6 files changed, 37 insertions, 18 deletions
diff --git a/security-blueprint/annexes/ConfigNotes.md b/security-blueprint/annexes/ConfigNotes.md
index 3e1f295..f79f4fa 100644
--- a/security-blueprint/annexes/ConfigNotes.md
+++ b/security-blueprint/annexes/ConfigNotes.md
@@ -99,8 +99,8 @@ Boot-Consoles-MemDump-8 | `mtest`        | _Disabled_
 Boot-Consoles-MemDump-9 | `loopw`        | _Disabled_
 
 Domain               | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK  | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK  | Must implement a Mandatory Access Control.
 
 Domain                 | `Config` name  | `Value`
 ---------------------- | -------------- | -------
@@ -131,9 +131,9 @@ Domain                     | `Config` name        | `Value`
 Kernel-General-SocketMon-1 | `CONFIG_PACKET_DIAG` | `n`
 Kernel-General-SocketMon-2 | `CONFIG_UNIX_DIAG`   | `n`
 
-Domain                   | `Config` name | `Value`
------------------------- | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT`     | `n`
+Domain                   | `Config` name    | `Value`
+------------------------ | ---------------- | -------
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
 
 Domain                         | `Config` name             | `Value`
 ------------------------------ | ------------------------- | -------
@@ -453,10 +453,10 @@ Domain                      | Tech name | Recommendations
 Connectivity-Wireless-NFC-1 | NFC       | Protected against relay and replay attacks.
 Connectivity-Wireless-NFC-2 | Device    | Disable unneeded and unapproved services and profiles.
 
-Domain                       | Object           | Recommendations
----------------------------- | ---------------- | ----------------------------------------
+Domain                       | Object         | Recommendations
+---------------------------- | -------------- | --------------------------------------
 Application-Cloud-Download-1 | authentication | Must implement authentication process.
-Application-Cloud-Download-2 | Authorization    | Must implement Authorization process.
+Application-Cloud-Download-2 | Authorization  | Must implement Authorization process.
 
 Domain                             | Object        | Recommendations
 ---------------------------------- | ------------- | ----------------------------------------------------------
diff --git a/security-blueprint/part-2/0_Abstract.md b/security-blueprint/part-2/0_Abstract.md
index 5ebb750..6d10490 100644
--- a/security-blueprint/part-2/0_Abstract.md
+++ b/security-blueprint/part-2/0_Abstract.md
@@ -53,6 +53,7 @@ loads the Kernel/system image before passing control to it.
 The following table lists the terms utilized within this part of the document.
 
 Acronyms or Abbreviations | Description
-------------------------- | ---------------------------------
+------------------------- | -----------------------------------------------------------------------
 _FUSE_                    | **F**ilesystem in **U**ser**S**pac**E**
 _OTP_                     | **O**ne-**T**ime-**P**rogrammable
+_DOCSIS_                  | **D**ata **O**ver **C**able **S**ervice **I**nterface **S**pecification
diff --git a/security-blueprint/part-2/2-Communication-modes.md b/security-blueprint/part-2/2-Communication-modes.md
index d3a823c..165f8fd 100644
--- a/security-blueprint/part-2/2-Communication-modes.md
+++ b/security-blueprint/part-2/2-Communication-modes.md
@@ -1,6 +1,6 @@
 # Communication modes
 
-## Disable USB, Serial and Docsis Support
+## Disable USB, Serial and DOCSIS Support
 
 To disable USB support in U-Boot, following config's shall not be defined:
 
diff --git a/security-blueprint/part-2/3-Consoles.md b/security-blueprint/part-2/3-Consoles.md
index 5adad3f..a2d1209 100644
--- a/security-blueprint/part-2/3-Consoles.md
+++ b/security-blueprint/part-2/3-Consoles.md
@@ -21,8 +21,8 @@ Boot-Consoles-1 | Secure loader: No reference earlier?
 
 <!-- endtodo -->
 
-And set "**silent**" environment variable. For the Secure loader, disable the
-traces by undefined the below macro:
+And set "**silent**" environment variable. For the Secure loader,
+disable the traces by not defining the below macro:
 
 <!-- config -->
 
diff --git a/security-blueprint/part-3/0_Abstract.md b/security-blueprint/part-3/0_Abstract.md
index 3fb8831..4fe7fb6 100644
--- a/security-blueprint/part-3/0_Abstract.md
+++ b/security-blueprint/part-3/0_Abstract.md
@@ -3,6 +3,8 @@
 Definition: "A hypervisor or virtual machine monitor (VMM) is computer software,
 firmware or hardware that creates and runs virtual machines".
 
+It must include a signature verification (possibly delegated).
+
 <!-- todo -->
 
 Domain                | Improvement
diff --git a/security-blueprint/part-4/1-General.md b/security-blueprint/part-4/1-General.md
index 013762f..6f951db 100644
--- a/security-blueprint/part-4/1-General.md
+++ b/security-blueprint/part-4/1-General.md
@@ -1,17 +1,25 @@
 # General configuration
 
-## MAC
+## Mandatory Access Control
 
 Kernel should controls access with labels and policy.
 
 <!-- config -->
 
 Domain               | Object | Recommendations
--------------------- | ------ | --------------------
-Kernel-General-MAC-1 | SMACK  | Must implement a MAC
+-------------------- | ------ | ------------------------------------------
+Kernel-General-MAC-1 | SMACK  | Must implement a Mandatory Access Control.
 
 <!-- endconfig -->
 
+<!-- todo -->
+
+Domain       | Improvement
+------------ | ----------------
+Kernel-MAC-1 | Add MAC config note.
+
+<!-- endtodo -->
+
 --------------------------------------------------------------------------------
 
 ## Disable kexec
@@ -129,9 +137,9 @@ This configuration for is supported in **Linux 3.16 and greater** and thus shoul
 
 <!-- config -->
 
-Domain                   | `Config` name | `Value`
------------------------- | ------------- | -------
-Kernel-General-BPF_JIT-1 | `BPF_JIT`     | `n`
+Domain                   | `Config` name    | `Value`
+------------------------ | ---------------- | -------
+Kernel-General-BPF_JIT-1 | `CONFIG_BPF_JIT` | `n`
 
 <!-- endconfig -->
 
@@ -139,6 +147,14 @@ Kernel-General-BPF_JIT-1 | `BPF_JIT`     | `n`
 
 ## Enable Enforced Module Signing
 
+The kernel should never allow an unprivileged user the ability to load specific kernel modules,
+since that would provide a facility to unexpectedly extend the available attack surface.
+
+To protect against even privileged users, systems may need to either disable
+module loading entirely, or provide signed modules
+(e.g. CONFIG_MODULE_SIG_FORCE, or dm-crypt with LoadPin), to keep from having
+root load arbitrary kernel code via the module loader interface.
+
 This configuration is supported in **Linux 3.7 and greater** and thus should only be enabled for such versions.
 
 <!-- config -->