Kernel Evidence Status

Subject: Root Lock by HeartSuite HS kernel evidence parity
Commercial baseline: HeartSuite v1.6.4 — kernel 6.18.9 (6.18.9-HeartSuite-1.0)
Legacy stream: kernel 5.19.6 (maintenance-only; see Kernel Support Policy)

Summary

HeartSuite ships two HS kernel lines with the same Root Lock enforcement contract. New subscriptions and fleet images should standardize on 6.18. Public hardening evidence for that stream is being brought to parity with the 5.19.6 publication; until then, procurement and audit teams should treat 5.19.6 measurements as illustrative of design philosophy, not as a score-for-score substitute for 6.18.9.

What is published today (5.19.6)

The following artifacts are complete and independently reproducible:

• Config identity — SHA-256 for config-5.19.6-HeartSuite-1.0 and config-5.19.6-HeartSuite-2.0 in evidence-pack-5.19.6.txt
• Automated scores — kernel-hardening-checker commit b9b83a0, era-matched comparison against Arch linux-hardened 5.19.11 and vanilla defconfig, in kernel-comparison-matrix-5.19.6.md
• Runtime posture — module inventory, SELinux permissive state, HeartSuite enforcement trace, bypass-primitive grep results (sections 2–5 of the evidence pack)
• Buyer and auditor summaries — Procurement Brief and Auditor Brief (detailed measured sections currently reference 5.19.6 data)

What is in progress (6.18.9)

The 6.18 LTS port closed known gaps documented for 5.19.6 — notably CONFIG_IO_URING and CONFIG_KEXEC are disabled in the 6.18.x HS config (design intent recorded in the deviation registry). Public publication still requires:

1. Canonical config SHA-256 for config-6.18.9-HeartSuite-1.0 (and any subsequent bundle revision)
2. evidence-pack-6.18.9.txt — raw checker output, per-category scores, bypass-primitive verification, module inventory, runtime LSM state
3. Era-matched comparison — HS 6.18.9 vs Arch linux-hardened (or equivalent) on the same 6.18.x Kconfig namespace
4. Runtime verification — uname -r, /boot/config-* hash match, lsmod, SELinux state, HeartSuite activation in dmesg on a representative validated distribution

The Kernel Hardening Comparison Matrix (6.18.9) page mirrors the 5.19.6 structure. Sections that depend on measured output are marked Pending publication — engage support for pre-release evidence until the artifacts above are released.

Evidence parity roadmap

For procurement and audit teams

Evaluating a 6.18.9 deployment today

• Use Distro Compatibility Matrix and Kernel Support Policy for support boundaries, version strings, and patch targets.
• Use CVE Hygiene for Scanners for vulnerability-management workflows — do not infer HS reachability from upstream 6.18.9 alone.
• For hardening scores comparable to the 5.19.6 publication, request pre-release evidence through your HeartSuite support channel. Reference HeartSuite v1.6.4 / tag hs-v1.6.4-kernel-6.18.9 and the expected version string 6.18.9-HeartSuite-1.0.

Evaluating a 5.19.6 legacy fleet

• Full public evidence remains authoritative for that stream. Plan migration to 6.18 per the support policy; do not extend 5.19.6 checker scores to 6.18.9 without the published 6.18 pack.

Reproducing 5.19.6 measurements now

See Auditor Brief for kernel-hardening-checker commands and expected SHA-256.

Related pages

• Kernel Hardening Comparison Matrix (6.18.9) — primary stream structure (measured sections pending)
• Kernel Hardening Comparison Matrix (5.19.6) — legacy stream, fully measured
• Enterprise Adoption Guide — supply chain, verification, and regulated-deployment context