GrapheneOS is the continuation of CopperheadOS

It isn't used or exposed by the base system and is a dubious feature.
It performs no better than thread pools and it can still block, along
with having coverage of only a tiny portion of blocking system calls
even when considering only commonly used system calls for IO.
There are no known compatibility issues caused by having this disabled.
Since this is such a dubious niche feature, it's also very poorly tested
and it doesn't get much attention. Proposed improvements have been blocked
based on the concern that POSIX AIO is such a bad interface that trying
to improve/extend it would be harmful. Following the lead of CopperheadOS
on this front has been proposed and accepted upstream for the recommended
Android kernel configuration used to derive device specific configurations.

https://github.com/AndroidHardeningArchive/documentation/blob/master/technical_overview.md#attack-surface-reduction

CONFIG_VMSPLIT_3G=y is for maximal userspace memory area and maximal ASLR.

It works both for ARM and X86_32.

That commit contains changes in the checks that I made after learning
the upstreamed LOCKDOWN

That features didn't change in the upstreamed version of LOCKDOWN

That would simplify things

The debug_mode enables:
 - reporting about unknown kernel options in the config,
 - showing all checks from all supported platforms,
 - verbose printing of ComplexOptChecks (OR, AND).

This fixes the false positive report about LDISC_AUTOLOAD for old kernels

Nice, like it :)

And move config_checklist to other globals by the way.