diff --git a/tools/packaging/kernel/configs/fragments/common/base.conf b/tools/packaging/kernel/configs/fragments/common/base.conf
index 12d249e756..362608470f 100644
--- a/tools/packaging/kernel/configs/fragments/common/base.conf
+++ b/tools/packaging/kernel/configs/fragments/common/base.conf
@@ -4,13 +4,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SMP=y
 # Note, no nested VM support enabled here
 
-# Turn off embedded mode, as it disabled 'too much', and we
-# no longer pass all the tests. We should refine this, and
-# work out which of the ~66 items it enables are really needed.
-# I believe this is the actual syntax we need for a fragment to
-# disable an item...
-# CONFIG_EMBEDDED is not set
-
 # Note, no virt enabled baloon yet
 CONFIG_INPUT=y
 CONFIG_PRINTK=y
diff --git a/tools/packaging/kernel/configs/fragments/common/fs.conf b/tools/packaging/kernel/configs/fragments/common/fs.conf
index c3be9f925e..8ff5573c17 100644
--- a/tools/packaging/kernel/configs/fragments/common/fs.conf
+++ b/tools/packaging/kernel/configs/fragments/common/fs.conf
@@ -31,7 +31,6 @@ CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
 CONFIG_FANOTIFY=y
-CONFIG_AUTOFS4_FS=y
 CONFIG_AUTOFS_FS=y
 CONFIG_TMPFS=y
 CONFIG_DEVTMPFS=y
diff --git a/tools/packaging/kernel/configs/fragments/common/lsm.conf b/tools/packaging/kernel/configs/fragments/common/lsm.conf
index 6dc685fca7..fa29f43159 100644
--- a/tools/packaging/kernel/configs/fragments/common/lsm.conf
+++ b/tools/packaging/kernel/configs/fragments/common/lsm.conf
@@ -7,6 +7,5 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
diff --git a/tools/packaging/kernel/configs/fragments/common/netfilter.conf b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
index 02aeda788f..55b5d330d2 100644
--- a/tools/packaging/kernel/configs/fragments/common/netfilter.conf
+++ b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
@@ -190,7 +190,6 @@ CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_NETMAP=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP_NF_MANGLE=y
-CONFIG_IP_NF_TARGET_CLUSTERIP=y
 CONFIG_IP_NF_TARGET_ECN=y
 CONFIG_IP_NF_TARGET_TTL=y
 CONFIG_IP_NF_RAW=y
diff --git a/tools/packaging/kernel/configs/fragments/common/network.conf b/tools/packaging/kernel/configs/fragments/common/network.conf
index 7bdc3de7a0..2270c9a14a 100644
--- a/tools/packaging/kernel/configs/fragments/common/network.conf
+++ b/tools/packaging/kernel/configs/fragments/common/network.conf
@@ -42,7 +42,6 @@ CONFIG_BRIDGE=y
 CONFIG_BRIDGE_IGMP_SNOOPING=y
 CONFIG_LLC=y
 CONFIG_NET_SCHED=y
-CONFIG_NET_SCH_CBQ=y
 CONFIG_NET_SCH_MULTIQ=y
 CONFIG_NET_SCH_FQ_CODEL=y
 CONFIG_NET_SCH_FQ=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index e6b2711511..39d34eedd3 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -2,10 +2,13 @@
 # without generating an error in fragment merging
 CONFIG_ARCH_RANDOM
 CONFIG_ARM64_CRYPTO
+CONFIG_AUTOFS4_FS
 CONFIG_GENERIC_MSI_IRQ_DOMAIN
+CONFIG_IP_NF_TARGET_CLUSTERIP
 CONFIG_PCI_MSI_IRQ_DOMAIN
 CONFIG_CLK_LGM_CGU
 CONFIG_MEMCG_SWAP
+CONFIG_NET_SCH_CBQ
 CONFIG_NF_NAT_IPV4
 CONFIG_NF_NAT_NEEDED
 CONFIG_NF_NAT_PROTO_DCCP
@@ -20,6 +23,7 @@ CONFIG_NF_LOG_COMMON
 CONFIG_MANDATORY_FILE_LOCKING
 CONFIG_ARM64_UAO
 CONFIG_VFIO_MDEV_DEVICE
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
 CONFIG_SPECULATION_MITIGATIONS
 CONFIG_X86_SGX
 CONFIG_VIRTIO_IOMMU