diff --git a/debian/changelog b/debian/changelog
index 2de69067c..f4fab4ebf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -284,6 +284,10 @@ linux (4.16.13-1) UNRELEASED; urgency=medium
 * [armhf] Enable MFD_AC100 and RTC_DRV_AC100, used in allwinner A80/A83t
 systems.
 
+ [ Yves-Alexis Perez ]
+ * hardening: enable FORTIFY_SOURCE, disable HARDENED_USERCOPY_FALLBACK
+ * [x86] hardening: enable REFCOUNT_FULL
+
 -- Salvatore Bonaccorso Wed, 30 May 2018 08:41:30 +0200
 
 linux (4.16.12-1) unstable; urgency=medium
diff --git a/debian/config/config b/debian/config/config
index c410470ab..8f71d0f25 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -7118,7 +7118,9 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
+CONFIG_FORTIFY_SOURCE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 ## choice: Default security module
diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config
index ad64314e2..302409462 100644
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@@ -2,6 +2,7 @@
 ## file: arch/Kconfig
 ##
 # CONFIG_OPROFILE_EVENT_MULTIPLEX is not set
+CONFIG_REFCOUNT_FULL=y
 
 ##
 ## file: arch/x86/Kconfig
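Review bot: In debian/config/config, `# CONFIG_HARDENED_USERCOPY_FALLBACK is not set` changes a failure mode and nothing in the commit records it. As I understand the option, slab caches without a usercopy whitelist previously took the WARN-and-allow path; with the fallback off those copies are rejected, which is likely to surface first in out-of-tree modules that were never annotated. I would extend the changelog entry to say so and to name the escape hatch, e.g. `disable HARDENED_USERCOPY_FALLBACK (non-whitelisted slab copies are now rejected; boot with slab_common.usercopy_fallback=Y to get the warning-only behaviour back)`. Separately, `CONFIG_FORTIFY_SOURCE=y` is set in the all-architecture file, while the symbol is only offered on architectures that select ARCH_HAS_FORTIFY_SOURCE, so it is presumably ignored elsewhere; worth confirming that this is intended.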
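Review bot: In debian/config/kernelarch-x86/config, `CONFIG_REFCOUNT_FULL=y` is scoped to x86 even though the hunk's own section header (`## file: arch/Kconfig`) shows the symbol is architecture-independent. To my knowledge x86 is the architecture that already has an optimised, overflow-saturating refcount_t via ARCH_HAS_REFCOUNT, so the others would gain at least as much from the full checks. If the x86-only scope is deliberate (for example pending performance measurements elsewhere), the changelog line should say why; otherwise consider moving the setting to debian/config/config. It would also help to note that on x86 this trades the fast-path implementation for the fully checked one, so a later performance report can be traced back to this change.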