diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 7eb68952f302..42bf534c5002 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -234,7 +234,9 @@ with stdenv.lib;
 # Security related features.
 STRICT_DEVMEM y # Filter access to /dev/mem
 SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
- DEVKMEM? n # Disable /dev/kmem
+ ${optionalString (!features.grsecurity or true) ''
+ DEVKMEM n # Disable /dev/kmem
+ ''}
 ${if versionOlder version "3.14" then ''
 CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
 '' else ''
@@ -378,11 +380,13 @@ with stdenv.lib;
 # Virtualisation.
 PARAVIRT? y
- ${if versionAtLeast version "3.10" then ''
- HYPERVISOR_GUEST? y
- '' else ''
- PARAVIRT_GUEST? y
- ''}
+ ${optionalString (!features.grsecurity or true)
+ (if versionAtLeast version "3.10" then ''
+ HYPERVISOR_GUEST y
+ '' else ''
+ PARAVIRT_GUEST? y
+ '')
+ }
 KVM_APIC_ARCHITECTURE y
 KVM_ASYNC_PF y
 ${optionalString (versionOlder version "3.7") ''
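Review bot: The guard `!features.grsecurity or true` on the added `optionalString` parses as `!(features.grsecurity or true)`, because Nix's attribute-selection `or` default binds tighter than `!`. When `features` has no `grsecurity` attribute the default `true` is negated to `false`, so `DEVKMEM n` is no longer emitted and /dev/kmem falls back to the kernel's own default, whereas the removed line always requested it off. The default should be `false` with explicit parentheses: `${optionalString (!(features.grsecurity or false)) ''`. The second hunk wraps `HYPERVISOR_GUEST`/`PARAVIRT_GUEST` in the same guard and needs the same change; how `features` is populated is outside this diff, so confirm whether non-grsecurity kernels set the attribute explicitly.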
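Review bot: `HYPERVISOR_GUEST y` loses the `?` suffix that the removed line carried, while `PARAVIRT_GUEST? y` in the else branch keeps it. If `?` marks an entry as optional, as the neighbouring entries suggest, config generation may now fail on kernels of version 3.10 or later whose Kconfig does not offer that symbol (for example non-x86 targets, if this common config is used for them); the same applies to `DEVKMEM n` in the first hunk. Either keep `HYPERVISOR_GUEST? y`, or add a comment above the block such as `# Mandatory outside grsecurity; grsecurity kernels manage this option themselves` so the reason for the stricter form and for the grsecurity exclusion is recorded.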