diff --git a/base.nix b/base.nix
index 3dac3d3..5c33340 100644
--- a/base.nix
+++ b/base.nix
@@ -79,13 +79,12 @@
 STACKPROTECTOR = yes;
 STACKPROTECTOR_STRONG = yes;
- LTO_CLANG_FULL = option yes;
+ LTO_CLANG_FULL = yes;
+ CFI_CLANG = yes;
 VMAP_STACK = yes;
 RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
- GCC_PLUGINS = yes;
- BLK_DEV_WRITE_MOUNTED = yes;
 BLK_WBT = yes;
 BLK_WBT_MQ = yes;
@@ -325,8 +324,6 @@
 BUG_ON_DATA_CORRUPTION = yes;
- RANDSTRUCT_PERFORMANCE = option yes;
- CRYPTO_ZSTD = yes;
 SWIOTLB_DYNAMIC = yes;
diff --git a/linux-hardened.nix b/linux-hardened.nix
index a2d3709..25a7038 100644
--- a/linux-hardened.nix
+++ b/linux-hardened.nix
@@ -4,11 +4,16 @@ let
 lib
 buildEnv
 buildLinux
+ buildPackages
 fetchFromGitHub
- gccStdenv
+ overrideCC
 runCommand;
 kernel = let
+ inherit (pkgs.llvmPackages_latest)
+ llvm clang-unwrapped lld
+ clang bintools;
+
 args = { inherit (pkgs) lib hostPlatform; };
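Review bot: `CFI_CLANG = yes` lands without `X86_KERNEL_IBT`, which on x86_64 lets kCFI upgrade to FineIBT on IBT-capable CPUs and is the usual companion in hardened configs; the target architecture is not visible here (only `-march=${arch}` in the other file), so if this kernel is x86_64 add `X86_KERNEL_IBT = yes;` next to it. `CFI_PERMISSIVE` is left at its `allnoconfig` default of n, so a CFI violation panics rather than warns, which is the right choice for a hardened kernel but deserves a comment such as `# kCFI enforcing: CFI_PERMISSIVE deliberately left off`. Dropping `option` from `LTO_CLANG_FULL` is an improvement, because a toolchain without full-LTO support now fails the build instead of silently producing a kernel without it. The `BLK_DEV_WRITE_MOUNTED` removal is unrelated to the toolchain switch and, under `allnoconfig`, now makes the kernel refuse writes to mounted block devices; if that is intended it should say so in a comment.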
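Review bot: Removing `RANDSTRUCT_PERFORMANCE` with no replacement leaves the RANDSTRUCT choice at its `allnoconfig` default of `RANDSTRUCT_NONE`, so the move to Clang silently drops structure-layout randomization even though Clang (15 and later) supports it via `-frandomize-layout-seed-file`. Keep the hardening by putting `RANDSTRUCT_FULL = yes;` (or `RANDSTRUCT_PERFORMANCE = yes;`, now without `option` so a missing capability fails the build) in its place. Note that the kernel generates the layout seed at build time, so a reproducible build needs the seed handled deliberately; nothing visible here does that. Whether `CRYPTO_ZSTD` is really meant to go as well is hard to tell from this collapsed hunk; it has nothing to do with the compiler, so if intentional a comment or separate commit would help.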
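Review bot: `inherit (pkgs.llvmPackages_latest) ...` makes the compiler that produces a CFI/LTO kernel a moving target: every nixpkgs bump can silently change the Clang major version, and whether `LTO_CLANG_FULL`/`CFI_CLANG` are even accepted, plus the generated code, depends on it. Pin an explicit set, e.g. `inherit (pkgs.llvmPackages_18) llvm clang-unwrapped lld clang bintools;`, and bump it on purpose. `buildPackages` and `overrideCC` are added to the `inherit (pkgs)` list but neither is used in the hunks shown; if they are unused elsewhere in the file drop them, and if `overrideCC` is meant to build a clang stdenv for `buildLinux`, that wiring is missing from the visible change. The enclosing `let` block continues past this hunk.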
@@ -23,35 +28,53 @@ let
 ];
 };
 in buildLinux rec {
- pname = "linux-hardened";
- version = "6.10.4-hardened1";
+ pname = "linux-hardened";
+ version = "6.10.4-hardened1";
- src = fetchFromGitHub {
- owner = "anthraxx";
- repo = pname;
- rev = "v${version}";
- hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";
- };
-
- defconfig = "allnoconfig";
- extraMakeFlags = [ "KCFLAGS=-march=${arch}" ];
- enableCommonConfig = false;
-
- structuredExtraConfig =
- (import ./base.nix args) //
- (import config args) //
- lib.optionalAttrs (firmware != [ ]) {
- EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
- EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
- };
-
- features = {
- efiBootStub = true;
- };
-
- isHardened = true;
- stdenv = gccStdenv;
+ src = fetchFromGitHub {
+ owner = "anthraxx";
+ repo = pname;
+ rev = "v${version}";
+ hash = "sha256-qq2vmrUIYUuXEwuZoXrXbZY/li+ReFNuqhsy1R0yx0s=";
 };
+
+ defconfig = "allnoconfig";
+ enableCommonConfig = false;
+
+ extraMakeFlags = [
+ "LLVM=1"
+
+ "HOSTCC=${clang}/bin/clang"
+ "HOSTCXX=${clang}/bin/clang++"
+ "HOSTLD=${bintools}/bin/ld.lld"
+ "HOSTAR=${bintools}/bin/ar"
+
+ "CC=${clang-unwrapped}/bin/clang"
+ "LD=${lld}/bin/ld.lld"
+ "AR=${llvm}/bin/llvm-ar"
+ "NM=${llvm}/bin/llvm-nm"
+ "OBJCOPY=${llvm}/bin/llvm-objcopy"
+ "OBJDUMP=${llvm}/bin/llvm-objdump"
+ "READELF=${llvm}/bin/llvm-readelf"
+ "STRIP=${llvm}/bin/llvm-strip"
+
+ "KCFLAGS=-march=${arch}"
+ ];
+
+ structuredExtraConfig =
+ (import ./base.nix args) //
+ (import config args) //
+ lib.optionalAttrs (firmware != [ ]) {
+ EXTRA_FIRMWARE = lib.kernel.freeform (toString firmware);
+ EXTRA_FIRMWARE_DIR = lib.kernel.freeform "${firmwareEnv}/lib/firmware";
+ };
+
+ features = {
+ efiBootStub = true;
+ };
+
+ isHardened = true;
+ };
 in kernel.overrideAttrs (base: {
 installFlags = base.installFlags or [ ] ++ [ "INSTALL_MOD_PATH=$(out)" ];
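Review bot: The split between `CC=${clang-unwrapped}/bin/clang` for the kernel and the wrapped `clang`/`bintools` for `HOSTCC`/`HOSTCXX`/`HOSTLD`/`HOSTAR` is undocumented, and it is exactly the asymmetry a later cleanup tends to "fix" into a kernel that is built with nixpkgs' userspace hardening and libc flags; add a comment above the list, e.g. `# kernel: unwrapped clang so the nixpkgs wrapper cannot inject userspace flags into kernel code; host tools: wrapped clang so they find libc and headers` (presumably the intent, confirm). With `stdenv = gccStdenv` removed and nothing put in its place, the derivation still runs under `buildLinux`'s default stdenv and the whole toolchain switch relies on these entries overriding whatever `CC=`/`HOSTCC=` `buildLinux` passes in its own `makeFlags`, so their ordering is load-bearing and deserves a note or an assertion that the build log shows clang. `LLVM=1` alone already selects clang and the `llvm-*` binutils by name, so the absolute store paths are a pinning choice rather than a requirement; saying so in the comment stops someone from dropping either half. `fetchFromGitHub` by tag is fine here only because `hash` pins the content; the upstream signed tag is not verified, which is worth stating next to `rev`.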