diff --git a/helpers/DATA/kernel/apply_policies.py b/helpers/DATA/kernel/apply_policies.py
new file mode 100644
index 00000000..61ca1b54
--- /dev/null
+++ b/helpers/DATA/kernel/apply_policies.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+import sys
+import json
+import subprocess
+import os
+
+def set_annotation(config, arch, flavour, value, annotations_file):
+    """Executes the Debian script to enforce a specific kernel configuration."""
+
+    cmd = [
+        "python3",
+        "debian/scripts/misc/annotations",
+        "--file", annotations_file,
+        "--arch", arch,
+        "--flavour", flavour,
+        "--config", config,
+        "--write", value
+    ]
+
+    print(f"Setting {config} for {arch} ({flavour}) to '{value}'")
+
+    try:
+        subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL)
+    except subprocess.CalledProcessError:
+        print(f"  [ERROR] Failed to apply {config} on {arch} ({flavour})", file=sys.stderr)
+
+def main():
+    # Fetch the environment variable exported by helper
+    target_file = os.environ.get("KERNEL_CONFIG_ANNOTATIONS")
+
+    # Fail fast if the annotations file is not defined
+    if not target_file:
+        print("[FATAL ERROR] KERNEL_CONFIG_ANNOTATIONS environment variable is not set.", file=sys.stderr)
+        print("Aborting to prevent modifying the wrong configuration file.", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"[INFO] Target annotations file: {target_file}")
+
+    # Read and parse the JSON policy from stdin
+    try:
+        policy_dict = json.load(sys.stdin)
+    except json.JSONDecodeError as e:
+        print(f"[FATAL ERROR] Invalid JSON policy format: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    # Process the nested dictionary
+    for config, archs in policy_dict.items():
+        for key, value in archs.items():
+            
+            # Check if the key contains a flavour delimiter (e.g., "arm64/generic-64k")
+            if "/" in key:
+                arch, flavour = key.split("/", 1)
+                set_annotation(config, arch, flavour, value, target_file)
+            
+            # Backward compatibility for nested dicts (just in case)
+            elif isinstance(value, dict):
+                for flavour_nested, val_nested in value.items():
+                    set_annotation(config, key, flavour_nested, val_nested, target_file)
+            
+            # If it's just a plain string without a slash, default to 'generic'
+            else:
+                set_annotation(config, key, "generic", value, target_file)
+
+if __name__ == "__main__":
+    main()
diff --git a/helpers/make-linux-hwe-6.17 b/helpers/make-linux-hwe-6.17
index 2ad06421..26b35814 100644
--- a/helpers/make-linux-hwe-6.17
+++ b/helpers/make-linux-hwe-6.17
@@ -287,32 +287,34 @@ find debian* -type f -name *control* -exec sed 's/ with Ubuntu patches//; s/Linu
 #echo > ./debian.master/d-i/firmware/nic-modules
 #echo > ./debian.master/d-i/firmware/scsi-modules
 
-# Disable using udev as a fallback for firmware loading
-# Read more at: Documentation/driver-api/firmware/fallback-mechanisms.rst
-#replace "CONFIG_FW_LOADER_USER_HELPER=y" "CONFIG_FW_LOADER_USER_HELPER=n" $DEBIAN_PATH/config
+# General changes to annotations on kernel (base or HWE).
+## Disable Ubuntu ODM drivers & AAEON.
+export KERNEL_CONFIG_ANNOTATIONS="$DEBIAN_PATH/config/annotations"
 
-# Disable aaeon & ubuntu odm drivers, remove on both paths to match annotations.
-for i in CONFIG_GPIO_AAEON CONFIG_LEDS_AAEON CONFIG_MFD_AAEON CONFIG_SENSORS_AAEON
-do
-    echo "> Modifying $i annotations value:"
-    python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-        --arch amd64 --flavour generic --config $i --write -
-done
-for i in amd64 arm64 armhf ppc64el riscv64 s390x
-do
-    echo "> Modifying CONFIG_UBUNTU_ODM_DRIVERS for arch $i:"
-    python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch $i --flavour generic --config CONFIG_UBUNTU_ODM_DRIVERS --write n
-done
-python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch arm64 --flavour generic-64k --config CONFIG_UBUNTU_ODM_DRIVERS --write n
-
-python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch amd64 --flavour generic --config CONFIG_RUST --write -
+# $arch/generic
+python3 $DATA/../kernel/apply_policies.py << 'EOF'
+{ 
+"CONFIG_UBUNTU_ODM_DRIVERS": {"amd64": "n", "arm64": "n", "arm64/generic-64k": "n", "armhf": "n", "ppc64el": "n", "riscv64": "n"},
+"CONFIG_GPIO_AAEON": {"amd64": "-", "arm64": "-", "arm64/generic-64k": "-", "armhf": "-", "ppc64el": "n", "riscv64": "-"},
+"CONFIG_LEDS_AAEON": {"amd64": "-", "arm64": "-", "arm64/generic-64k": "-", "armhf": "-", "ppc64el": "n", "riscv64": "-"},
+"CONFIG_MFD_AAEON": {"amd64": "-", "arm64": "-", "arm64/generic-64k": "-", "armhf": "-", "ppc64el": "n", "riscv64": "-"},
+"CONFIG_SENSORS_AAEON": {"amd64": "-", "arm64": "-", "arm64/generic-64k": "-", "armhf": "-", "ppc64el": "n", "riscv64": "-"}
+}
+EOF
 
 ## Disable ppc64el Werroron amdgpu
-python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-    --arch ppc64el --flavour generic --config CONFIG_DRM_AMDGPU_WERROR --write n
+python3 $DATA/../kernel/apply_policies.py << 'EOF'
+{ 
+"CONFIG_DRM_AMDGPU_WERROR": {"ppc64el": "n"}
+}
+EOF
+
+# Disable using udev as a fallback for firmware loading
+python3 $DATA/../kernel/apply_policies.py << 'EOF'
+{ 
+"CONFIG_FW_LOADER_USER_HELPER": {"amd64": "n", "arm64": "n", "arm64/generic-64k": "n", "armhf": "n", "ppc64el": "n", "riscv64": "n"}
+}
+EOF
 
 ## Remove disabled modules from generic list (starting at 6.2)
 for module in gpio-aaeon hwmon-aaeon leds-aaeon mfd-aaeon spl
@@ -322,43 +324,14 @@ do
         sed -i "/^$module$/d" $i
     done
 done
-# Custom changes for linux and linux-hwe.
-if [ $HWE_ENABLED != 1 ]; then
-## HWEKR - 6.8
-    for i in CONFIG_AX88796B_RUST_PHY CONFIG_CONSTRUCTORS CONFIG_RUST_BUILD_ASSERT_ALLOW \
-        CONFIG_RUST_DEBUG_ASSERTIONS CONFIG_RUST_OVERFLOW_CHECKS CONFIG_RUST_PHYLIB_ABSTRACTIONS \
-        CONFIG_SAMPLES_RUST
-    do
-        echo "> Modifying $i annotations value:"
-        python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch amd64 --flavour generic --config $i --write -
-    done
+
+# Custom annotations changes for linux and linux-hwe.
+if [ "$HWE_ENABLED" != 1 ]; then
+    echo "# Additional custom changes on KRN - 6.8 annotations"
+    echo "... nothing here"
 else
-    echo "# Custom change on HWEKR - 6.17 to match previous changes"
-    for i in  CONFIG_BLK_DEV_RUST_NULL \
-              CONFIG_CONSTRUCTORS \
-              CONFIG_DRM_NOVA \
-              CONFIG_DRM_PANIC_SCREEN_QR_CODE \
-              CONFIG_RUST_BUILD_ASSERT_ALLOW \
-              CONFIG_RUST_DEBUG_ASSERTIONS \
-              CONFIG_RUST_FW_LOADER_ABSTRACTIONS \
-              CONFIG_RUST_OVERFLOW_CHECKS \
-              CONFIG_RUST_PHYLIB_ABSTRACTIONS \
-              CONFIG_SAMPLES_RUST
-    do
-        echo "> Modifying $i annotations value:"
-        python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch amd64 --flavour generic --config $i --write -
-    done
-    for arch in amd64 arm64 ; do
-        echo "> Modifying CONFIG_NOVA_CORE annotations value on $arch:"
-        python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch $arch --flavour generic --config CONFIG_NOVA_CORE --write -
-    done
-    # More changes for HWE 6.17
-        echo "> Modifying CONFIG_RUST annotations value:"
-        python3 debian/scripts/misc/annotations -f $DEBIAN_PATH/config/annotations \
-            --arch amd64 --flavour generic --config CONFIG_RUST --write n
+    echo "# Additional custom changes on HWEKRN - 6.17 annotations"
+    echo "... nothing here"
 fi
 
 grep -rl '^Vcs-Git:' | \