diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 8ecdc692ef5d..ed6265a77435 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -367,6 +367,7 @@
 ./security/auditd.nix
 ./security/ca.nix
 ./security/chromium-suid-sandbox.nix
+ ./security/default.nix
 ./security/dhparams.nix
 ./security/doas.nix
 ./security/duosec.nix
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index a4c2f9e29fc3..e0b768b60af4 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -200,10 +200,8 @@ in
 sed '1,/\[qualifiers\]/d' $footer >> $out
 '';
- boot.kernelParams = [
- "apparmor=1"
- "security=apparmor"
- ];
+ boot.kernelParams = [ "apparmor=1" ];
+ security.lsm = [ "apparmor" ];
 systemd.services.apparmor = {
 after = [
diff --git a/nixos/modules/security/default.nix b/nixos/modules/security/default.nix
new file mode 100644
index 000000000000..c8baad1a3dd9
--- /dev/null
+++ b/nixos/modules/security/default.nix
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+let
+ cfg = config.security;
+in
+{
+ options = {
+ security.lsm = lib.mkOption {
+ type = lib.types.uniq (lib.types.listOf lib.types.str);
+ default = [ ];
+ description = ''
+ A list of the LSMs to initialize in order.
+ '';
+ };
+ };
+
+ config = lib.mkIf (lib.lists.length cfg.lsm > 0) {
+ assertions = [
+ {
+ assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0;
+ message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";
+ }
+ ];
+
+ boot.kernelParams = [
+ "lsm=${lib.concatStringsSep "," cfg.lsm}"
+ ];
+ };
+}
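Review bot: Swapping `security=apparmor` for `security.lsm = [ "apparmor" ]` narrows the set of LSMs the kernel initializes, because the `lsm=` parameter that nixos/modules/security/default.nix now builds from this list replaces the kernel's built-in default list (CONFIG_LSM) rather than picking the exclusive LSM on top of it, as far as I read the kernel's LSM documentation. Stacked minor LSMs that the default list enabled, yama or lockdown for example, would then no longer be initialized on AppArmor systems unless they are named here as well, which is a silent hardening regression compared with the removed `security=apparmor` line. If keeping only apparmor is intended, a comment above the new line saying that the kernel default list is deliberately dropped would make that explicit; otherwise the module should list the defaults it wants to keep ahead of apparmor, e.g. `security.lsm = [ <defaults from the kernel's CONFIG_LSM, placeholder> "apparmor" ];`. The enclosing config attribute set starts and ends outside the hunk.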
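Review bot: The assertion on the new `assertion =` line only rejects a `security=` entry in boot.kernelParams, so a pre-existing `lsm=` entry passes and the generated command line carries two `lsm=` parameters, and which one the kernel honours is not something this module controls. Extending the filter to both prefixes, `lib.filter (p: lib.hasPrefix "security=" p || lib.hasPrefix "lsm=" p)`, and widening the message to mention `lsm=` closes that gap. The option description should also state that `lsm=` replaces the kernel's default LSM list rather than extending it and that list order is initialization order, and that `lib.types.uniq` allows the option to be defined in only one place, so two modules that both set security.lsm will fail to evaluate instead of merging.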