2020-01-30 03:32:25 +08:00
|
|
|
.. _hardening:
|
|
|
|
|
|
|
|
Hardening Tool
|
|
|
|
##############
|
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
Before launching a product, it's crucial to ensure that your software is as secure as possible. This
|
|
|
|
process, known as "hardening", involves strengthening the security of a system to protect it from
|
|
|
|
potential threats and vulnerabilities.
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
At a high-level, hardening a Zephyr application can be seen as a two-fold process:
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
#. Disabling features and compilation flags that might lead to security vulnerabilities (ex. making
|
|
|
|
sure that no "experimental" features are being used, disabling features typically used for
|
|
|
|
debugging purposes such as assertions, shell, etc.).
|
|
|
|
#. Enabling optional features that can lead to improve security (ex. stack sentinel, hardware stack
|
|
|
|
protection, etc.). Some of these features might be hardware-dependent.
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
To simplify this process, Zephyr offers a **hardening tool** designed to analyze an application's
|
|
|
|
configuration against a set of hardening preferences defined by the **Security Working Group**. The
|
|
|
|
tool looks at the KConfig options in the build target and provides tailored suggestions and
|
|
|
|
recommendations to adjust security-related options.
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
Usage
|
|
|
|
*****
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
.. zephyr-app-commands::
|
|
|
|
:tool: all
|
2024-08-24 00:00:28 +08:00
|
|
|
:zephyr-app: samples/hello_world
|
2023-05-17 00:13:55 +08:00
|
|
|
:board: reel_board
|
|
|
|
:goals: hardenconfig
|
2020-01-30 03:32:25 +08:00
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
The output should be similar to the table below. For each configuration option set to a value that
|
|
|
|
could lead to a security vulnerability, the table will propose a recommended value that should be
|
|
|
|
used instead.
|
2020-01-30 03:32:25 +08:00
|
|
|
|
|
|
|
.. code-block:: console
|
|
|
|
|
2023-05-17 00:13:55 +08:00
|
|
|
name | current | recommended || check result
|
|
|
|
================================================================================================
|
|
|
|
CONFIG_BOOT_BANNER | y | n || FAIL
|
|
|
|
CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL
|
|
|
|
CONFIG_FAULT_DUMP | 2 | 0 || FAIL
|
|
|
|
CONFIG_HW_STACK_PROTECTION | n | y || FAIL
|
|
|
|
CONFIG_MPU_STACK_GUARD | n | y || FAIL
|
|
|
|
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL
|
|
|
|
CONFIG_STACK_SENTINEL | n | y || FAIL
|
|
|
|
CONFIG_EARLY_CONSOLE | y | n || FAIL
|
|
|
|
CONFIG_PRINTK | y | n || FAIL
|