45 lines
2.0 KiB
ReStructuredText
45 lines
2.0 KiB
ReStructuredText
|
.. _hardening:
|
||
|
|
||
|
Hardening Tool
|
||
|
##############
|
||
|
|
||
|
Zephyr contains several optional features that make the overall system
|
||
|
more secure. As we take advantage of hardware features, many of these
|
||
|
options are platform specific and besides it, some of them are unknown
|
||
|
by developers.
|
||
|
|
||
|
To address this problem, Zephyr provides a tool that helps to check an
|
||
|
application configuration option list against a list of hardening
|
||
|
preferences defined by the **Security Group**. The tool can identify the build
|
||
|
target and based on that provides suggestions and recommendations on how to
|
||
|
optimize the configuration for security.
|
||
|
|
||
|
Usage
|
||
|
*****
|
||
|
|
||
|
After configure of your application, change directory to the build folder and:
|
||
|
|
||
|
.. code-block:: console
|
||
|
|
||
|
# ninja build system:
|
||
|
$ ninja hardenconfig
|
||
|
# make build system:
|
||
|
$ make hardenconfig
|
||
|
|
||
|
The output should be similar to the one bellow:
|
||
|
|
||
|
.. code-block:: console
|
||
|
|
||
|
|
||
|
name | current | recommended || check result
|
||
|
===================================================================================================================
|
||
|
CONFIG_HW_STACK_PROTECTION | n | y || FAIL
|
||
|
CONFIG_BOOT_BANNER | y | n || FAIL
|
||
|
CONFIG_PRINTK | y | n || FAIL
|
||
|
CONFIG_EARLY_CONSOLE | y | n || FAIL
|
||
|
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL
|
||
|
CONFIG_DEBUG_INFO | y | n || FAIL
|
||
|
CONFIG_TEST_RANDOM_GENERATOR | y | n || FAIL
|
||
|
CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL
|
||
|
CONFIG_STACK_SENTINEL | n | y || FAIL
|