zephyr/doc/security/hardening-tool.rst


.. _hardening:

Hardening Tool
##############

Zephyr contains several optional features that make the overall system
more secure. Because they take advantage of hardware features, many of these
options are platform specific, and some of them are not known to
developers.

To address this problem, Zephyr provides a tool that checks an
application's configuration option list against a list of hardening
preferences defined by the **Security Group**. The tool identifies the build
target and, based on that, provides suggestions and recommendations on how to
optimize the configuration for security.


Usage
*****

After configuring your application, change directory to the build folder and run:

.. code-block:: console

   # ninja build system:
   $ ninja hardenconfig
   # make build system:
   $ make hardenconfig


The output should be similar to the one below:

.. code-block:: console

   name                                  | current | recommended || check result
   ===================================================================================================================
   CONFIG_HW_STACK_PROTECTION            |    n    |      y      || FAIL
   CONFIG_BOOT_BANNER                    |    y    |      n      || FAIL
   CONFIG_PRINTK                         |    y    |      n      || FAIL
   CONFIG_EARLY_CONSOLE                  |    y    |      n      || FAIL
   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT |    n    |      y      || FAIL
   CONFIG_DEBUG_INFO                     |    y    |      n      || FAIL
   CONFIG_TEST_RANDOM_GENERATOR          |    y    |      n      || FAIL
   CONFIG_BUILD_OUTPUT_STRIPPED          |    n    |      y      || FAIL
   CONFIG_STACK_SENTINEL                 |    n    |      y      || FAIL