doc: security: Add hardening tool information

Add basic reference to hardening tool. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2020-01-29 11:32:25 -08:00 · 2020-01-29 11:32:25 -08:00 · b5bb4cd085
commit b5bb4cd085
parent 8ec53cf870
3 changed files with 46 additions and 0 deletions
--- a/doc/application/index.rst
+++ b/doc/application/index.rst
@ -1199,6 +1199,7 @@ See :ref:`setting_configuration_values` for detailed documentation on setting
 Kconfig configuration values. The :ref:`initial-conf` section on the same page
 explains how the initial configuration is derived. See
 :ref:`configuration_options` for a complete list of configuration options.
+See :ref:`hardening` for security information related with Kconfig options.

 The other pages in the :ref:`Kconfig section of the manual <kconfig>` are also
 worth going through, especially if you planning to add new configuration
--- a/doc/security/hardening-tool.rst
+++ b/doc/security/hardening-tool.rst
@ -0,0 +1,44 @@
+.. _hardening:
+
+Hardening Tool
+##############
+
+Zephyr contains several optional features that make the overall system
+more secure. As we take advantage of hardware features, many of these
+options are platform specific and besides it, some of them are unknown
+by developers.
+
+To address this problem, Zephyr provides a tool that helps to check an
+application configuration option list against a list of hardening
+preferences defined by the **Security Group**. The tool can identify the build
+target and based on that provides suggestions and recommendations on how to
+optimize the configuration for security.
+
+Usage
+*****
+
+After configure of your application, change directory to the build folder and:
+
+.. code-block:: console
+
+   # ninja build system:
+   $ ninja hardenconfig
+   # make build system:
+   $ make hardenconfig
+
+The output should be similar to the one bellow:
+
+.. code-block:: console
+
+
+                          name                       |   current   |    recommended     ||        check result
+   ===================================================================================================================
+   CONFIG_HW_STACK_PROTECTION                        |      n      |         y          ||            FAIL
+   CONFIG_BOOT_BANNER                                |      y      |         n          ||            FAIL
+   CONFIG_PRINTK                                     |      y      |         n          ||            FAIL
+   CONFIG_EARLY_CONSOLE                              |      y      |         n          ||            FAIL
+   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT             |      n      |         y          ||            FAIL
+   CONFIG_DEBUG_INFO                                 |      y      |         n          ||            FAIL
+   CONFIG_TEST_RANDOM_GENERATOR                      |      y      |         n          ||            FAIL
+   CONFIG_BUILD_OUTPUT_STRIPPED                      |      n      |         y          ||            FAIL
+   CONFIG_STACK_SENTINEL                             |      n      |         y          ||            FAIL
--- a/doc/security/index.rst
+++ b/doc/security/index.rst
@ -13,3 +13,4 @@ for ensuring security is addressed within the Zephyr project.
   security-overview.rst
   secure-coding.rst
   sensor-threat.rst
+   hardening-tool.rst