doc: security: Add hardening tool information

Add basic reference to hardening tool.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Flavio Ceolin 2020-01-29 11:32:25 -08:00 committed by Anas Nashif
commit b5bb4cd085
3 changed files with 46 additions and 0 deletions

@ -1199,6 +1199,7 @@ See :ref:`setting_configuration_values` for detailed documentation on setting
Kconfig configuration values. The :ref:`initial-conf` section on the same page
explains how the initial configuration is derived. See
:ref:`configuration_options` for a complete list of configuration options.
See :ref:`hardening` for security information related with Kconfig options.
The other pages in the :ref:`Kconfig section of the manual <kconfig>` are also
worth going through, especially if you planning to add new configuration
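Review bot: The added sentence reads "security information related with Kconfig options"; this should be "related to", and the sentence would serve the reader better if it said what the target page offers, for example that it describes a tool that checks Kconfig options against security recommendations. The label `hardening` is also very general for a page titled "Hardening Tool"; a more specific label would leave `hardening` free for a broader page later.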

@ -0,0 +1,44 @@
.. _hardening:
Hardening Tool
##############
Zephyr contains several optional features that make the overall system
more secure. As we take advantage of hardware features, many of these
options are platform specific and besides it, some of them are unknown
by developers.
To address this problem, Zephyr provides a tool that helps to check an
application configuration option list against a list of hardening
preferences defined by the **Security Group**. The tool can identify the build
target and based on that provides suggestions and recommendations on how to
optimize the configuration for security.
Usage
*****
After configure of your application, change directory to the build folder and:
.. code-block:: console
# ninja build system:
$ ninja hardenconfig
# make build system:
$ make hardenconfig
The output should be similar to the one bellow:
.. code-block:: console
name | current | recommended || check result
===================================================================================================================
CONFIG_HW_STACK_PROTECTION | n | y || FAIL
CONFIG_BOOT_BANNER | y | n || FAIL
CONFIG_PRINTK | y | n || FAIL
CONFIG_EARLY_CONSOLE | y | n || FAIL
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL
CONFIG_DEBUG_INFO | y | n || FAIL
CONFIG_TEST_RANDOM_GENERATOR | y | n || FAIL
CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL
CONFIG_STACK_SENTINEL | n | y || FAIL
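Review bot: The Usage section stops at the sample table without telling the reader how to act on it. Every row shown is FAIL, and the text does not say whether options that pass are listed, how the recommended values depend on the detected build target, or whether entries such as CONFIG_PRINTK and CONFIG_DEBUG_INFO are expected to fail in a development build; one or two sentences after the table covering this would make the output usable. Wording also needs a pass: "besides it, some of them are unknown by developers" is unclear, "After configure of your application" should be "After configuring your application", and "bellow" should be "below".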

@ -13,3 +13,4 @@ for ensuring security is addressed within the Zephyr project.
security-overview.rst
secure-coding.rst
sensor-threat.rst
hardening-tool.rst