doc: security: Add hardening tool information
Add basic reference to hardening tool.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit is contained in:
parent 8ec53cf870
commit b5bb4cd085
3 changed files with 46 additions and 0 deletions
|
@ -1199,6 +1199,7 @@ See :ref:`setting_configuration_values` for detailed documentation on setting
|
|||
Kconfig configuration values. The :ref:`initial-conf` section on the same page
|
||||
explains how the initial configuration is derived. See
|
||||
:ref:`configuration_options` for a complete list of configuration options.
|
||||
See :ref:`hardening` for security information related with Kconfig options.
|
||||
|
||||
The other pages in the :ref:`Kconfig section of the manual <kconfig>` are also
|
||||
worth going through, especially if you planning to add new configuration
|
||||
|
|
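Review bot: The added sentence "See :ref:`hardening` for security information related with Kconfig options." should read "related to Kconfig options". It would also help to say what the linked page actually offers, for example that it describes a tool that checks the application's Kconfig options against the hardening preferences, so readers of the configuration page know why to follow the reference.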
44
doc/security/hardening-tool.rst
Normal file
|
@ -0,0 +1,44 @@
|
|||
.. _hardening:
|
||||
|
||||
Hardening Tool
|
||||
##############
|
||||
|
||||
Zephyr contains several optional features that make the overall system
|
||||
more secure. As we take advantage of hardware features, many of these
|
||||
options are platform specific and besides it, some of them are unknown
|
||||
by developers.
|
||||
|
||||
To address this problem, Zephyr provides a tool that helps to check an
|
||||
application configuration option list against a list of hardening
|
||||
preferences defined by the **Security Group**. The tool can identify the build
|
||||
target and based on that provides suggestions and recommendations on how to
|
||||
optimize the configuration for security.
|
||||
|
||||
Usage
|
||||
*****
|
||||
|
||||
After configure of your application, change directory to the build folder and:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# ninja build system:
|
||||
$ ninja hardenconfig
|
||||
# make build system:
|
||||
$ make hardenconfig
|
||||
|
||||
The output should be similar to the one bellow:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
|
||||
name | current | recommended || check result
|
||||
===================================================================================================================
|
||||
CONFIG_HW_STACK_PROTECTION | n | y || FAIL
|
||||
CONFIG_BOOT_BANNER | y | n || FAIL
|
||||
CONFIG_PRINTK | y | n || FAIL
|
||||
CONFIG_EARLY_CONSOLE | y | n || FAIL
|
||||
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL
|
||||
CONFIG_DEBUG_INFO | y | n || FAIL
|
||||
CONFIG_TEST_RANDOM_GENERATOR | y | n || FAIL
|
||||
CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL
|
||||
CONFIG_STACK_SENTINEL | n | y || FAIL
|
|
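Review bot: The Usage section of the new doc/security/hardening-tool.rst shows sample output in which every row is FAIL, but it never says what the reader should do with a failed row, whether options that already match the recommendation are listed, or whether `hardenconfig` returns a non-zero status when a check fails. A short paragraph after the sample output should cover this, and should state which kind of build the recommended values are aimed at, since several of the listed options (CONFIG_PRINTK, CONFIG_BOOT_BANNER, CONFIG_DEBUG_INFO) turn off output and debug data that developers rely on during bring-up. Wording nits in the same file: "besides it, some of them are unknown by developers" reads better as "some of them are not well known to developers", "After configure of your application" should be "After configuring your application", and "bellow" should be "below".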
@ -13,3 +13,4 @@ for ensuring security is addressed within the Zephyr project.
|
|||
security-overview.rst
|
||||
secure-coding.rst
|
||||
sensor-threat.rst
|
||||
hardening-tool.rst
|
||||
|
|