This is the documentation for the latest (main) development branch of Zephyr.

Hardening Tool

Zephyr contains several optional features that make the overall system more secure. Because they take advantage of hardware features, many of these options are platform-specific, and some of them are not known to developers.

To address this problem, Zephyr provides a tool that checks an application's configuration options against a list of hardening preferences defined by the Security Group. The tool identifies the build target and, based on that, provides suggestions and recommendations on how to optimize the configuration for security.

Usage

After configuring your application, change directory to the build folder and run:

# ninja build system:
$ ninja hardenconfig
# make build system:
$ make hardenconfig

The output should be similar to the one below:

                       name                       |   current   |    recommended     ||        check result
===================================================================================================================
CONFIG_HW_STACK_PROTECTION                        |      n      |         y          ||            FAIL
CONFIG_BOOT_BANNER                                |      y      |         n          ||            FAIL
CONFIG_PRINTK                                     |      y      |         n          ||            FAIL
CONFIG_EARLY_CONSOLE                              |      y      |         n          ||            FAIL
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT             |      n      |         y          ||            FAIL
CONFIG_DEBUG_INFO                                 |      y      |         n          ||            FAIL
CONFIG_TEST_RANDOM_GENERATOR                      |      y      |         n          ||            FAIL
CONFIG_BUILD_OUTPUT_STRIPPED                      |      n      |         y          ||            FAIL
CONFIG_STACK_SENTINEL                             |      n      |         y          ||            FAIL
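
The report can be checked automatically, for example as a CI gate. The following script is an added example and not part of Zephyr: it assumes the report has the column layout shown above and is piped in or saved to a file, and the function names and the `SAMPLE` rows are constructed for illustration. It lists the options marked FAIL, prints a configuration fragment that sets each one to its recommended value, and exits non-zero when any check failed.

```python
import re
import sys

# Constructed sample: three rows copied from the report layout shown above.
SAMPLE = """\
                       name                       |   current   |    recommended     ||        check result
===================================================================================================================
CONFIG_HW_STACK_PROTECTION                        |      n      |         y          ||            FAIL
CONFIG_BOOT_BANNER                                |      y      |         n          ||            FAIL
CONFIG_STACK_SENTINEL                             |      n      |         y          ||            FAIL
"""

# name | current | recommended || check result
ROW = re.compile(r"^\s*(CONFIG_\w+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\|\s*(\S+)\s*$")


def parse_report(text):
    """Return one dict per option row; the header, the rule and build-tool noise are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            keys = ("name", "current", "recommended", "result")
            rows.append(dict(zip(keys, m.groups())))
    return rows


def failures(rows):
    """Rows whose check result column reads FAIL."""
    return [r for r in rows if r["result"] == "FAIL"]


def fragment(rows):
    """Configuration fragment lines that set each given option to its recommended value."""
    return [f"{r['name']}={r['recommended']}" for r in rows]


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else sys.stdin.read()
    failed = failures(parse_report(text))
    for r in failed:
        print(f"{r['name']}: current={r['current']} recommended={r['recommended']}", file=sys.stderr)
    print("\n".join(fragment(failed)))
    return 1 if failed else 0  # non-zero exit status fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Review the generated fragment before merging it into the application configuration, since some recommended values (for example disabling `CONFIG_PRINTK`) change what the application can output.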