Hardening Tool
Before launching a product, it’s crucial to ensure that your software is as secure as possible. This process, known as “hardening”, involves strengthening the security of a system to protect it from potential threats and vulnerabilities.
At a high-level, hardening a Zephyr application can be seen as a two-fold process:
Disabling features and compilation flags that might lead to security vulnerabilities (ex. making sure that no “experimental” features are being used, disabling features typically used for debugging purposes such as assertions, shell, etc.).
Enabling optional features that can lead to improve security (ex. stack sentinel, hardware stack protection, etc.). Some of these features might be hardware-dependent.
To simplify this process, Zephyr offers a hardening tool designed to analyze an application’s configuration against a set of hardening preferences defined by the Security Working Group. The tool looks at the KConfig options in the build target and provides tailored suggestions and recommendations to adjust security-related options.
Usage
Using west:
west build -b reel_board samples/hello_world
west build -t hardenconfig
Using CMake and ninja:
# Use cmake to configure a Ninja-based buildsystem:
cmake -Bbuild -GNinja -DBOARD=reel_board samples/hello_world
# Now run the build tool on the generated build system:
ninja -Cbuild hardenconfig
The output should be similar to the table below. For each configuration option set to a value that could lead to a security vulnerability, the table will propose a recommended value that should be used instead.
name | current | recommended || check result
================================================================================================
CONFIG_BOOT_BANNER | y | n || FAIL
CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL
CONFIG_FAULT_DUMP | 2 | 0 || FAIL
CONFIG_HW_STACK_PROTECTION | n | y || FAIL
CONFIG_MPU_STACK_GUARD | n | y || FAIL
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL
CONFIG_STACK_SENTINEL | n | y || FAIL
CONFIG_EARLY_CONSOLE | y | n || FAIL
CONFIG_PRINTK | y | n || FAIL