Before launching a product, it’s crucial to ensure that your software is as secure as possible. This process, known as “hardening”, involves strengthening the security of a system to protect it from potential threats and vulnerabilities.
At a high level, hardening a Zephyr application can be seen as a two-fold process:
- Disabling features and compilation flags that might lead to security vulnerabilities (e.g., making sure that no "experimental" features are being used, and disabling features typically used for debugging purposes such as assertions, the shell, etc.).
- Enabling optional features that can improve security (e.g., stack sentinel, hardware stack protection, etc.). Some of these features may be hardware-dependent.
To simplify this process, Zephyr offers a hardening tool designed to analyze an application's configuration against a set of hardening preferences defined by the Security Working Group. The tool looks at the Kconfig options in the build target and provides tailored suggestions and recommendations to adjust security-related options.
Using west:
west build -b reel_board samples/hello_world
west build -t hardenconfig
Using CMake and ninja:
# Use cmake to configure a Ninja-based buildsystem:
cmake -Bbuild -GNinja -DBOARD=reel_board samples/hello_world
# Now run ninja on the generated build system:
ninja -Cbuild hardenconfig
The output should be similar to the table below. For each configuration option set to a value that could lead to a security vulnerability, the table will propose a recommended value that should be used instead.
name                                    | current | recommended || check result
================================================================================
CONFIG_BOOT_BANNER                      | y       | n           || FAIL
CONFIG_BUILD_OUTPUT_STRIPPED            | n       | y           || FAIL
CONFIG_FAULT_DUMP                       | 2       | 0           || FAIL
CONFIG_HW_STACK_PROTECTION              | n       | y           || FAIL
CONFIG_MPU_STACK_GUARD                  | n       | y           || FAIL
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT   | n       | y           || FAIL
CONFIG_STACK_SENTINEL                   | n       | y           || FAIL
CONFIG_EARLY_CONSOLE                    | y       | n           || FAIL
CONFIG_PRINTK                           | y       | n           || FAIL
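To make the comparison the table expresses concrete, here is a small added Python checker (not Zephyr's own hardenconfig script) that parses a Kconfig-style .config fragment and grades the options from the table above against their recommended values. The .config content is constructed for the example, and symbols absent from the file are treated as "n", a simplification of what the real tool does via Kconfig.

```python
import re

# Hardening preferences, copied from the hardenconfig table on this page.
RECOMMENDED = {
    "CONFIG_BOOT_BANNER": "n",
    "CONFIG_BUILD_OUTPUT_STRIPPED": "y",
    "CONFIG_FAULT_DUMP": "0",
    "CONFIG_HW_STACK_PROTECTION": "y",
    "CONFIG_MPU_STACK_GUARD": "y",
    "CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT": "y",
    "CONFIG_STACK_SENTINEL": "y",
    "CONFIG_EARLY_CONSOLE": "n",
    "CONFIG_PRINTK": "n",
}
SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_dotconfig(text):
    """Parse .config text into {symbol: value}; '# X is not set' becomes 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if m := UNSET_RE.match(line):
            values[m.group(1)] = "n"
        elif m := SET_RE.match(line):
            values[m.group(1)] = m.group(2).strip('"')
    return values

def check_hardening(values, recommended=RECOMMENDED):
    """Return (name, current, recommended, PASS/FAIL) per hardening symbol."""
    # Symbols absent from .config are treated as 'n' (simplification: the real
    # tool queries Kconfig, where e.g. int symbols may default differently).
    rows = []
    for name, rec in recommended.items():
        cur = values.get(name, "n")
        rows.append((name, cur, rec, "PASS" if cur == rec else "FAIL"))
    return rows

# Constructed .config fragment for demonstration, not real build output.
SAMPLE_DOTCONFIG = """\
CONFIG_BOOT_BANNER=y
CONFIG_FAULT_DUMP=2
# CONFIG_HW_STACK_PROTECTION is not set
CONFIG_STACK_SENTINEL=y
CONFIG_PRINTK=y
"""

if __name__ == "__main__":
    for name, cur, rec, res in check_hardening(parse_dotconfig(SAMPLE_DOTCONFIG)):
        print(f"{name:<40} | {cur:<8} | {rec:<12} || {res}")
```

On the sample fragment only CONFIG_STACK_SENTINEL and CONFIG_EARLY_CONSOLE pass; every other row is reported as FAIL with the recommended value beside it, mirroring the table format.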