Zephyr contains several optional features that make the overall system more secure. As we take advantage of hardware features, many of these options are platform specific and besides it, some of them are unknown by developers.
To address this problem, Zephyr provides a tool that helps to check an application configuration option list against a list of hardening preferences defined by the Security Group. The tool can identify the build target and based on that provides suggestions and recommendations on how to optimize the configuration for security.
After configure of your application, change directory to the build folder and:
# ninja build system: $ ninja hardenconfig # make build system: $ make hardenconfig
The output should be similar to the one bellow:
name | current | recommended || check result =================================================================================================================== CONFIG_HW_STACK_PROTECTION | n | y || FAIL CONFIG_BOOT_BANNER | y | n || FAIL CONFIG_PRINTK | y | n || FAIL CONFIG_EARLY_CONSOLE | y | n || FAIL CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT | n | y || FAIL CONFIG_DEBUG_INFO | y | n || FAIL CONFIG_TEST_RANDOM_GENERATOR | y | n || FAIL CONFIG_BUILD_OUTPUT_STRIPPED | n | y || FAIL CONFIG_STACK_SENTINEL | n | y || FAIL