1.. _hardening:
2
3Hardening Tool
4##############
5
6Before launching a product, it's crucial to ensure that your software is as secure as possible. This
7process, known as "hardening", involves strengthening the security of a system to protect it from
8potential threats and vulnerabilities.
9
10At a high-level, hardening a Zephyr application can be seen as a two-fold process:
11
12#. Disabling features and compilation flags that might lead to security vulnerabilities (ex. making
13   sure that no "experimental" features are being used, disabling features typically used for
14   debugging purposes such as assertions, shell, etc.).
15#. Enabling optional features that can lead to improve security (ex. stack sentinel, hardware stack
16   protection, etc.). Some of these features might be hardware-dependent.
17
18To simplify this process, Zephyr offers a **hardening tool** designed to analyze an application's
19configuration against a set of hardening preferences defined by the **Security Working Group**. The
20tool looks at the KConfig options in the build target and provides tailored suggestions and
21recommendations to adjust security-related options.
22
23Usage
24*****
25
26.. zephyr-app-commands::
27    :tool: all
28    :zephyr-app: samples/hello_world
29    :board: reel_board
30    :goals: hardenconfig
31
32The output should be similar to the table below. For each configuration option set to a value that
33could lead to a security vulnerability, the table will propose a recommended value that should be
34used instead.
35
36.. code-block:: console
37
38                  name                       |   current   |  recommended   ||    check result
39   ================================================================================================
40   CONFIG_BOOT_BANNER                        |      y      |       n        ||       FAIL
41   CONFIG_BUILD_OUTPUT_STRIPPED              |      n      |       y        ||       FAIL
42   CONFIG_FAULT_DUMP                         |      2      |       0        ||       FAIL
43   CONFIG_HW_STACK_PROTECTION                |      n      |       y        ||       FAIL
44   CONFIG_MPU_STACK_GUARD                    |      n      |       y        ||       FAIL
45   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT     |      n      |       y        ||       FAIL
46   CONFIG_STACK_SENTINEL                     |      n      |       y        ||       FAIL
47   CONFIG_EARLY_CONSOLE                      |      y      |       n        ||       FAIL
48   CONFIG_PRINTK                             |      y      |       n        ||       FAIL
49