doc: security: Add hardening tool information

Flavio Ceolin · nashif · commit b5bb4cd085c7 · 2020-02-06T23:05:38.000-05:00
Add basic reference to hardening tool.

Signed-off-by: Flavio Ceolin &lt;flavio.ceolin@intel.com&gt;
diff --git a/doc/application/index.rst b/doc/application/index.rst
@@ -1199,6 +1199,7 @@ See :ref:`setting_configuration_values` for detailed documentation on setting
 Kconfig configuration values. The :ref:`initial-conf` section on the same page
 explains how the initial configuration is derived. See
 :ref:`configuration_options` for a complete list of configuration options.
+See :ref:`hardening` for security information related with Kconfig options.
 
 The other pages in the :ref:`Kconfig section of the manual <kconfig>` are also
 worth going through, especially if you planning to add new configuration
diff --git a/doc/security/hardening-tool.rst b/doc/security/hardening-tool.rst
@@ -0,0 +1,44 @@
+.. _hardening:
+
+Hardening Tool
+##############
+
+Zephyr contains several optional features that make the overall system
+more secure. As we take advantage of hardware features, many of these
+options are platform specific and besides it, some of them are unknown
+by developers.
+
+To address this problem, Zephyr provides a tool that helps to check an
+application configuration option list against a list of hardening
+preferences defined by the **Security Group**. The tool can identify the build
+target and based on that provides suggestions and recommendations on how to
+optimize the configuration for security.
+
+Usage
+*****
+
+After configure of your application, change directory to the build folder and:
+
+.. code-block:: console
+
+   # ninja build system:
+   $ ninja hardenconfig
+   # make build system:
+   $ make hardenconfig
+
+The output should be similar to the one bellow:
+
+.. code-block:: console
+
+
+                          name                       |   current   |    recommended     ||        check result
+   ===================================================================================================================
+   CONFIG_HW_STACK_PROTECTION                        |      n      |         y          ||            FAIL
+   CONFIG_BOOT_BANNER                                |      y      |         n          ||            FAIL
+   CONFIG_PRINTK                                     |      y      |         n          ||            FAIL
+   CONFIG_EARLY_CONSOLE                              |      y      |         n          ||            FAIL
+   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT             |      n      |         y          ||            FAIL
+   CONFIG_DEBUG_INFO                                 |      y      |         n          ||            FAIL
+   CONFIG_TEST_RANDOM_GENERATOR                      |      y      |         n          ||            FAIL
+   CONFIG_BUILD_OUTPUT_STRIPPED                      |      n      |         y          ||            FAIL
+   CONFIG_STACK_SENTINEL                             |      n      |         y          ||            FAIL
diff --git a/doc/security/index.rst b/doc/security/index.rst
@@ -13,3 +13,4 @@ for ensuring security is addressed within the Zephyr project.
    security-overview.rst
    secure-coding.rst
    sensor-threat.rst
+   hardening-tool.rst
