Out-of-box security hardening for Zephyr
All Scenario OS should provide an OS that is secure out of the box. This allows users to get the best-in-class security features available in Zephyr RTOS without needing to tweak kernel and toolchain features.
The high-level ideas of basic Zephyr security:
- Defense in depth: have multiple layers of protection
- Reduce the attack surface
- Harden settings to limit the impact of further attacks (e.g. file permissions) or known issues (limit buffer overflows with compiler options)
- Enable kernel security options
- Verify configuration to avoid unsafe settings by default
- Add firewalling
- Require reliable system update (with verified images)
- Update packages for known CVEs
This task includes basic Zephyr system hardening techniques. Other tasks exist for networking, sandboxing, OTA and vulnerability handling.
The security hardening settings are enabled in the default builds.
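
One way to verify that a default build carries the hardening settings is to audit the generated Kconfig `.config` against a policy. This is an added example, not code from the project: the `POLICY` table is an illustrative assumption about which Zephyr symbols to check, and the sample `.config` text is constructed.

```python
import re

# Illustrative policy (assumption): Zephyr Kconfig symbols and the value a
# hardened default build is expected to carry. Adjust per board and project.
POLICY = {
    "CONFIG_STACK_CANARIES": "y",       # compiler stack-smashing protection
    "CONFIG_HW_STACK_PROTECTION": "y",  # hardware-backed stack overflow detection
    "CONFIG_USERSPACE": "y",            # unprivileged threads and memory domains
    "CONFIG_SHELL": "n",                # interactive shell widens the attack surface
    "CONFIG_DEBUG": "n",                # development-only build setting
}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_dotconfig(text):
    """Parse Kconfig .config text into {symbol: value}; unset bools become 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def audit(text, policy=POLICY):
    """Return sorted (symbol, expected, actual) tuples for each policy violation."""
    values = parse_dotconfig(text)
    # A symbol absent from .config is not enabled, so it is treated as 'n'.
    return sorted((sym, want, values.get(sym, "n"))
                  for sym, want in policy.items()
                  if values.get(sym, "n") != want)


# Constructed sample, not taken from a real build.
SAMPLE = """\
CONFIG_STACK_CANARIES=y
# CONFIG_HW_STACK_PROTECTION is not set
CONFIG_USERSPACE=y
CONFIG_SHELL=y
CONFIG_MAIN_STACK_SIZE=1024
"""
```

Running `audit()` over the `.config` in the build directory as a CI step turns an unsafe setting into a failed build rather than a shipped image.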