doc: security: Refresh hardening tool doc page

Improved the wording of the Hardening tool documentation to better
reflect that it does suggestions for both options that could be enabled
for improved security, as well as options that should be disabled for
they may expose to vulnerabilities. Also fixed the "Usage" section which
was stale.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>

doc/security/hardening-tool.rst

@@ -3,42 +3,46 @@
 Hardening Tool
 ##############
 
-Zephyr contains several optional features that make the overall system
+Before launching a product, it's crucial to ensure that your software is as secure as possible. This
-more secure. As we take advantage of hardware features, many of these
+process, known as "hardening", involves strengthening the security of a system to protect it from
-options are platform specific and besides it, some of them are unknown
+potential threats and vulnerabilities.
-by developers.
 
-To address this problem, Zephyr provides a tool that helps to check an
+At a high-level, hardening a Zephyr application can be seen as a two-fold process:
-application configuration option list against a list of hardening
+
-preferences defined by the **Security Group**. The tool can identify the build
+#. Disabling features and compilation flags that might lead to security vulnerabilities (ex. making
-target and based on that provides suggestions and recommendations on how to
+   sure that no "experimental" features are being used, disabling features typically used for
-optimize the configuration for security.
+   debugging purposes such as assertions, shell, etc.).
+#. Enabling optional features that can lead to improve security (ex. stack sentinel, hardware stack
+   protection, etc.). Some of these features might be hardware-dependent.
+
+To simplify this process, Zephyr offers a **hardening tool** designed to analyze an application's
+configuration against a set of hardening preferences defined by the **Security Working Group**. The
+tool looks at the KConfig options in the build target and provides tailored suggestions and
+recommendations to adjust security-related options.
 
 Usage
 *****
 
-After configure of your application, change directory to the build folder and:
+.. zephyr-app-commands::
+    :tool: all
+    :app: samples/hello_world
+    :board: reel_board
+    :goals: hardenconfig
+
+The output should be similar to the table below. For each configuration option set to a value that
+could lead to a security vulnerability, the table will propose a recommended value that should be
+used instead.
 
 .. code-block:: console
 
-   # ninja build system:
+                  name                       |   current   |  recommended   ||    check result
-   $ ninja hardenconfig
+   ================================================================================================
-   # make build system:
+   CONFIG_BOOT_BANNER                        |      y      |       n        ||       FAIL
-   $ make hardenconfig
+   CONFIG_BUILD_OUTPUT_STRIPPED              |      n      |       y        ||       FAIL
-
+   CONFIG_FAULT_DUMP                         |      2      |       0        ||       FAIL
-The output should be similar to the one bellow:
+   CONFIG_HW_STACK_PROTECTION                |      n      |       y        ||       FAIL
-
+   CONFIG_MPU_STACK_GUARD                    |      n      |       y        ||       FAIL
-.. code-block:: console
+   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT     |      n      |       y        ||       FAIL
-
+   CONFIG_STACK_SENTINEL                     |      n      |       y        ||       FAIL
-
+   CONFIG_EARLY_CONSOLE                      |      y      |       n        ||       FAIL
-                          name                       |   current   |    recommended     ||        check result
+   CONFIG_PRINTK                             |      y      |       n        ||       FAIL
-   ===================================================================================================================
-   CONFIG_HW_STACK_PROTECTION                        |      n      |         y          ||            FAIL
-   CONFIG_BOOT_BANNER                                |      y      |         n          ||            FAIL
-   CONFIG_PRINTK                                     |      y      |         n          ||            FAIL
-   CONFIG_EARLY_CONSOLE                              |      y      |         n          ||            FAIL
-   CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT             |      n      |         y          ||            FAIL
-   CONFIG_DEBUG_INFO                                 |      y      |         n          ||            FAIL
-   CONFIG_TEST_RANDOM_GENERATOR                      |      y      |         n          ||            FAIL
-   CONFIG_BUILD_OUTPUT_STRIPPED                      |      n      |         y          ||            FAIL
-   CONFIG_STACK_SENTINEL                             |      n      |         y          ||            FAIL