Introduce Kconfig option in zephyr build system that reflects the TF-M
cmake config variable with the same default value for dummy provisioning
and have it satisfy the IAK present requirement.
This configuration is not suitable for production, and by having this
in zephyr configuration we can have this as part of the hardened
configuration check.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The experimental status of the PPP L2 is long overdue so
it can be removed as the component is working fine.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This commit adds the requirement for the `TIMER_RANDOM_GENERATOR`
Kconfig to be set to `n` because it enables timer-based pseudo-random
number generator, which is only intended to be used for testing
purposes.
Signed-off-by: Stephanos Ioannidis <stephanos.ioannidis@nordicsemi.no>
As per #38352, we would like to start building out PTP (IEEE 1588)
support for superset of gPTP functionality in Zephyr. This is the first
step to abstract away some key interfaces from NET_GPTP umbrella to
NET_L2_PTP.
Signed-off-by: Alex Sergeev <asergeev@carbonrobotics.com>
Remove this intrusive tracing feature in favor of the new object tracing
using the main tracing feature in zephyr. See #33603 for the new tracing
coverage for all objects.
This will allow for support in more tools and less reliance on GDB for
tracing objects.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Removing CONFIG_TRACING_CPU_STATS in favor of
CONFIG_THREAD_RUNTIME_STATS which provides per thread stats. The same
functionality is also available when Thread analyzer is enabled with the
runtime stats enabled.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
The exported structures that were originally introduced for OpenOCD have
since then been reused for other debugger plugins, including PyOCD and
Segger J-Link.
Rename the Kconfig option and the implementation from openocd to debug
thread info, so that it reflects the fact that this is no longer
specifically tied to OpenOCD.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Log the security keys that the sniffer needs in order to sucessfully
decrypt the connection.
This option allows the sniffer to work in the cases where enabling
using the SMP debug keys is not wanted, either because it changes the
way the peer behaves or is denied by the peer.
It also enables the sniffer to decrypt a connection where the bond
already exists.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Mark the option BT_FIXED_PASSKEY as an insecure option.
During Legacy pairing the passkey is used as encryption key, and
brute-forcing this is easy.
During LE Secure Connections the passkey is checked one bit at a time,
so when it is fixed the passkey can be deduced with series of pairing
attempts.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
This code had one purpose only, feed timing information into a test and
was not used by anything else. The custom trace points unfortunatly were
not accurate and this test was delivering informatin that conflicted
with other tests we have due to placement of such trace points in the
architecture and kernel code.
For such measurements we are planning to use the tracing functionality
in a special mode that would be used for metrics without polluting the
architecture and kernel code with additional tracing and timing code.
Furthermore, much of the assembly code used had issues.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The extra empty line broke the "ninja hardenconfig" on my machine with
Python 3.7.5, it complains:
"
... ...
File "/home/zephyrproject/zephyr/scripts/kconfig/hardenconfig.py",
line 46, in compare_with_hardened_conf
name = row[0]
IndexError: list index out of range
FAILED: CMakeFiles/hardenconfig
"
The csv.reader reads this empty line and gets an empty list which will
not be successfully "de-referenced". Removing it to improve the
out-of-box experience when pepople try out the hardening options.
Signed-off-by: Wenbo Yang <wenbo.yangcn@gmail.com>
This adds CONFIG_BT_CONN_DISABLE_SECURITY which can be used to disable
security checks for incoming requests enabling to test accessing GATT
attributes and L2CAP channels that would otherwise require
encryption/authentication in order to be accessed.
It depends on BT_TESTING to indicate to the users that this is a
testing feature which shall not be used in production.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Add warning about enabling the options below so that users are
aware that this is a security risk.
- CONFIG_BT_DEBUG_SMP
- CONFIG_BT_DEBUG_KEYS
- CONFIG_BT_OOB_DATA_FIXED
- CONFIG_BT_USE_DEBUG_KEYS
- CONFIG_BT_STORE_DEBUG_KEYS
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
MCMUMGR file system management is discouraged in production, just
adding it to the recommendation list.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Remove Kconfig, linker script, and related bits associated with
CUSTOM_RODATA_LD, CUSTOM_RWDATA_LD, CUSTOM_SECTIONS_LD,
SOC_NOINIT_LD, SOC_RODATA_LD, and SOC_RWDATA_LD options that have been
deprecated since Zephyr 2.2.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Basic tool to help checking Kconfig options against a list of
hardening preferences.
This tool is available as a kconfig target, so to run it:
make/ninja hardenconfig
[Flavio Ceolin: Simplify logic and fix python lint issues]
Signed-off-by: Lauren Murphy <lauren.murphy@intel.com>
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
