Update the README
author: Alexander Popov <alex.popov@linux.com>
Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)
committer: Alexander Popov <alex.popov@linux.com>
Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)
Refers to #67.

README.md

index dbdc1f3b72ae1911268aaceffc8c29823795e2fa..735a89120ca51692f42c1606bfa271dc87344546 100644 (file)
--- a/README.md
+++ b/README.md
@@ -63,24 +63,28 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package.
 
 ## Usage
 ```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
-                              [-l CMDLINE] [-m {verbose,json,show_ok,show_fail}]
+usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+                              [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}]
+                              [-g {X86_64,X86_32,ARM64,ARM}]
 
 A tool for checking the security hardening options of the Linux kernel
 
 options:
   -h, --help            show this help message and exit
   --version             show program's version number and exit
-  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
-                        print the security hardening recommendations for the selected
-                        microarchitecture
+  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
+                        choose the report mode
   -c CONFIG, --config CONFIG
-                        check the security hardening options in the kernel kconfig file (also
-                        supports *.gz files)
+                        check the security hardening options in the kernel Kconfig file
+                        (also supports *.gz files)
   -l CMDLINE, --cmdline CMDLINE
                         check the security hardening options in the kernel cmdline file
-  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
-                        choose the report mode
+  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+                        print the security hardening recommendations for the selected
+                        microarchitecture
+  -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+                        generate a Kconfig fragment with the security hardening options for
+                        the selected microarchitecture
 ```
 
 ## Output modes
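Review bot: the new `-g` help string ("generate a Kconfig fragment with the security hardening options for the selected microarchitecture") does not say where the fragment goes; the example added later in this same commit depends on redirecting stdout (`-g X86_64 > /tmp/fragment`), so consider wording it as "print a Kconfig fragment ... (to stdout)" or adding a sentence under Usage, otherwise a reader may expect a file to be created. It would also help to state whether `-p`/`-g` can be combined with `-c`/`-l`, since the reordered usage line now lists all five options together without indicating which ones are mutually exclusive.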
@@ -338,14 +342,22 @@ sysrq_always_enabled                    |cmdline| is not set |    my    |cut_att
 [+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
 ```
 
-## kconfig-hardened-check versioning
-
-I usually update the kernel security hardening recommendations every few kernel releases.
+## Generating a Kconfig fragment with the security hardening options
 
-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+With the `-g` argument the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
 
+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```
 
 ## Questions and answers
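Review bot: the "kconfig-hardened-check versioning" section, including the __[major_number].[kernel_version].[kernel_patchlevel]__ format, is deleted here with no replacement, and the commit message ("Update the README", "Refers to #67") does not say the scheme is being dropped; if it still applies, move that text rather than removing it, or state the removal explicitly in the message. In the new merge example, the "Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment" lines are the expected effect of the fragment overriding the base config, so one sentence saying these messages are normal would stop readers treating them as errors; and since the point of the fragment is to end up with a hardened config, suggest closing the example with a verification step using the `-c CONFIG` option documented in Usage, e.g. `./bin/kconfig-hardened-check -c .config`, so the reader sees that the merged result should be re-checked rather than assumed.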