diff --git a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
index b59ab236867cfb28ef0dddc197d03b5009de7a06..39b73fc1a59fab7ce9436b68096030eec83b436b 100644
--- a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
+++ b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
@@ -14,6 +14,7 @@ SRC_URI += "file://hardening_dmesg.cfg"
 SRC_URI += "file://hardening_fortify_source.cfg"
 SRC_URI += "file://hardening_memory.cfg"
 # SRC_URI += "file://hardening_oops.cfg"
+SRC_URI += "file://hardening_toolchain.cfg"
 SRC_URI += "file://hardening_usercopy.cfg"
 SRC_URI += "file://hardening_validation_checks.cfg"
 
diff --git a/meta-ohos-core/recipes-kernel/linux/linux/hardening_toolchain.cfg b/meta-ohos-core/recipes-kernel/linux/linux/hardening_toolchain.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..970c556e1cc9a2212d10af566f298176c71b9e5c
--- /dev/null
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_toolchain.cfg
@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Hardening through toolchain features
+
+CONFIG_GCC_PLUGINS=y
+
+# More of a demo of how to write compiler plugins, not useful in production
+# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
+
+# Generate additional entropy during boot and runtime
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
+
+# Randomize struct layout - this should be enabled in paranoid
+# mode, but severely impacts performance
+# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
+
+# Randomize struct layout limited to cacheline sized groups of elements
+# This is like a compromise between GCC_PLUGIN_RANDSTRUCT and
+# maximum performance.
+CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
+
+# Adds a __sanitizer_cov_trace_pc() call to all basic blocks. This can
+# be useful during development, but shouldn't be in a product.
+# CONFIG_GCC_PLUGIN_SANCOV is not set
+
+# Erase the kernel stack before returning from system calls
+# Comes with a 1% slowdown in many situations; might be worse
+# (and worth disabling) in some use cases.
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+
+# Zero-initialize structures - enables STRUCTLEAK options below
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+
+# Zero-initialize structures that may be passed by reference
+# This should be enabled in paranoid mode, but has a significant
+# impact on performance and memory use since variables that could
+# otherwise be optimized out will remain on the stack.
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
+
+# Zero-initialize structures with __user attribute
+# Introduces a small slowdown from initializing twice in many
+# cases, but can prevent some information exposures as long
+# as there are uninitialized structs in the kernel.
+CONFIG_GCC_PLUGIN_STRUCTLEAK_USER=y
+
+# More verbose output in build logs - not very useful here
+# because people are unlikely to read kernel build logs from
+# a build inside bitbake
+# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
+
+# Per-task stack smashing protection on ARM
+CONFIG_GCC_PLUGIN_ARM_SSP_PER_TASK=y