1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
11 bool "Select all target specific packages by default"
16 bool "Select all kernel module packages by default"
19 bool "Select all userspace packages by default"
24 bool "Set build defaults for automatic builds (e.g. via buildbot)"
27 This option changes several defaults to be more suitable for
28 automatic builds. This includes the following changes:
29 - Deleting build directories after compiling (to save space)
30 - Enabling per-device rootfs support
33 config SIGNED_PACKAGES
34 bool "Cryptographically signed package lists"
37 config SIGNATURE_CHECK
38 bool "Enable signature checking in opkg"
39 default SIGNED_PACKAGES
41 comment "General build options"
43 config DISPLAY_SUPPORT
44 bool "Show packages that require graphics support (local or remote)"
49 bool "Compile with support for patented functionality"
51 When this option is disabled, software which provides patented functionality
52 will not be built. In case software provides optional support for patented
53 functionality, this optional support will get disabled for this package.
57 bool "Compile with full language support"
59 When this option is enabled, packages are built with the full versions of
60 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
61 used, it is also built with locale support.
63 config SHADOW_PASSWORDS
69 prompt "Remove ipkg/opkg status data files in final images"
72 This removes all ipkg/opkg status data files from the target directory
73 before building the root filesystem.
76 bool "Include build configuration in firmware" if DEVEL
79 If enabled, config.seed will be stored in /etc/build.config of firmware.
81 config COLLECT_KERNEL_DEBUG
83 prompt "Collect kernel debug information"
84 select KERNEL_DEBUG_INFO
87 This collects debugging symbols from the kernel and all compiled modules.
88 Useful for release builds, so that kernel issues can be debugged offline
91 menu "Kernel build options"
93 source "config/Config-kernel.in"
97 comment "Package build options"
101 prompt "Compile packages with debugging info"
104 Adds -g3 to the CFLAGS.
108 prompt "Enable IPv6 support in packages"
111 Enables IPv6 support in kernel (builtin) and packages.
113 comment "Stripping options"
116 prompt "Binary stripping method"
117 default USE_STRIP if EXTERNAL_TOOLCHAIN
118 default USE_STRIP if USE_GLIBC
121 Select the binary stripping method you wish to use.
126 This will install unstripped binaries (useful for native
127 compiling/debugging).
132 This will install binaries stripped using strip from binutils.
137 depends on !USE_GLIBC
139 This will install binaries stripped using sstrip.
144 prompt "Strip arguments"
146 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
147 default "--strip-all"
149 Specifies arguments passed to the strip command when stripping binaries.
151 config STRIP_KERNEL_EXPORTS
152 bool "Strip unnecessary exports from the kernel image"
154 Reduces kernel size by stripping unused kernel exports from the kernel
155 image. Note that this might make the kernel incompatible with any kernel
156 modules that were not selected at the time the kernel image was created.
159 bool "Strip unnecessary functions from libraries"
161 Reduces libraries to only those functions that are necessary for using all
162 selected packages (including those selected as <M>). Note that this will
163 make the system libraries incompatible with most of the packages that are
164 not selected during the build process.
167 prompt "Preferred standard C++ library"
168 default USE_LIBSTDCXX if USE_GLIBC
171 Select the preferred standard C++ library for all packages that support this.
180 comment "Hardening build options"
182 config PKG_CHECK_FORMAT_SECURITY
184 prompt "Enable gcc format-security"
187 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
188 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
193 prompt "User space ASLR PIE compilation"
194 select BUSYBOX_DEFAULT_PIE
197 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
198 This enables package build as Position Independent Executables (PIE)
199 to protect against "return-to-text" attacks. This belongs to the
200 feature of Address Space Layout Randomisation (ASLR), which is
201 implemented by the kernel and the ELF loader by randomising the
202 location of memory allocations. This makes memory addresses harder
203 to predict when an attacker is attempting a memory-corruption exploit.
204 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
208 prompt "User space Stack-Smashing Protection"
210 default PKG_CC_STACKPROTECTOR_REGULAR
212 Enable GCC Stack Smashing Protection (SSP) for userspace applications
213 config PKG_CC_STACKPROTECTOR_NONE
215 config PKG_CC_STACKPROTECTOR_REGULAR
217 select GCC_LIBSSP if !USE_MUSL
218 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
219 config PKG_CC_STACKPROTECTOR_STRONG
221 select GCC_LIBSSP if !USE_MUSL
222 depends on !GCC_VERSION_4_8
223 depends on KERNEL_CC_STACKPROTECTOR_STRONG
227 prompt "Kernel space Stack-Smashing Protection"
228 default KERNEL_CC_STACKPROTECTOR_REGULAR
229 depends on USE_MUSL || !(x86_64 || i386)
231 Enable GCC Stack-Smashing Protection (SSP) for the kernel
232 config KERNEL_CC_STACKPROTECTOR_NONE
234 config KERNEL_CC_STACKPROTECTOR_REGULAR
236 config KERNEL_CC_STACKPROTECTOR_STRONG
237 depends on !GCC_VERSION_4_8
242 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
243 default PKG_FORTIFY_SOURCE_1
245 Enable the _FORTIFY_SOURCE macro which introduces additional
246 checks to detect buffer-overflows in the following standard library
247 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
248 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
249 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
250 checks that shouldn't change the behavior of conforming programs,
251 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
252 added, but some conforming programs might fail.
253 config PKG_FORTIFY_SOURCE_NONE
255 config PKG_FORTIFY_SOURCE_1
257 config PKG_FORTIFY_SOURCE_2
262 prompt "Enable RELRO protection"
263 default PKG_RELRO_FULL
265 Enable a link-time protection known as RELRO (Relocation Read Only)
266 which helps to protect from certain type of exploitation techniques
267 altering the content of some ELF sections. "Partial" RELRO makes the
268 .dynamic section not writeable after initialization, introducing
269 almost no performance penalty, while "full" RELRO also marks the GOT
270 as read-only at the cost of initializing all of it at startup.
271 config PKG_RELRO_NONE
273 config PKG_RELRO_PARTIAL
275 config PKG_RELRO_FULL