1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
11 bool "Select all target specific packages by default"
16 bool "Select all kernel module packages by default"
19 bool "Select all userspace packages by default"
24 bool "Set build defaults for automatic builds (e.g. via buildbot)"
27 This option changes several defaults to be more suitable for
28 automatic builds. This includes the following changes:
29 - Deleting build directories after compiling (to save space)
30 - Enabling per-device rootfs support
33 config SIGNED_PACKAGES
34 bool "Cryptographically signed package lists"
37 comment "General build options"
40 bool "Use the testing kernel version"
41 depends on HAS_TESTING_KERNEL
44 If the target supports a newer kernel version than the default,
45 you can use this config option to enable it
48 config DISPLAY_SUPPORT
49 bool "Show packages that require graphics support (local or remote)"
54 bool "Compile with support for patented functionality"
56 When this option is disabled, software which provides patented functionality
57 will not be built. In case software provides optional support for patented
58 functionality, this optional support will get disabled for this package.
62 bool "Compile with full language support"
64 When this option is enabled, packages are built with the full versions of
65 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
66 used, it is also built with locale support.
68 config SHADOW_PASSWORDS
74 prompt "Remove ipkg/opkg status data files in final images"
77 This removes all ipkg/opkg status data files from the target directory
78 before building the root filesystem.
80 config IPK_FILES_CHECKSUMS
82 prompt "Record files checksums in package metadata"
85 This makes file checksums part of package metadata. It increases size
86 but provides you with pkg_check command to check for flash coruptions.
89 bool "Include build configuration in firmware" if DEVEL
92 If enabled, config.seed will be stored in /etc/build.config of firmware.
94 config COLLECT_KERNEL_DEBUG
96 prompt "Collect kernel debug information"
97 select KERNEL_DEBUG_INFO
100 This collects debugging symbols from the kernel and all compiled modules.
101 Useful for release builds, so that kernel issues can be debugged offline
104 menu "Kernel build options"
106 source "config/Config-kernel.in"
110 comment "Package build options"
114 prompt "Compile packages with debugging info"
117 Adds -g3 to the CFLAGS.
121 prompt "Enable IPv6 support in packages"
124 Enables IPv6 support in kernel (builtin) and packages.
126 comment "Stripping options"
129 prompt "Binary stripping method"
130 default USE_STRIP if EXTERNAL_TOOLCHAIN
131 default USE_STRIP if USE_GLIBC
134 Select the binary stripping method you wish to use.
139 This will install unstripped binaries (useful for native
140 compiling/debugging).
145 This will install binaries stripped using strip from binutils.
150 depends on !USE_GLIBC
152 This will install binaries stripped using sstrip.
157 prompt "Strip arguments"
159 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
160 default "--strip-all"
162 Specifies arguments passed to the strip command when stripping binaries.
164 config STRIP_KERNEL_EXPORTS
165 bool "Strip unnecessary exports from the kernel image"
167 Reduces kernel size by stripping unused kernel exports from the kernel
168 image. Note that this might make the kernel incompatible with any kernel
169 modules that were not selected at the time the kernel image was created.
172 bool "Strip unnecessary functions from libraries"
174 Reduces libraries to only those functions that are necessary for using all
175 selected packages (including those selected as <M>). Note that this will
176 make the system libraries incompatible with most of the packages that are
177 not selected during the build process.
180 prompt "Preferred standard C++ library"
181 default USE_LIBSTDCXX if USE_GLIBC
184 Select the preferred standard C++ library for all packages that support this.
193 comment "Hardening build options"
195 config PKG_CHECK_FORMAT_SECURITY
197 prompt "Enable gcc format-security"
200 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
201 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
206 prompt "User space ASLR PIE compilation"
207 select BUSYBOX_DEFAULT_PIE
210 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
211 This enables package build as Position Independent Executables (PIE)
212 to protect against "return-to-text" attacks. This belongs to the
213 feature of Address Space Layout Randomisation (ASLR), which is
214 implemented by the kernel and the ELF loader by randomising the
215 location of memory allocations. This makes memory addresses harder
216 to predict when an attacker is attempting a memory-corruption exploit.
217 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
221 prompt "User space Stack-Smashing Protection"
223 default PKG_CC_STACKPROTECTOR_REGULAR
225 Enable GCC Stack Smashing Protection (SSP) for userspace applications
226 config PKG_CC_STACKPROTECTOR_NONE
228 config PKG_CC_STACKPROTECTOR_REGULAR
230 select GCC_LIBSSP if !USE_MUSL
231 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
232 config PKG_CC_STACKPROTECTOR_STRONG
234 select GCC_LIBSSP if !USE_MUSL
235 depends on !GCC_VERSION_4_8
236 depends on KERNEL_CC_STACKPROTECTOR_STRONG
240 prompt "Kernel space Stack-Smashing Protection"
241 default KERNEL_CC_STACKPROTECTOR_REGULAR
242 depends on USE_MUSL || !(x86_64 || i386)
244 Enable GCC Stack-Smashing Protection (SSP) for the kernel
245 config KERNEL_CC_STACKPROTECTOR_NONE
247 config KERNEL_CC_STACKPROTECTOR_REGULAR
249 config KERNEL_CC_STACKPROTECTOR_STRONG
250 depends on !GCC_VERSION_4_8
254 config KERNEL_STACKPROTECTOR
256 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
258 config KERNEL_STACKPROTECTOR_STRONG
260 default KERNEL_CC_STACKPROTECTOR_STRONG
263 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
264 default PKG_FORTIFY_SOURCE_1
266 Enable the _FORTIFY_SOURCE macro which introduces additional
267 checks to detect buffer-overflows in the following standard library
268 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
269 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
270 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
271 checks that shouldn't change the behavior of conforming programs,
272 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
273 added, but some conforming programs might fail.
274 config PKG_FORTIFY_SOURCE_NONE
276 config PKG_FORTIFY_SOURCE_1
278 config PKG_FORTIFY_SOURCE_2
283 prompt "Enable RELRO protection"
284 default PKG_RELRO_FULL
286 Enable a link-time protection known as RELRO (Relocation Read Only)
287 which helps to protect from certain type of exploitation techniques
288 altering the content of some ELF sections. "Partial" RELRO makes the
289 .dynamic section not writeable after initialization, introducing
290 almost no performance penalty, while "full" RELRO also marks the GOT
291 as read-only at the cost of initializing all of it at startup.
292 config PKG_RELRO_NONE
294 config PKG_RELRO_PARTIAL
296 config PKG_RELRO_FULL