1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
10 config JSON_ADD_IMAGE_INFO
11 bool "Create JSON info files per build image"
14 The JSON info files contain information about the device and
15 build images, stored next to the firmware images.
18 bool "Select all target specific packages by default"
23 bool "Select all kernel module packages by default"
26 bool "Select all userspace packages by default"
31 bool "Set build defaults for automatic builds (e.g. via buildbot)"
34 This option changes several defaults to be more suitable for
35 automatic builds. This includes the following changes:
36 - Deleting build directories after compiling (to save space)
37 - Enabling per-device rootfs support
40 config SIGNED_PACKAGES
41 bool "Cryptographically signed package lists"
44 config SIGNATURE_CHECK
45 bool "Enable signature checking in opkg"
46 default SIGNED_PACKAGES
48 comment "General build options"
51 bool "Use the testing kernel version"
52 depends on HAS_TESTING_KERNEL
55 If the target supports a newer kernel version than the default,
56 you can use this config option to enable it
59 config DISPLAY_SUPPORT
60 bool "Show packages that require graphics support (local or remote)"
65 bool "Compile with support for patented functionality"
67 When this option is disabled, software which provides patented functionality
68 will not be built. In case software provides optional support for patented
69 functionality, this optional support will get disabled for this package.
73 bool "Compile with full language support"
75 When this option is enabled, packages are built with the full versions of
76 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
77 used, it is also built with locale support.
79 config SHADOW_PASSWORDS
85 prompt "Remove ipkg/opkg status data files in final images"
88 This removes all ipkg/opkg status data files from the target directory
89 before building the root filesystem.
91 config IPK_FILES_CHECKSUMS
93 prompt "Record files checksums in package metadata"
96 This makes file checksums part of package metadata. It increases size
97 but provides you with pkg_check command to check for flash coruptions.
100 bool "Include build configuration in firmware" if DEVEL
103 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
105 config COLLECT_KERNEL_DEBUG
107 prompt "Collect kernel debug information"
108 select KERNEL_DEBUG_INFO
111 This collects debugging symbols from the kernel and all compiled modules.
112 Useful for release builds, so that kernel issues can be debugged offline
115 menu "Kernel build options"
117 source "config/Config-kernel.in"
121 comment "Package build options"
125 prompt "Compile packages with debugging info"
128 Adds -g3 to the CFLAGS.
132 prompt "Enable IPv6 support in packages"
135 Enables IPv6 support in kernel (builtin) and packages.
137 comment "Stripping options"
140 prompt "Binary stripping method"
141 default USE_STRIP if EXTERNAL_TOOLCHAIN
142 default USE_STRIP if USE_GLIBC
145 Select the binary stripping method you wish to use.
150 This will install unstripped binaries (useful for native
151 compiling/debugging).
156 This will install binaries stripped using strip from binutils.
161 depends on !USE_GLIBC
163 This will install binaries stripped using sstrip.
168 prompt "Strip arguments"
170 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
171 default "--strip-all"
173 Specifies arguments passed to the strip command when stripping binaries.
175 config STRIP_KERNEL_EXPORTS
176 bool "Strip unnecessary exports from the kernel image"
178 Reduces kernel size by stripping unused kernel exports from the kernel
179 image. Note that this might make the kernel incompatible with any kernel
180 modules that were not selected at the time the kernel image was created.
183 bool "Strip unnecessary functions from libraries"
185 Reduces libraries to only those functions that are necessary for using all
186 selected packages (including those selected as <M>). Note that this will
187 make the system libraries incompatible with most of the packages that are
188 not selected during the build process.
191 prompt "Preferred standard C++ library"
192 default USE_LIBSTDCXX if USE_GLIBC
195 Select the preferred standard C++ library for all packages that support this.
202 depends on !USE_UCLIBC
208 comment "Hardening build options"
210 config PKG_CHECK_FORMAT_SECURITY
212 prompt "Enable gcc format-security"
215 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
216 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
220 prompt "User space ASLR PIE compilation"
221 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
222 default PKG_ASLR_PIE_REGULAR
224 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
225 This enables package build as Position Independent Executables (PIE)
226 to protect against "return-to-text" attacks. This belongs to the
227 feature of Address Space Layout Randomisation (ASLR), which is
228 implemented by the kernel and the ELF loader by randomising the
229 location of memory allocations. This makes memory addresses harder
230 to predict when an attacker is attempting a memory-corruption exploit.
231 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
233 Be ware that ASLR increases the binary size.
234 config PKG_ASLR_PIE_NONE
237 PIE is deactivated for all applications
238 config PKG_ASLR_PIE_REGULAR
241 PIE is activated for some binaries, mostly network exposed applications
242 config PKG_ASLR_PIE_ALL
244 select BUSYBOX_DEFAULT_PIE
246 PIE is activated for all applications
250 prompt "User space Stack-Smashing Protection"
252 default PKG_CC_STACKPROTECTOR_REGULAR
254 Enable GCC Stack Smashing Protection (SSP) for userspace applications
255 config PKG_CC_STACKPROTECTOR_NONE
257 config PKG_CC_STACKPROTECTOR_REGULAR
259 select GCC_LIBSSP if !USE_MUSL
260 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
261 config PKG_CC_STACKPROTECTOR_STRONG
263 select GCC_LIBSSP if !USE_MUSL
264 depends on KERNEL_CC_STACKPROTECTOR_STRONG
268 prompt "Kernel space Stack-Smashing Protection"
269 default KERNEL_CC_STACKPROTECTOR_REGULAR
270 depends on USE_MUSL || !(x86_64 || i386)
272 Enable GCC Stack-Smashing Protection (SSP) for the kernel
273 config KERNEL_CC_STACKPROTECTOR_NONE
275 config KERNEL_CC_STACKPROTECTOR_REGULAR
277 config KERNEL_CC_STACKPROTECTOR_STRONG
281 config KERNEL_STACKPROTECTOR
283 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
285 config KERNEL_STACKPROTECTOR_STRONG
287 default KERNEL_CC_STACKPROTECTOR_STRONG
290 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
291 default PKG_FORTIFY_SOURCE_1
293 Enable the _FORTIFY_SOURCE macro which introduces additional
294 checks to detect buffer-overflows in the following standard library
295 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
296 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
297 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
298 checks that shouldn't change the behavior of conforming programs,
299 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
300 added, but some conforming programs might fail.
301 config PKG_FORTIFY_SOURCE_NONE
303 config PKG_FORTIFY_SOURCE_1
305 config PKG_FORTIFY_SOURCE_2
310 prompt "Enable RELRO protection"
311 default PKG_RELRO_FULL
313 Enable a link-time protection known as RELRO (Relocation Read Only)
314 which helps to protect from certain type of exploitation techniques
315 altering the content of some ELF sections. "Partial" RELRO makes the
316 .dynamic section not writeable after initialization, introducing
317 almost no performance penalty, while "full" RELRO also marks the GOT
318 as read-only at the cost of initializing all of it at startup.
319 config PKG_RELRO_NONE
321 config PKG_RELRO_PARTIAL
323 config PKG_RELRO_FULL