1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
11 bool "Select all target specific packages by default"
16 bool "Select all kernel module packages by default"
19 bool "Select all userspace packages by default"
24 bool "Set build defaults for automatic builds (e.g. via buildbot)"
27 This option changes several defaults to be more suitable for
28 automatic builds. This includes the following changes:
29 - Deleting build directories after compiling (to save space)
30 - Enabling per-device rootfs support
33 config SIGNED_PACKAGES
34 bool "Cryptographically signed package lists"
37 comment "General build options"
39 config DISPLAY_SUPPORT
40 bool "Show packages that require graphics support (local or remote)"
45 bool "Compile with support for patented functionality"
47 When this option is disabled, software which provides patented functionality
48 will not be built. In case software provides optional support for patented
49 functionality, this optional support will get disabled for this package.
53 bool "Compile with full language support"
55 When this option is enabled, packages are built with the full versions of
56 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
57 used, it is also built with locale support.
59 config SHADOW_PASSWORDS
65 prompt "Remove ipkg/opkg status data files in final images"
68 This removes all ipkg/opkg status data files from the target directory
69 before building the root filesystem.
71 config IPK_FILES_CHECKSUMS
73 prompt "Record files checksums in package metadata"
76 This makes file checksums part of package metadata. It increases size
77 but provides you with pkg_check command to check for flash coruptions.
80 bool "Include build configuration in firmware" if DEVEL
83 If enabled, config.seed will be stored in /etc/build.config of firmware.
85 config COLLECT_KERNEL_DEBUG
87 prompt "Collect kernel debug information"
88 select KERNEL_DEBUG_INFO
91 This collects debugging symbols from the kernel and all compiled modules.
92 Useful for release builds, so that kernel issues can be debugged offline
95 menu "Kernel build options"
97 source "config/Config-kernel.in"
101 comment "Package build options"
105 prompt "Compile packages with debugging info"
108 Adds -g3 to the CFLAGS.
112 prompt "Enable IPv6 support in packages"
115 Enables IPv6 support in kernel (builtin) and packages.
117 comment "Stripping options"
120 prompt "Binary stripping method"
121 default USE_STRIP if EXTERNAL_TOOLCHAIN
122 default USE_STRIP if USE_GLIBC
125 Select the binary stripping method you wish to use.
130 This will install unstripped binaries (useful for native
131 compiling/debugging).
136 This will install binaries stripped using strip from binutils.
141 depends on !USE_GLIBC
143 This will install binaries stripped using sstrip.
148 prompt "Strip arguments"
150 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
151 default "--strip-all"
153 Specifies arguments passed to the strip command when stripping binaries.
155 config STRIP_KERNEL_EXPORTS
156 bool "Strip unnecessary exports from the kernel image"
158 Reduces kernel size by stripping unused kernel exports from the kernel
159 image. Note that this might make the kernel incompatible with any kernel
160 modules that were not selected at the time the kernel image was created.
163 bool "Strip unnecessary functions from libraries"
165 Reduces libraries to only those functions that are necessary for using all
166 selected packages (including those selected as <M>). Note that this will
167 make the system libraries incompatible with most of the packages that are
168 not selected during the build process.
171 prompt "Preferred standard C++ library"
172 default USE_LIBSTDCXX if USE_GLIBC
175 Select the preferred standard C++ library for all packages that support this.
184 comment "Hardening build options"
186 config PKG_CHECK_FORMAT_SECURITY
188 prompt "Enable gcc format-security"
191 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
192 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
197 prompt "User space ASLR PIE compilation"
198 select BUSYBOX_DEFAULT_PIE
201 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
202 This enables package build as Position Independent Executables (PIE)
203 to protect against "return-to-text" attacks. This belongs to the
204 feature of Address Space Layout Randomisation (ASLR), which is
205 implemented by the kernel and the ELF loader by randomising the
206 location of memory allocations. This makes memory addresses harder
207 to predict when an attacker is attempting a memory-corruption exploit.
208 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
212 prompt "User space Stack-Smashing Protection"
214 default PKG_CC_STACKPROTECTOR_REGULAR
216 Enable GCC Stack Smashing Protection (SSP) for userspace applications
217 config PKG_CC_STACKPROTECTOR_NONE
219 config PKG_CC_STACKPROTECTOR_REGULAR
221 select GCC_LIBSSP if !USE_MUSL
222 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
223 config PKG_CC_STACKPROTECTOR_STRONG
225 select GCC_LIBSSP if !USE_MUSL
226 depends on !GCC_VERSION_4_8
227 depends on KERNEL_CC_STACKPROTECTOR_STRONG
231 prompt "Kernel space Stack-Smashing Protection"
232 default KERNEL_CC_STACKPROTECTOR_REGULAR
233 depends on USE_MUSL || !(x86_64 || i386)
235 Enable GCC Stack-Smashing Protection (SSP) for the kernel
236 config KERNEL_CC_STACKPROTECTOR_NONE
238 config KERNEL_CC_STACKPROTECTOR_REGULAR
240 config KERNEL_CC_STACKPROTECTOR_STRONG
241 depends on !GCC_VERSION_4_8
245 config KERNEL_STACKPROTECTOR
247 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
249 config KERNEL_STACKPROTECTOR_STRONG
251 default KERNEL_CC_STACKPROTECTOR_STRONG
254 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
255 default PKG_FORTIFY_SOURCE_1
257 Enable the _FORTIFY_SOURCE macro which introduces additional
258 checks to detect buffer-overflows in the following standard library
259 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
260 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
261 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
262 checks that shouldn't change the behavior of conforming programs,
263 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
264 added, but some conforming programs might fail.
265 config PKG_FORTIFY_SOURCE_NONE
267 config PKG_FORTIFY_SOURCE_1
269 config PKG_FORTIFY_SOURCE_2
274 prompt "Enable RELRO protection"
275 default PKG_RELRO_FULL
277 Enable a link-time protection known as RELRO (Relocation Read Only)
278 which helps to protect from certain type of exploitation techniques
279 altering the content of some ELF sections. "Partial" RELRO makes the
280 .dynamic section not writeable after initialization, introducing
281 almost no performance penalty, while "full" RELRO also marks the GOT
282 as read-only at the cost of initializing all of it at startup.
283 config PKG_RELRO_NONE
285 config PKG_RELRO_PARTIAL
287 config PKG_RELRO_FULL