projects / openwrt / openwrt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
build: add hardened builds with PIE (ASLR) support
[openwrt/openwrt.git] / config / Config-build.in
1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 menu "Global build settings"
9
10 config ALL_NONSHARED
11 bool "Select all target specific packages by default"
12 select ALL_KMODS
13 default BUILDBOT
14
15 config ALL_KMODS
16 bool "Select all kernel module packages by default"
17
18 config ALL
19 bool "Select all userspace packages by default"
20 select ALL_KMODS
21 select ALL_NONSHARED
22
23 config BUILDBOT
24 bool "Set build defaults for automatic builds (e.g. via buildbot)"
25 default n
26 help
27 This option changes several defaults to be more suitable for
28 automatic builds. This includes the following changes:
29 - Deleting build directories after compiling (to save space)
30 - Enabling per-device rootfs support
31 ...
32
33 config SIGNED_PACKAGES
34 bool "Cryptographically signed package lists"
35 default y
36
37 comment "General build options"
38
39 config DISPLAY_SUPPORT
40 bool "Show packages that require graphics support (local or remote)"
41 default n
42
43 config BUILD_PATENTED
44 default n
45 bool "Compile with support for patented functionality"
46 help
47 When this option is disabled, software which provides patented functionality
48 will not be built. In case software provides optional support for patented
49 functionality, this optional support will get disabled for this package.
50
51 config BUILD_NLS
52 default n
53 bool "Compile with full language support"
54 help
55 When this option is enabled, packages are built with the full versions of
56 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
57 used, it is also built with locale support.
58
59 config SHADOW_PASSWORDS
60 bool
61 default y
62
63 config CLEAN_IPKG
64 bool
65 prompt "Remove ipkg/opkg status data files in final images"
66 default n
67 help
68 This removes all ipkg/opkg status data files from the target directory
69 before building the root filesystem.
70
71 config INCLUDE_CONFIG
72 bool "Include build configuration in firmware" if DEVEL
73 default n
74 help
75 If enabled, config.seed will be stored in /etc/build.config of firmware.
76
77 config COLLECT_KERNEL_DEBUG
78 bool
79 prompt "Collect kernel debug information"
80 select KERNEL_DEBUG_INFO
81 default BUILDBOT
82 help
83 This collects debugging symbols from the kernel and all compiled modules.
84 Useful for release builds, so that kernel issues can be debugged offline
85 later.
86
87 menu "Kernel build options"
88
89 source "config/Config-kernel.in"
90
91 endmenu
92
93 comment "Package build options"
94
95 config DEBUG
96 bool
97 prompt "Compile packages with debugging info"
98 default n
99 help
100 Adds -g3 to the CFLAGS.
101
102 config IPV6
103 bool
104 prompt "Enable IPv6 support in packages"
105 default y
106 help
107 Enables IPv6 support in kernel (builtin) and packages.
108
109 comment "Stripping options"
110
111 choice
112 prompt "Binary stripping method"
113 default USE_STRIP if EXTERNAL_TOOLCHAIN
114 default USE_STRIP if USE_GLIBC
115 default USE_SSTRIP
116 help
117 Select the binary stripping method you wish to use.
118
119 config NO_STRIP
120 bool "none"
121 help
122 This will install unstripped binaries (useful for native
123 compiling/debugging).
124
125 config USE_STRIP
126 bool "strip"
127 help
128 This will install binaries stripped using strip from binutils.
129
130
131 config USE_SSTRIP
132 bool "sstrip"
133 depends on !USE_GLIBC
134 help
135 This will install binaries stripped using sstrip.
136 endchoice
137
138 config STRIP_ARGS
139 string
140 prompt "Strip arguments"
141 depends on USE_STRIP
142 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
143 default "--strip-all"
144 help
145 Specifies arguments passed to the strip command when stripping binaries.
146
147 config STRIP_KERNEL_EXPORTS
148 bool "Strip unnecessary exports from the kernel image"
149 help
150 Reduces kernel size by stripping unused kernel exports from the kernel
151 image. Note that this might make the kernel incompatible with any kernel
152 modules that were not selected at the time the kernel image was created.
153
154 config USE_MKLIBS
155 bool "Strip unnecessary functions from libraries"
156 help
157 Reduces libraries to only those functions that are necessary for using all
158 selected packages (including those selected as <M>). Note that this will
159 make the system libraries incompatible with most of the packages that are
160 not selected during the build process.
161
162 choice
163 prompt "Preferred standard C++ library"
164 default USE_LIBSTDCXX if USE_GLIBC
165 default USE_UCLIBCXX
166 help
167 Select the preferred standard C++ library for all packages that support this.
168
169 config USE_UCLIBCXX
170 bool "uClibc++"
171
172 config USE_LIBSTDCXX
173 bool "libstdc++"
174 endchoice
175
176 comment "Hardening build options"
177
178 config PKG_CHECK_FORMAT_SECURITY
179 bool
180 prompt "Enable gcc format-security"
181 default y
182 help
183 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
184 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
185 Makefile.
186
187 config PKG_ASLR_PIE
188 bool
189 prompt "User space ASLR PIE compilation"
190 select BUSYBOX_DEFAULT_PIE
191 default n
192 help
193 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
194 This enables package build as Position Independent Executables (PIE)
195 to protect against "return-to-text" attacks. This belongs to the
196 feature of Address Space Layout Randomisation (ASLR), which is
197 implemented by the kernel and the ELF loader by randomising the
198 location of memory allocations. This makes memory addresses harder
199 to predict when an attacker is attempting a memory-corruption exploit.
200 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
201 Makefile.
202
203 choice
204 prompt "User space Stack-Smashing Protection"
205 depends on USE_MUSL
206 default PKG_CC_STACKPROTECTOR_REGULAR
207 help
208 Enable GCC Stack Smashing Protection (SSP) for userspace applications
209 config PKG_CC_STACKPROTECTOR_NONE
210 bool "None"
211 config PKG_CC_STACKPROTECTOR_REGULAR
212 bool "Regular"
213 select SSP_SUPPORT if !USE_MUSL
214 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
215 config PKG_CC_STACKPROTECTOR_STRONG
216 bool "Strong"
217 select SSP_SUPPORT if !USE_MUSL
218 depends on !GCC_VERSION_4_8
219 depends on KERNEL_CC_STACKPROTECTOR_STRONG
220 endchoice
221
222 choice
223 prompt "Kernel space Stack-Smashing Protection"
224 default KERNEL_CC_STACKPROTECTOR_REGULAR
225 depends on USE_MUSL || !(x86_64 || i386)
226 help
227 Enable GCC Stack-Smashing Protection (SSP) for the kernel
228 config KERNEL_CC_STACKPROTECTOR_NONE
229 bool "None"
230 config KERNEL_CC_STACKPROTECTOR_REGULAR
231 bool "Regular"
232 config KERNEL_CC_STACKPROTECTOR_STRONG
233 depends on !GCC_VERSION_4_8
234 bool "Strong"
235 endchoice
236
237 choice
238 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
239 default PKG_FORTIFY_SOURCE_1
240 help
241 Enable the _FORTIFY_SOURCE macro which introduces additional
242 checks to detect buffer-overflows in the following standard library
243 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
244 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
245 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
246 checks that shouldn't change the behavior of conforming programs,
247 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
248 added, but some conforming programs might fail.
249 config PKG_FORTIFY_SOURCE_NONE
250 bool "None"
251 config PKG_FORTIFY_SOURCE_1
252 bool "Conservative"
253 config PKG_FORTIFY_SOURCE_2
254 bool "Aggressive"
255 endchoice
256
257 choice
258 prompt "Enable RELRO protection"
259 default PKG_RELRO_FULL
260 help
261 Enable a link-time protection known as RELRO (Relocation Read Only)
262 which helps to protect from certain type of exploitation techniques
263 altering the content of some ELF sections. "Partial" RELRO makes the
264 .dynamic section not writeable after initialization, introducing
265 almost no performance penalty, while "full" RELRO also marks the GOT
266 as read-only at the cost of initializing all of it at startup.
267 config PKG_RELRO_NONE
268 bool "None"
269 config PKG_RELRO_PARTIAL
270 bool "Partial"
271 config PKG_RELRO_FULL
272 bool "Full"
273 endchoice
274
275 endmenu
OpenWrt Source Repository