1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
9 bool "Enable experimental features by default"
12 Set this option to build with latest bleeding edge features
13 which may or may not work as expected.
14 If you would like to help the development of OpenWrt, you are
15 encouraged to set this option and provide feedback (both
16 positive and negative). But do so only if you know how to
17 recover your device in case of flashing potentially non-working
20 If you plan to use this build in production, say NO!
22 menu "Global build settings"
24 config JSON_OVERVIEW_IMAGE_INFO
25 bool "Create JSON info file overview per target"
28 Create a JSON info file called profiles.json in the target
29 directory containing machine readable list of built profiles
33 bool "Select all target specific packages by default"
38 bool "Select all kernel module packages by default"
41 bool "Select all userspace packages by default"
46 bool "Set build defaults for automatic builds (e.g. via buildbot)"
49 This option changes several defaults to be more suitable for
50 automatic builds. This includes the following changes:
51 - Deleting build directories after compiling (to save space)
52 - Enabling per-device rootfs support
55 config SIGNED_PACKAGES
56 bool "Cryptographically signed package lists"
59 config SIGNATURE_CHECK
60 bool "Enable signature checking in opkg"
61 default SIGNED_PACKAGES
63 comment "General build options"
66 bool "Use the testing kernel version"
67 depends on HAS_TESTING_KERNEL
70 If the target supports a newer kernel version than the default,
71 you can use this config option to enable it
74 config DISPLAY_SUPPORT
75 bool "Show packages that require graphics support (local or remote)"
80 bool "Compile with support for patented functionality"
82 When this option is disabled, software which provides patented functionality
83 will not be built. In case software provides optional support for patented
84 functionality, this optional support will get disabled for this package.
88 bool "Compile with full language support"
90 When this option is enabled, packages are built with the full versions of
91 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
92 used, it is also built with locale support.
94 config SHADOW_PASSWORDS
100 prompt "Remove ipkg/opkg status data files in final images"
103 This removes all ipkg/opkg status data files from the target directory
104 before building the root filesystem.
106 config IPK_FILES_CHECKSUMS
108 prompt "Record files checksums in package metadata"
111 This makes file checksums part of package metadata. It increases size
112 but provides you with pkg_check command to check for flash coruptions.
114 config INCLUDE_CONFIG
115 bool "Include build configuration in firmware" if DEVEL
118 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
120 config REPRODUCIBLE_DEBUG_INFO
121 bool "Make debug information reproducible"
124 This strips the local build path out of debug information. This has the
125 advantage of making it reproducible, but the disadvantage of making local
126 debugging using ./scripts/remote-gdb harder, since the debug data will
127 no longer point to the full path on the build host.
129 config COLLECT_KERNEL_DEBUG
131 prompt "Collect kernel debug information"
132 select KERNEL_DEBUG_INFO
135 This collects debugging symbols from the kernel and all compiled modules.
136 Useful for release builds, so that kernel issues can be debugged offline
139 menu "Kernel build options"
141 source "config/Config-kernel.in"
145 comment "Package build options"
149 prompt "Compile packages with debugging info"
152 Adds -g3 to the CFLAGS.
156 prompt "Enable IPv6 support in packages"
159 Enables IPv6 support in kernel (builtin) and packages.
161 comment "Stripping options"
164 prompt "Binary stripping method"
165 default USE_STRIP if EXTERNAL_TOOLCHAIN
166 default USE_STRIP if USE_GLIBC
169 Select the binary stripping method you wish to use.
174 This will install unstripped binaries (useful for native
175 compiling/debugging).
180 This will install binaries stripped using strip from binutils.
185 depends on !USE_GLIBC
187 This will install binaries stripped using sstrip.
192 prompt "Strip arguments"
194 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
195 default "--strip-all"
197 Specifies arguments passed to the strip command when stripping binaries.
201 prompt "Sstrip arguments"
202 depends on USE_SSTRIP
205 Specifies arguments passed to the sstrip command when stripping binaries.
207 config STRIP_KERNEL_EXPORTS
208 bool "Strip unnecessary exports from the kernel image"
210 Reduces kernel size by stripping unused kernel exports from the kernel
211 image. Note that this might make the kernel incompatible with any kernel
212 modules that were not selected at the time the kernel image was created.
215 bool "Strip unnecessary functions from libraries"
217 Reduces libraries to only those functions that are necessary for using all
218 selected packages (including those selected as <M>). Note that this will
219 make the system libraries incompatible with most of the packages that are
220 not selected during the build process.
223 prompt "Preferred standard C++ library"
224 default USE_LIBSTDCXX if USE_GLIBC
227 Select the preferred standard C++ library for all packages that support this.
236 comment "Hardening build options"
238 config PKG_CHECK_FORMAT_SECURITY
240 prompt "Enable gcc format-security"
243 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
244 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
248 prompt "User space ASLR PIE compilation"
249 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
250 default PKG_ASLR_PIE_REGULAR
252 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
253 This enables package build as Position Independent Executables (PIE)
254 to protect against "return-to-text" attacks. This belongs to the
255 feature of Address Space Layout Randomisation (ASLR), which is
256 implemented by the kernel and the ELF loader by randomising the
257 location of memory allocations. This makes memory addresses harder
258 to predict when an attacker is attempting a memory-corruption exploit.
259 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
261 Be ware that ASLR increases the binary size.
262 config PKG_ASLR_PIE_NONE
265 PIE is deactivated for all applications
266 config PKG_ASLR_PIE_REGULAR
269 PIE is activated for some binaries, mostly network exposed applications
270 config PKG_ASLR_PIE_ALL
272 select BUSYBOX_DEFAULT_PIE
274 PIE is activated for all applications
278 prompt "User space Stack-Smashing Protection"
279 default PKG_CC_STACKPROTECTOR_REGULAR
281 Enable GCC Stack Smashing Protection (SSP) for userspace applications
282 config PKG_CC_STACKPROTECTOR_NONE
284 config PKG_CC_STACKPROTECTOR_REGULAR
286 config PKG_CC_STACKPROTECTOR_STRONG
291 prompt "Kernel space Stack-Smashing Protection"
292 default KERNEL_CC_STACKPROTECTOR_REGULAR
294 Enable GCC Stack-Smashing Protection (SSP) for the kernel
295 config KERNEL_CC_STACKPROTECTOR_NONE
297 config KERNEL_CC_STACKPROTECTOR_REGULAR
299 config KERNEL_CC_STACKPROTECTOR_STRONG
303 config KERNEL_STACKPROTECTOR
305 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
307 config KERNEL_STACKPROTECTOR_STRONG
309 default KERNEL_CC_STACKPROTECTOR_STRONG
312 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
313 default PKG_FORTIFY_SOURCE_1
315 Enable the _FORTIFY_SOURCE macro which introduces additional
316 checks to detect buffer-overflows in the following standard library
317 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
318 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
319 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
320 checks that shouldn't change the behavior of conforming programs,
321 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
322 added, but some conforming programs might fail.
323 config PKG_FORTIFY_SOURCE_NONE
325 config PKG_FORTIFY_SOURCE_1
327 config PKG_FORTIFY_SOURCE_2
332 prompt "Enable RELRO protection"
333 default PKG_RELRO_FULL
335 Enable a link-time protection known as RELRO (Relocation Read Only)
336 which helps to protect from certain type of exploitation techniques
337 altering the content of some ELF sections. "Partial" RELRO makes the
338 .dynamic section not writeable after initialization, introducing
339 almost no performance penalty, while "full" RELRO also marks the GOT
340 as read-only at the cost of initializing all of it at startup.
341 config PKG_RELRO_NONE
343 config PKG_RELRO_PARTIAL
345 config PKG_RELRO_FULL
349 config TARGET_ROOTFS_SECURITY_LABELS
351 select KERNEL_SQUASHFS_XATTR
352 select KERNEL_EXT4_FS_SECURITY
353 select KERNEL_F2FS_FS_SECURITY
354 select KERNEL_UBIFS_FS_SECURITY
355 select KERNEL_JFFS2_FS_SECURITY
358 bool "Enable SELinux"
359 select KERNEL_SECURITY_SELINUX
360 select TARGET_ROOTFS_SECURITY_LABELS
361 select PACKAGE_procd-selinux
362 select PACKAGE_busybox-selinux
364 This option enables SELinux kernel features, applies security labels
365 in squashfs rootfs and selects the selinux-variants of busybox and procd.
367 Selecting this option results in about 0.5MiB of additional flash space
368 usage accounting for increased kernel and rootfs size.
371 prompt "default SELinux type"
372 depends on TARGET_ROOTFS_SECURITY_LABELS
373 default SELINUXTYPE_dssp
375 Select SELinux policy to be installed and used for applying rootfs labels.
377 config SELINUXTYPE_targeted
379 select PACKAGE_refpolicy
381 SELinux Reference Policy (refpolicy)
383 config SELINUXTYPE_dssp
385 select PACKAGE_selinux-policy
387 Defensec SELinux Security Policy -- OpenWrt edition