1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
10 config JSON_OVERVIEW_IMAGE_INFO
11 bool "Create JSON info file overview per target"
14 Create a JSON info file called profiles.json in the target
15 directory containing machine readable list of built profiles
19 bool "Select all target specific packages by default"
24 bool "Select all kernel module packages by default"
27 bool "Select all userspace packages by default"
32 bool "Set build defaults for automatic builds (e.g. via buildbot)"
35 This option changes several defaults to be more suitable for
36 automatic builds. This includes the following changes:
37 - Deleting build directories after compiling (to save space)
38 - Enabling per-device rootfs support
41 config SIGNED_PACKAGES
42 bool "Cryptographically signed package lists"
45 config SIGNATURE_CHECK
46 bool "Enable signature checking in opkg"
47 default SIGNED_PACKAGES
49 comment "General build options"
52 bool "Use the testing kernel version"
53 depends on HAS_TESTING_KERNEL
56 If the target supports a newer kernel version than the default,
57 you can use this config option to enable it
60 config DISPLAY_SUPPORT
61 bool "Show packages that require graphics support (local or remote)"
66 bool "Compile with support for patented functionality"
68 When this option is disabled, software which provides patented functionality
69 will not be built. In case software provides optional support for patented
70 functionality, this optional support will get disabled for this package.
74 bool "Compile with full language support"
76 When this option is enabled, packages are built with the full versions of
77 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
78 used, it is also built with locale support.
80 config SHADOW_PASSWORDS
86 prompt "Remove ipkg/opkg status data files in final images"
89 This removes all ipkg/opkg status data files from the target directory
90 before building the root filesystem.
92 config IPK_FILES_CHECKSUMS
94 prompt "Record files checksums in package metadata"
97 This makes file checksums part of package metadata. It increases size
98 but provides you with pkg_check command to check for flash coruptions.
100 config INCLUDE_CONFIG
101 bool "Include build configuration in firmware" if DEVEL
104 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
106 config COLLECT_KERNEL_DEBUG
108 prompt "Collect kernel debug information"
109 select KERNEL_DEBUG_INFO
112 This collects debugging symbols from the kernel and all compiled modules.
113 Useful for release builds, so that kernel issues can be debugged offline
116 menu "Kernel build options"
118 source "config/Config-kernel.in"
122 comment "Package build options"
126 prompt "Compile packages with debugging info"
129 Adds -g3 to the CFLAGS.
133 prompt "Enable IPv6 support in packages"
136 Enables IPv6 support in kernel (builtin) and packages.
138 comment "Stripping options"
141 prompt "Binary stripping method"
142 default USE_STRIP if EXTERNAL_TOOLCHAIN
143 default USE_STRIP if USE_GLIBC
146 Select the binary stripping method you wish to use.
151 This will install unstripped binaries (useful for native
152 compiling/debugging).
157 This will install binaries stripped using strip from binutils.
162 depends on !USE_GLIBC
164 This will install binaries stripped using sstrip.
169 prompt "Strip arguments"
171 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
172 default "--strip-all"
174 Specifies arguments passed to the strip command when stripping binaries.
176 config STRIP_KERNEL_EXPORTS
177 bool "Strip unnecessary exports from the kernel image"
179 Reduces kernel size by stripping unused kernel exports from the kernel
180 image. Note that this might make the kernel incompatible with any kernel
181 modules that were not selected at the time the kernel image was created.
184 bool "Strip unnecessary functions from libraries"
186 Reduces libraries to only those functions that are necessary for using all
187 selected packages (including those selected as <M>). Note that this will
188 make the system libraries incompatible with most of the packages that are
189 not selected during the build process.
192 prompt "Preferred standard C++ library"
193 default USE_LIBSTDCXX if USE_GLIBC
196 Select the preferred standard C++ library for all packages that support this.
203 depends on !USE_UCLIBC
209 comment "Hardening build options"
211 config PKG_CHECK_FORMAT_SECURITY
213 prompt "Enable gcc format-security"
216 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
217 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
221 prompt "User space ASLR PIE compilation"
222 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
223 default PKG_ASLR_PIE_REGULAR
225 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
226 This enables package build as Position Independent Executables (PIE)
227 to protect against "return-to-text" attacks. This belongs to the
228 feature of Address Space Layout Randomisation (ASLR), which is
229 implemented by the kernel and the ELF loader by randomising the
230 location of memory allocations. This makes memory addresses harder
231 to predict when an attacker is attempting a memory-corruption exploit.
232 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
234 Be ware that ASLR increases the binary size.
235 config PKG_ASLR_PIE_NONE
238 PIE is deactivated for all applications
239 config PKG_ASLR_PIE_REGULAR
242 PIE is activated for some binaries, mostly network exposed applications
243 config PKG_ASLR_PIE_ALL
245 select BUSYBOX_DEFAULT_PIE
247 PIE is activated for all applications
251 prompt "User space Stack-Smashing Protection"
253 default PKG_CC_STACKPROTECTOR_REGULAR
255 Enable GCC Stack Smashing Protection (SSP) for userspace applications
256 config PKG_CC_STACKPROTECTOR_NONE
258 config PKG_CC_STACKPROTECTOR_REGULAR
260 select GCC_LIBSSP if !USE_MUSL
261 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
262 config PKG_CC_STACKPROTECTOR_STRONG
264 select GCC_LIBSSP if !USE_MUSL
265 depends on KERNEL_CC_STACKPROTECTOR_STRONG
269 prompt "Kernel space Stack-Smashing Protection"
270 default KERNEL_CC_STACKPROTECTOR_REGULAR
271 depends on USE_MUSL || !(x86_64 || i386)
273 Enable GCC Stack-Smashing Protection (SSP) for the kernel
274 config KERNEL_CC_STACKPROTECTOR_NONE
276 config KERNEL_CC_STACKPROTECTOR_REGULAR
278 config KERNEL_CC_STACKPROTECTOR_STRONG
282 config KERNEL_STACKPROTECTOR
284 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
286 config KERNEL_STACKPROTECTOR_STRONG
288 default KERNEL_CC_STACKPROTECTOR_STRONG
291 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
292 default PKG_FORTIFY_SOURCE_1
294 Enable the _FORTIFY_SOURCE macro which introduces additional
295 checks to detect buffer-overflows in the following standard library
296 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
297 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
298 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
299 checks that shouldn't change the behavior of conforming programs,
300 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
301 added, but some conforming programs might fail.
302 config PKG_FORTIFY_SOURCE_NONE
304 config PKG_FORTIFY_SOURCE_1
306 config PKG_FORTIFY_SOURCE_2
311 prompt "Enable RELRO protection"
312 default PKG_RELRO_FULL
314 Enable a link-time protection known as RELRO (Relocation Read Only)
315 which helps to protect from certain type of exploitation techniques
316 altering the content of some ELF sections. "Partial" RELRO makes the
317 .dynamic section not writeable after initialization, introducing
318 almost no performance penalty, while "full" RELRO also marks the GOT
319 as read-only at the cost of initializing all of it at startup.
320 config PKG_RELRO_NONE
322 config PKG_RELRO_PARTIAL
324 config PKG_RELRO_FULL