1 # SPDX-License-Identifier: GPL-2.0-only
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
7 bool "Enable experimental features by default"
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
17 If you plan to use this build in production, say NO!
19 menu "Global build settings"
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
30 bool "Select all target specific packages by default"
35 bool "Select all kernel module packages by default"
38 bool "Select all userspace packages by default"
43 bool "Set build defaults for automatic builds (e.g. via buildbot)"
45 This option changes several defaults to be more suitable for
46 automatic builds. This includes the following changes:
47 - Deleting build directories after compiling (to save space)
48 - Enabling per-device rootfs support
51 config SIGNED_PACKAGES
52 bool "Cryptographically signed package lists"
55 config SIGNATURE_CHECK
56 bool "Enable signature checking in opkg"
57 default SIGNED_PACKAGES
59 config DOWNLOAD_CHECK_CERTIFICATE
60 bool "Enable TLS certificate verification during package download"
63 comment "General build options"
66 bool "Use the testing kernel version"
67 depends on HAS_TESTING_KERNEL
70 If the target supports a newer kernel version than the default,
71 you can use this config option to enable it
74 config DISPLAY_SUPPORT
75 bool "Show packages that require graphics support (local or remote)"
78 bool "Compile with support for patented functionality"
80 When this option is disabled, software which provides patented functionality
81 will not be built. In case software provides optional support for patented
82 functionality, this optional support will get disabled for this package.
85 bool "Compile with full language support"
87 When this option is enabled, packages are built with the full versions of
88 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
89 used, it is also built with locale support.
91 config SHADOW_PASSWORDS
97 prompt "Remove ipkg/opkg status data files in final images"
99 This removes all ipkg/opkg status data files from the target directory
100 before building the root filesystem.
102 config IPK_FILES_CHECKSUMS
104 prompt "Record files checksums in package metadata"
106 This makes file checksums part of package metadata. It increases size
107 but provides you with pkg_check command to check for flash corruptions.
109 config INCLUDE_CONFIG
110 bool "Include build configuration in firmware" if DEVEL
112 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
114 config REPRODUCIBLE_DEBUG_INFO
115 bool "Make debug information reproducible"
118 This strips the local build path out of debug information. This has the
119 advantage of making it reproducible, but the disadvantage of making local
120 debugging using ./scripts/remote-gdb harder, since the debug data will
121 no longer point to the full path on the build host.
123 config COLLECT_KERNEL_DEBUG
125 prompt "Collect kernel debug information"
126 select KERNEL_DEBUG_INFO
129 This collects debugging symbols from the kernel and all compiled modules.
130 Useful for release builds, so that kernel issues can be debugged offline
133 menu "Kernel build options"
135 source "config/Config-kernel.in"
139 comment "Package build options"
143 prompt "Compile packages with debugging info"
145 Adds -g3 to the CFLAGS.
150 comment "Stripping options"
153 prompt "Binary stripping method"
154 default USE_STRIP if USE_GLIBC
157 Select the binary stripping method you wish to use.
162 This will install unstripped binaries (useful for native
163 compiling/debugging).
168 This will install binaries stripped using strip from binutils.
173 depends on !USE_GLIBC
175 This will install binaries stripped using sstrip.
180 prompt "Strip arguments"
182 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
183 default "--strip-all"
185 Specifies arguments passed to the strip command when stripping binaries.
189 prompt "Sstrip arguments"
190 depends on USE_SSTRIP
193 Specifies arguments passed to the sstrip command when stripping binaries.
195 config STRIP_KERNEL_EXPORTS
196 bool "Strip unnecessary exports from the kernel image"
198 Reduces kernel size by stripping unused kernel exports from the kernel
199 image. Note that this might make the kernel incompatible with any kernel
200 modules that were not selected at the time the kernel image was created.
203 bool "Strip unnecessary functions from libraries"
205 Reduces libraries to only those functions that are necessary for using all
206 selected packages (including those selected as <M>). Note that this will
207 make the system libraries incompatible with most of the packages that are
208 not selected during the build process.
210 comment "Hardening build options"
212 config PKG_CHECK_FORMAT_SECURITY
214 prompt "Enable gcc format-security"
217 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
218 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
222 prompt "User space ASLR PIE compilation"
223 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
224 default PKG_ASLR_PIE_REGULAR
226 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
227 This enables package build as Position Independent Executables (PIE)
228 to protect against "return-to-text" attacks. This belongs to the
229 feature of Address Space Layout Randomisation (ASLR), which is
230 implemented by the kernel and the ELF loader by randomising the
231 location of memory allocations. This makes memory addresses harder
232 to predict when an attacker is attempting a memory-corruption exploit.
233 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
235 Be ware that ASLR increases the binary size.
236 config PKG_ASLR_PIE_NONE
239 PIE is deactivated for all applications
240 config PKG_ASLR_PIE_REGULAR
243 PIE is activated for some binaries, mostly network exposed applications
244 config PKG_ASLR_PIE_ALL
246 select BUSYBOX_DEFAULT_PIE
248 PIE is activated for all applications
252 prompt "User space Stack-Smashing Protection"
253 default PKG_CC_STACKPROTECTOR_REGULAR
255 Enable GCC Stack Smashing Protection (SSP) for userspace applications
256 config PKG_CC_STACKPROTECTOR_NONE
258 config PKG_CC_STACKPROTECTOR_REGULAR
260 config PKG_CC_STACKPROTECTOR_STRONG
265 prompt "Kernel space Stack-Smashing Protection"
266 default KERNEL_CC_STACKPROTECTOR_REGULAR
268 Enable GCC Stack-Smashing Protection (SSP) for the kernel
269 config KERNEL_CC_STACKPROTECTOR_NONE
271 config KERNEL_CC_STACKPROTECTOR_REGULAR
273 config KERNEL_CC_STACKPROTECTOR_STRONG
277 config KERNEL_STACKPROTECTOR
279 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
281 config KERNEL_STACKPROTECTOR_STRONG
283 default KERNEL_CC_STACKPROTECTOR_STRONG
286 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
287 default PKG_FORTIFY_SOURCE_1
289 Enable the _FORTIFY_SOURCE macro which introduces additional
290 checks to detect buffer-overflows in the following standard library
291 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
292 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
293 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
294 checks that shouldn't change the behavior of conforming programs,
295 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
296 added, but some conforming programs might fail.
297 config PKG_FORTIFY_SOURCE_NONE
299 config PKG_FORTIFY_SOURCE_1
301 config PKG_FORTIFY_SOURCE_2
306 prompt "Enable RELRO protection"
307 default PKG_RELRO_FULL
309 Enable a link-time protection known as RELRO (Relocation Read Only)
310 which helps to protect from certain type of exploitation techniques
311 altering the content of some ELF sections. "Partial" RELRO makes the
312 .dynamic section not writeable after initialization, introducing
313 almost no performance penalty, while "full" RELRO also marks the GOT
314 as read-only at the cost of initializing all of it at startup.
315 config PKG_RELRO_NONE
317 config PKG_RELRO_PARTIAL
319 config PKG_RELRO_FULL
323 config TARGET_ROOTFS_SECURITY_LABELS
325 select KERNEL_SQUASHFS_XATTR
326 select KERNEL_EXT4_FS_SECURITY
327 select KERNEL_F2FS_FS_SECURITY
328 select KERNEL_UBIFS_FS_SECURITY
329 select KERNEL_JFFS2_FS_SECURITY
332 bool "Enable SELinux"
333 select KERNEL_SECURITY_SELINUX
334 select TARGET_ROOTFS_SECURITY_LABELS
335 select PACKAGE_procd-selinux
336 select PACKAGE_busybox-selinux
338 This option enables SELinux kernel features, applies security labels
339 in squashfs rootfs and selects the selinux-variants of busybox and procd.
341 Selecting this option results in about 0.5MiB of additional flash space
342 usage accounting for increased kernel and rootfs size.
345 prompt "default SELinux type"
346 depends on TARGET_ROOTFS_SECURITY_LABELS
347 default SELINUXTYPE_dssp
349 Select SELinux policy to be installed and used for applying rootfs labels.
351 config SELINUXTYPE_targeted
353 select PACKAGE_refpolicy
355 SELinux Reference Policy (refpolicy)
357 config SELINUXTYPE_dssp
359 select PACKAGE_selinux-policy
361 Defensec SELinux Security Policy -- OpenWrt edition
366 bool "Enable SECCOMP"
367 select KERNEL_SECCOMP
368 select PACKAGE_procd-seccomp
369 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
370 depends on !TARGET_uml
373 This option enables seccomp kernel features to safely
374 execute untrusted bytecode and selects the seccomp-variants