projects / openwrt / staging / pepe2k.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
bcm53xx: simplify patch adding switch ports
[openwrt/staging/pepe2k.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 default n
9 help
10 Set this option to build with latest bleeding edge features
11 which may or may not work as expected.
12 If you would like to help the development of OpenWrt, you are
13 encouraged to set this option and provide feedback (both
14 positive and negative). But do so only if you know how to
15 recover your device in case of flashing potentially non-working
16 firmware.
17
18 If you plan to use this build in production, say NO!
19
20 menu "Global build settings"
21
22 config JSON_OVERVIEW_IMAGE_INFO
23 bool "Create JSON info file overview per target"
24 default BUILDBOT
25 help
26 Create a JSON info file called profiles.json in the target
27 directory containing machine readable list of built profiles
28 and resulting images.
29
30 config ALL_NONSHARED
31 bool "Select all target specific packages by default"
32 select ALL_KMODS
33 default BUILDBOT
34
35 config ALL_KMODS
36 bool "Select all kernel module packages by default"
37
38 config ALL
39 bool "Select all userspace packages by default"
40 select ALL_KMODS
41 select ALL_NONSHARED
42
43 config BUILDBOT
44 bool "Set build defaults for automatic builds (e.g. via buildbot)"
45 default n
46 help
47 This option changes several defaults to be more suitable for
48 automatic builds. This includes the following changes:
49 - Deleting build directories after compiling (to save space)
50 - Enabling per-device rootfs support
51 ...
52
53 config SIGNED_PACKAGES
54 bool "Cryptographically signed package lists"
55 default y
56
57 config SIGNATURE_CHECK
58 bool "Enable signature checking in opkg"
59 default SIGNED_PACKAGES
60
61 config DOWNLOAD_CHECK_CERTIFICATE
62 bool "Enable TLS certificate verification during package download"
63 default y
64
65 comment "General build options"
66
67 config TESTING_KERNEL
68 bool "Use the testing kernel version"
69 depends on HAS_TESTING_KERNEL
70 default EXPERIMENTAL
71 help
72 If the target supports a newer kernel version than the default,
73 you can use this config option to enable it
74
75
76 config DISPLAY_SUPPORT
77 bool "Show packages that require graphics support (local or remote)"
78 default n
79
80 config BUILD_PATENTED
81 default n
82 bool "Compile with support for patented functionality"
83 help
84 When this option is disabled, software which provides patented functionality
85 will not be built. In case software provides optional support for patented
86 functionality, this optional support will get disabled for this package.
87
88 config BUILD_NLS
89 default n
90 bool "Compile with full language support"
91 help
92 When this option is enabled, packages are built with the full versions of
93 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
94 used, it is also built with locale support.
95
96 config SHADOW_PASSWORDS
97 bool
98 default y
99
100 config CLEAN_IPKG
101 bool
102 prompt "Remove ipkg/opkg status data files in final images"
103 default n
104 help
105 This removes all ipkg/opkg status data files from the target directory
106 before building the root filesystem.
107
108 config IPK_FILES_CHECKSUMS
109 bool
110 prompt "Record files checksums in package metadata"
111 default n
112 help
113 This makes file checksums part of package metadata. It increases size
114 but provides you with pkg_check command to check for flash coruptions.
115
116 config INCLUDE_CONFIG
117 bool "Include build configuration in firmware" if DEVEL
118 default n
119 help
120 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
121
122 config REPRODUCIBLE_DEBUG_INFO
123 bool "Make debug information reproducible"
124 default BUILDBOT
125 help
126 This strips the local build path out of debug information. This has the
127 advantage of making it reproducible, but the disadvantage of making local
128 debugging using ./scripts/remote-gdb harder, since the debug data will
129 no longer point to the full path on the build host.
130
131 config COLLECT_KERNEL_DEBUG
132 bool
133 prompt "Collect kernel debug information"
134 select KERNEL_DEBUG_INFO
135 default BUILDBOT
136 help
137 This collects debugging symbols from the kernel and all compiled modules.
138 Useful for release builds, so that kernel issues can be debugged offline
139 later.
140
141 menu "Kernel build options"
142
143 source "config/Config-kernel.in"
144
145 endmenu
146
147 comment "Package build options"
148
149 config DEBUG
150 bool
151 prompt "Compile packages with debugging info"
152 default n
153 help
154 Adds -g3 to the CFLAGS.
155
156 config IPV6
157 bool
158 prompt "Enable IPv6 support in packages"
159 default y
160 help
161 Enables IPv6 support in kernel (builtin) and packages.
162
163 comment "Stripping options"
164
165 choice
166 prompt "Binary stripping method"
167 default USE_STRIP if USE_GLIBC
168 default USE_SSTRIP
169 help
170 Select the binary stripping method you wish to use.
171
172 config NO_STRIP
173 bool "none"
174 help
175 This will install unstripped binaries (useful for native
176 compiling/debugging).
177
178 config USE_STRIP
179 bool "strip"
180 help
181 This will install binaries stripped using strip from binutils.
182
183
184 config USE_SSTRIP
185 bool "sstrip"
186 depends on !USE_GLIBC
187 help
188 This will install binaries stripped using sstrip.
189 endchoice
190
191 config STRIP_ARGS
192 string
193 prompt "Strip arguments"
194 depends on USE_STRIP
195 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
196 default "--strip-all"
197 help
198 Specifies arguments passed to the strip command when stripping binaries.
199
200 config SSTRIP_ARGS
201 string
202 prompt "Sstrip arguments"
203 depends on USE_SSTRIP
204 default "-z"
205 help
206 Specifies arguments passed to the sstrip command when stripping binaries.
207
208 config STRIP_KERNEL_EXPORTS
209 bool "Strip unnecessary exports from the kernel image"
210 help
211 Reduces kernel size by stripping unused kernel exports from the kernel
212 image. Note that this might make the kernel incompatible with any kernel
213 modules that were not selected at the time the kernel image was created.
214
215 config USE_MKLIBS
216 bool "Strip unnecessary functions from libraries"
217 help
218 Reduces libraries to only those functions that are necessary for using all
219 selected packages (including those selected as <M>). Note that this will
220 make the system libraries incompatible with most of the packages that are
221 not selected during the build process.
222
223 choice
224 prompt "Preferred standard C++ library"
225 default USE_LIBSTDCXX if USE_GLIBC
226 default USE_UCLIBCXX
227 help
228 Select the preferred standard C++ library for all packages that support this.
229
230 config USE_UCLIBCXX
231 bool "uClibc++"
232
233 config USE_LIBSTDCXX
234 bool "libstdc++"
235 endchoice
236
237 comment "Hardening build options"
238
239 config PKG_CHECK_FORMAT_SECURITY
240 bool
241 prompt "Enable gcc format-security"
242 default y
243 help
244 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
245 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
246 Makefile.
247
248 choice
249 prompt "User space ASLR PIE compilation"
250 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
251 default PKG_ASLR_PIE_REGULAR
252 help
253 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
254 This enables package build as Position Independent Executables (PIE)
255 to protect against "return-to-text" attacks. This belongs to the
256 feature of Address Space Layout Randomisation (ASLR), which is
257 implemented by the kernel and the ELF loader by randomising the
258 location of memory allocations. This makes memory addresses harder
259 to predict when an attacker is attempting a memory-corruption exploit.
260 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
261 Makefile.
262 Be ware that ASLR increases the binary size.
263 config PKG_ASLR_PIE_NONE
264 bool "None"
265 help
266 PIE is deactivated for all applications
267 config PKG_ASLR_PIE_REGULAR
268 bool "Regular"
269 help
270 PIE is activated for some binaries, mostly network exposed applications
271 config PKG_ASLR_PIE_ALL
272 bool "All"
273 select BUSYBOX_DEFAULT_PIE
274 help
275 PIE is activated for all applications
276 endchoice
277
278 choice
279 prompt "User space Stack-Smashing Protection"
280 default PKG_CC_STACKPROTECTOR_REGULAR
281 help
282 Enable GCC Stack Smashing Protection (SSP) for userspace applications
283 config PKG_CC_STACKPROTECTOR_NONE
284 bool "None"
285 config PKG_CC_STACKPROTECTOR_REGULAR
286 bool "Regular"
287 config PKG_CC_STACKPROTECTOR_STRONG
288 bool "Strong"
289 endchoice
290
291 choice
292 prompt "Kernel space Stack-Smashing Protection"
293 default KERNEL_CC_STACKPROTECTOR_REGULAR
294 help
295 Enable GCC Stack-Smashing Protection (SSP) for the kernel
296 config KERNEL_CC_STACKPROTECTOR_NONE
297 bool "None"
298 config KERNEL_CC_STACKPROTECTOR_REGULAR
299 bool "Regular"
300 config KERNEL_CC_STACKPROTECTOR_STRONG
301 bool "Strong"
302 endchoice
303
304 config KERNEL_STACKPROTECTOR
305 bool
306 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
307
308 config KERNEL_STACKPROTECTOR_STRONG
309 bool
310 default KERNEL_CC_STACKPROTECTOR_STRONG
311
312 choice
313 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
314 default PKG_FORTIFY_SOURCE_1
315 help
316 Enable the _FORTIFY_SOURCE macro which introduces additional
317 checks to detect buffer-overflows in the following standard library
318 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
319 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
320 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
321 checks that shouldn't change the behavior of conforming programs,
322 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
323 added, but some conforming programs might fail.
324 config PKG_FORTIFY_SOURCE_NONE
325 bool "None"
326 config PKG_FORTIFY_SOURCE_1
327 bool "Conservative"
328 config PKG_FORTIFY_SOURCE_2
329 bool "Aggressive"
330 endchoice
331
332 choice
333 prompt "Enable RELRO protection"
334 default PKG_RELRO_FULL
335 help
336 Enable a link-time protection known as RELRO (Relocation Read Only)
337 which helps to protect from certain type of exploitation techniques
338 altering the content of some ELF sections. "Partial" RELRO makes the
339 .dynamic section not writeable after initialization, introducing
340 almost no performance penalty, while "full" RELRO also marks the GOT
341 as read-only at the cost of initializing all of it at startup.
342 config PKG_RELRO_NONE
343 bool "None"
344 config PKG_RELRO_PARTIAL
345 bool "Partial"
346 config PKG_RELRO_FULL
347 bool "Full"
348 endchoice
349
350 config TARGET_ROOTFS_SECURITY_LABELS
351 bool
352 select KERNEL_SQUASHFS_XATTR
353 select KERNEL_EXT4_FS_SECURITY
354 select KERNEL_F2FS_FS_SECURITY
355 select KERNEL_UBIFS_FS_SECURITY
356 select KERNEL_JFFS2_FS_SECURITY
357
358 config SELINUX
359 bool "Enable SELinux"
360 select KERNEL_SECURITY_SELINUX
361 select TARGET_ROOTFS_SECURITY_LABELS
362 select PACKAGE_procd-selinux
363 select PACKAGE_busybox-selinux
364 help
365 This option enables SELinux kernel features, applies security labels
366 in squashfs rootfs and selects the selinux-variants of busybox and procd.
367
368 Selecting this option results in about 0.5MiB of additional flash space
369 usage accounting for increased kernel and rootfs size.
370
371 choice
372 prompt "default SELinux type"
373 depends on TARGET_ROOTFS_SECURITY_LABELS
374 default SELINUXTYPE_dssp
375 help
376 Select SELinux policy to be installed and used for applying rootfs labels.
377
378 config SELINUXTYPE_targeted
379 bool "targeted"
380 select PACKAGE_refpolicy
381 help
382 SELinux Reference Policy (refpolicy)
383
384 config SELINUXTYPE_dssp
385 bool "dssp"
386 select PACKAGE_selinux-policy
387 help
388 Defensec SELinux Security Policy -- OpenWrt edition
389
390 endchoice
391
392 endmenu
Staging tree of Piotr Dymacz