1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
10 config JSON_OVERVIEW_IMAGE_INFO
11 bool "Create JSON info file overview per target"
14 Create a JSON info file called profiles.json in the target
15 directory containing machine readable list of built profiles
19 bool "Select all target specific packages by default"
24 bool "Select all kernel module packages by default"
27 bool "Select all userspace packages by default"
32 bool "Set build defaults for automatic builds (e.g. via buildbot)"
35 This option changes several defaults to be more suitable for
36 automatic builds. This includes the following changes:
37 - Deleting build directories after compiling (to save space)
38 - Enabling per-device rootfs support
41 config SIGNED_PACKAGES
42 bool "Cryptographically signed package lists"
45 config SIGNATURE_CHECK
46 bool "Enable signature checking in opkg"
47 default SIGNED_PACKAGES
49 comment "General build options"
52 bool "Use the testing kernel version"
53 depends on HAS_TESTING_KERNEL
56 If the target supports a newer kernel version than the default,
57 you can use this config option to enable it
60 config DISPLAY_SUPPORT
61 bool "Show packages that require graphics support (local or remote)"
66 bool "Compile with support for patented functionality"
68 When this option is disabled, software which provides patented functionality
69 will not be built. In case software provides optional support for patented
70 functionality, this optional support will get disabled for this package.
74 bool "Compile with full language support"
76 When this option is enabled, packages are built with the full versions of
77 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
78 used, it is also built with locale support.
80 config SHADOW_PASSWORDS
86 prompt "Remove ipkg/opkg status data files in final images"
89 This removes all ipkg/opkg status data files from the target directory
90 before building the root filesystem.
92 config IPK_FILES_CHECKSUMS
94 prompt "Record files checksums in package metadata"
97 This makes file checksums part of package metadata. It increases size
98 but provides you with pkg_check command to check for flash coruptions.
100 config INCLUDE_CONFIG
101 bool "Include build configuration in firmware" if DEVEL
104 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
106 config REPRODUCIBLE_DEBUG_INFO
107 bool "Make debug information reproducible"
110 This strips the local build path out of debug information. This has the
111 advantage of making it reproducible, but the disadvantage of making local
112 debugging using ./scripts/remote-gdb harder, since the debug data will
113 no longer point to the full path on the build host.
115 config COLLECT_KERNEL_DEBUG
117 prompt "Collect kernel debug information"
118 select KERNEL_DEBUG_INFO
121 This collects debugging symbols from the kernel and all compiled modules.
122 Useful for release builds, so that kernel issues can be debugged offline
125 menu "Kernel build options"
127 source "config/Config-kernel.in"
131 comment "Package build options"
135 prompt "Compile packages with debugging info"
138 Adds -g3 to the CFLAGS.
142 prompt "Enable IPv6 support in packages"
145 Enables IPv6 support in kernel (builtin) and packages.
147 comment "Stripping options"
150 prompt "Binary stripping method"
151 default USE_STRIP if EXTERNAL_TOOLCHAIN
152 default USE_STRIP if USE_GLIBC
155 Select the binary stripping method you wish to use.
160 This will install unstripped binaries (useful for native
161 compiling/debugging).
166 This will install binaries stripped using strip from binutils.
171 depends on !USE_GLIBC
173 This will install binaries stripped using sstrip.
178 prompt "Strip arguments"
180 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
181 default "--strip-all"
183 Specifies arguments passed to the strip command when stripping binaries.
187 prompt "Sstrip arguments"
188 depends on USE_SSTRIP
191 Specifies arguments passed to the sstrip command when stripping binaries.
193 config STRIP_KERNEL_EXPORTS
194 bool "Strip unnecessary exports from the kernel image"
196 Reduces kernel size by stripping unused kernel exports from the kernel
197 image. Note that this might make the kernel incompatible with any kernel
198 modules that were not selected at the time the kernel image was created.
201 bool "Strip unnecessary functions from libraries"
203 Reduces libraries to only those functions that are necessary for using all
204 selected packages (including those selected as <M>). Note that this will
205 make the system libraries incompatible with most of the packages that are
206 not selected during the build process.
209 prompt "Preferred standard C++ library"
210 default USE_LIBSTDCXX if USE_GLIBC
213 Select the preferred standard C++ library for all packages that support this.
220 depends on !USE_UCLIBC
226 comment "Hardening build options"
228 config PKG_CHECK_FORMAT_SECURITY
230 prompt "Enable gcc format-security"
233 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
234 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
238 prompt "User space ASLR PIE compilation"
239 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
240 default PKG_ASLR_PIE_REGULAR
242 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
243 This enables package build as Position Independent Executables (PIE)
244 to protect against "return-to-text" attacks. This belongs to the
245 feature of Address Space Layout Randomisation (ASLR), which is
246 implemented by the kernel and the ELF loader by randomising the
247 location of memory allocations. This makes memory addresses harder
248 to predict when an attacker is attempting a memory-corruption exploit.
249 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
251 Be ware that ASLR increases the binary size.
252 config PKG_ASLR_PIE_NONE
255 PIE is deactivated for all applications
256 config PKG_ASLR_PIE_REGULAR
259 PIE is activated for some binaries, mostly network exposed applications
260 config PKG_ASLR_PIE_ALL
262 select BUSYBOX_DEFAULT_PIE
264 PIE is activated for all applications
268 prompt "User space Stack-Smashing Protection"
269 default PKG_CC_STACKPROTECTOR_REGULAR
271 Enable GCC Stack Smashing Protection (SSP) for userspace applications
272 config PKG_CC_STACKPROTECTOR_NONE
274 config PKG_CC_STACKPROTECTOR_REGULAR
276 config PKG_CC_STACKPROTECTOR_STRONG
281 prompt "Kernel space Stack-Smashing Protection"
282 default KERNEL_CC_STACKPROTECTOR_REGULAR
284 Enable GCC Stack-Smashing Protection (SSP) for the kernel
285 config KERNEL_CC_STACKPROTECTOR_NONE
287 config KERNEL_CC_STACKPROTECTOR_REGULAR
289 config KERNEL_CC_STACKPROTECTOR_STRONG
293 config KERNEL_STACKPROTECTOR
295 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
297 config KERNEL_STACKPROTECTOR_STRONG
299 default KERNEL_CC_STACKPROTECTOR_STRONG
302 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
303 default PKG_FORTIFY_SOURCE_1
305 Enable the _FORTIFY_SOURCE macro which introduces additional
306 checks to detect buffer-overflows in the following standard library
307 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
308 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
309 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
310 checks that shouldn't change the behavior of conforming programs,
311 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
312 added, but some conforming programs might fail.
313 config PKG_FORTIFY_SOURCE_NONE
315 config PKG_FORTIFY_SOURCE_1
317 config PKG_FORTIFY_SOURCE_2
322 prompt "Enable RELRO protection"
323 default PKG_RELRO_FULL
325 Enable a link-time protection known as RELRO (Relocation Read Only)
326 which helps to protect from certain type of exploitation techniques
327 altering the content of some ELF sections. "Partial" RELRO makes the
328 .dynamic section not writeable after initialization, introducing
329 almost no performance penalty, while "full" RELRO also marks the GOT
330 as read-only at the cost of initializing all of it at startup.
331 config PKG_RELRO_NONE
333 config PKG_RELRO_PARTIAL
335 config PKG_RELRO_FULL
339 config TARGET_ROOTFS_SECURITY_LABELS
341 select KERNEL_SQUASHFS_XATTR
342 select KERNEL_EXT4_FS_SECURITY
343 select KERNEL_F2FS_FS_SECURITY
344 select KERNEL_UBIFS_FS_SECURITY
345 select KERNEL_JFFS2_FS_SECURITY
348 bool "Enable SELinux"
349 select KERNEL_SECURITY_SELINUX
350 select TARGET_ROOTFS_SECURITY_LABELS
351 select PACKAGE_procd-selinux
352 select PACKAGE_busybox-selinux
354 This option enables SELinux kernel features, applies security labels
355 in squashfs rootfs and selects the selinux-variants of busybox and procd.
357 Selecting this option results in about 0.5MiB of additional flash space
358 usage accounting for increased kernel and rootfs size.
361 prompt "default SELinux type"
362 depends on TARGET_ROOTFS_SECURITY_LABELS
363 default SELINUXTYPE_dssp
365 Select SELinux policy to be installed and used for applying rootfs labels.
367 config SELINUXTYPE_targeted
369 select PACKAGE_refpolicy
371 SELinux Reference Policy (refpolicy)
373 config SELINUXTYPE_dssp
375 select PACKAGE_selinux-policy
377 Defensec SELinux Security Policy -- OpenWrt edition