# SPDX-License-Identifier: GPL-2.0-only
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
bool "Enable experimental features by default"
Set this option to build with the latest bleeding-edge features,
which may or may not work as expected.
If you would like to help the development of OpenWrt, you are
encouraged to set this option and provide feedback (both
positive and negative). But do so only if you know how to
recover your device in case of flashing potentially non-working
If you plan to use this build in production, say NO!
menu "Global build settings"
config JSON_OVERVIEW_IMAGE_INFO
bool "Create JSON info file overview per target"
Create a JSON info file called profiles.json in the target
directory containing a machine-readable list of built profiles
bool "Select all target specific packages by default"
bool "Select all kernel module packages by default"
bool "Select all userspace packages by default"
bool "Set build defaults for automatic builds (e.g. via buildbot)"
This option changes several defaults to be more suitable for
automatic builds. This includes the following changes:
- Deleting build directories after compiling (to save space)
- Enabling per-device rootfs support
config SIGNED_PACKAGES
bool "Cryptographically signed package lists"
config SIGNATURE_CHECK
bool "Enable signature checking in opkg"
default SIGNED_PACKAGES
config DOWNLOAD_CHECK_CERTIFICATE
bool "Enable TLS certificate verification during package download"
comment "General build options"
bool "Use the testing kernel version"
depends on HAS_TESTING_KERNEL
If the target supports a newer kernel version than the default,
you can use this config option to enable it.
config DISPLAY_SUPPORT
bool "Show packages that require graphics support (local or remote)"
bool "Compile with support for patented functionality"
When this option is disabled, software which provides patented functionality
will not be built. If a package provides optional support for patented
functionality, that optional support is disabled for the package.
bool "Compile with full language support"
When this option is enabled, packages are built with the full versions of
iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
used, it is also built with locale support.
config SHADOW_PASSWORDS
prompt "Remove ipkg/opkg status data files in final images"
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
config IPK_FILES_CHECKSUMS
prompt "Record files checksums in package metadata"
This makes file checksums part of the package metadata. It increases the
package size but provides the pkg_check command to check for flash corruption.
config INCLUDE_CONFIG
bool "Include build configuration in firmware" if DEVEL
If enabled, buildinfo files will be stored in /etc/build.* of firmware.
config REPRODUCIBLE_DEBUG_INFO
bool "Make debug information reproducible"
This strips the local build path out of debug information. This has the
advantage of making it reproducible, but the disadvantage of making local
debugging using ./scripts/remote-gdb harder, since the debug data will
no longer point to the full path on the build host.
config COLLECT_KERNEL_DEBUG
prompt "Collect kernel debug information"
select KERNEL_DEBUG_INFO
This collects debugging symbols from the kernel and all compiled modules.
Useful for release builds, so that kernel issues can be debugged offline
menu "Kernel build options"
source "config/Config-kernel.in"
comment "Package build options"
prompt "Compile packages with debugging info"
Adds -g3 to the CFLAGS.
comment "Stripping options"
prompt "Binary stripping method"
default USE_STRIP if USE_GLIBC
Select the binary stripping method you wish to use.
This will install unstripped binaries (useful for native
compiling/debugging).
This will install binaries stripped using strip from binutils.
depends on !USE_GLIBC
This will install binaries stripped using sstrip.
prompt "Strip arguments"
default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
default "--strip-all"
Specifies arguments passed to the strip command when stripping binaries.
prompt "Sstrip arguments"
depends on USE_SSTRIP
Specifies arguments passed to the sstrip command when stripping binaries.
config STRIP_KERNEL_EXPORTS
bool "Strip unnecessary exports from the kernel image"
Reduces kernel size by stripping unused kernel exports from the kernel
image. Note that this might make the kernel incompatible with any kernel
modules that were not selected at the time the kernel image was created.
bool "Strip unnecessary functions from libraries"
Reduces libraries to only those functions that are necessary for using all
selected packages (including those selected as <M>). Note that this will
make the system libraries incompatible with most of the packages that are
not selected during the build process.
comment "Hardening build options"
config PKG_CHECK_FORMAT_SECURITY
prompt "Enable gcc format-security"
Add -Wformat -Werror=format-security to the CFLAGS. You can disable
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
prompt "User space ASLR PIE compilation"
default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
default PKG_ASLR_PIE_REGULAR
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This builds packages as Position Independent Executables (PIE), so that
Address Space Layout Randomisation (ASLR), which the kernel and the ELF
loader implement by randomising the location of memory mappings, also
covers the executable itself and not only its libraries, heap and stack.
Without PIE the executable's own code sits at a fixed address that an
attacker can reuse ("return-to-text" and similar code-reuse attacks)
when attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Be aware that building as PIE increases the binary size.
config PKG_ASLR_PIE_NONE
PIE is deactivated for all applications
config PKG_ASLR_PIE_REGULAR
PIE is activated for some binaries, mostly network exposed applications
config PKG_ASLR_PIE_ALL
select BUSYBOX_DEFAULT_PIE
PIE is activated for all applications
prompt "User space Stack-Smashing Protection"
default PKG_CC_STACKPROTECTOR_REGULAR
Enable GCC Stack Smashing Protection (SSP) for userspace applications
config PKG_CC_STACKPROTECTOR_NONE
config PKG_CC_STACKPROTECTOR_REGULAR
config PKG_CC_STACKPROTECTOR_STRONG
prompt "Kernel space Stack-Smashing Protection"
default KERNEL_CC_STACKPROTECTOR_REGULAR
Enable GCC Stack-Smashing Protection (SSP) for the kernel
config KERNEL_CC_STACKPROTECTOR_NONE
config KERNEL_CC_STACKPROTECTOR_REGULAR
config KERNEL_CC_STACKPROTECTOR_STRONG
config KERNEL_STACKPROTECTOR
default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
config KERNEL_STACKPROTECTOR_STRONG
default KERNEL_CC_STACKPROTECTOR_STRONG
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
default PKG_FORTIFY_SOURCE_1
Enable the _FORTIFY_SOURCE macro which introduces additional
checks to detect buffer-overflows in the following standard library
functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
checks that shouldn't change the behavior of conforming programs,
while "aggressive" (_FORTIFY_SOURCE set to 2) adds some more checking,
but some conforming programs might fail. The checks only take effect
when compiling with optimisation (-O1 or higher) and only where the
compiler can determine the size of the destination buffer.
config PKG_FORTIFY_SOURCE_NONE
config PKG_FORTIFY_SOURCE_1
config PKG_FORTIFY_SOURCE_2
prompt "Enable RELRO protection"
default PKG_RELRO_FULL
Enable a link-time protection known as RELRO (Relocation Read Only)
which helps to protect from certain types of exploitation techniques
that alter the content of some ELF sections. "Partial" RELRO makes the
.dynamic section (together with other relocated data such as .init_array)
read-only after initialisation, introducing almost no performance penalty,
while "full" RELRO additionally resolves all dynamic symbols at startup
(BIND_NOW) so that the GOT can be marked read-only too, at the cost of
a slower program start.
config PKG_RELRO_NONE
config PKG_RELRO_PARTIAL
config PKG_RELRO_FULL
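The PIE, stack-protector, FORTIFY_SOURCE and RELRO options above all leave a trace in the produced ELF files, so a practitioner can verify that a built image actually got the hardening it was configured for. The following checker is an added example and is not part of OpenWrt's build system: it reads ELF64 little-endian binaries only (the ELF32 targets need the corresponding 32-bit structures), it reports PIE from e_type == ET_DYN, NX from the PT_GNU_STACK flags, partial/full RELRO from PT_GNU_RELRO plus the BIND_NOW dynamic flags, and it infers the stack protector and FORTIFY_SOURCE from the __stack_chk_fail and __*_chk names in .dynstr instead of walking .dynsym (a heuristic, assumed good enough for a yes/no). Because no real binary ships with the text, build_elf() constructs header-only sample ELF images with the requested properties so the checker can be exercised offline; the format-security option is a compile-time check and leaves no trace to verify here.

```python
import struct
import sys

# Elf64 constants (the subset these checks need); little-endian ELF64 only.
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def _vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return vaddr - p["vaddr"] + p["offset"]
    raise ValueError("address %#x is not file-backed" % vaddr)


def checksec(data):
    """Report PIE / NX / RELRO / stack canary / FORTIFY for one ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        t, fl, off, va, _, fsz, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append({"type": t, "flags": fl, "offset": off, "vaddr": va, "filesz": fsz})
    # Walk the dynamic section (PT_DYNAMIC) for the BIND_NOW flags and the .dynstr location.
    tags = {}
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dyn is not None:
        off = dyn["offset"]
        while True:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
            off += DYN.size
    # Heuristic (assumption): scanning the .dynstr names is enough for a yes/no on
    # __stack_chk_fail (SSP) and __*_chk (FORTIFY_SOURCE) without parsing .dynsym.
    names = set()
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
        names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))
    bind_now = bool(DT_BIND_NOW in tags
                    or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro_seg = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    stack = next((p for p in phdrs if p["type"] == PT_GNU_STACK), None)
    return {
        "pie": e_type == ET_DYN,  # a shared library is ET_DYN too, so feed this executables
        "nx": stack is not None and not stack["flags"] & PF_X,  # no PT_GNU_STACK => exec stack
        "relro": "full" if relro_seg and bind_now else "partial" if relro_seg else "none",
        "canary": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk") for n in names),
    }


def build_elf(pie=True, nx=True, relro="full", canary=True, fortify=True):
    """Constructed sample: a header-only ELF64 (not runnable) carrying the requested markers."""
    strs = [b"", b"printf"] + ([b"__stack_chk_fail"] if canary else []) \
        + ([b"__memcpy_chk"] if fortify else [])
    dynstr = b"\0".join(strs) + b"\0"
    phnum = 4 if relro != "none" else 3
    str_off = EHDR.size + phnum * PHDR.size
    dyn_off = (str_off + len(dynstr) + 7) & ~7
    entries = [(DT_STRTAB, str_off), (DT_STRSZ, len(dynstr))]
    if relro == "full":
        entries += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]  # what -z now emits
    entries.append((DT_NULL, 0))
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    phdrs = [PHDR.pack(PT_LOAD, PF_R | PF_W, 0, 0, 0, total, total, 0x1000),
             PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8),
             PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro != "none":  # what -z relro emits
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    body = ehdr + b"".join(phdrs) + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dynamic


if __name__ == "__main__":
    # Usage: python3 checksec_lite.py /path/to/binary  (e.g. a file under staging_dir/target-*/root-*/)
    # Without an argument the constructed hardened and weak samples are checked instead.
    if len(sys.argv) > 1:
        print(checksec(open(sys.argv[1], "rb").read()))
    else:
        print("hardened:", checksec(build_elf()))
        print("weak:    ", checksec(build_elf(pie=False, nx=False, relro="none", canary=False, fortify=False)))
```

Run it over every executable in a target's root directory after a build and diff the result against what the options above promise; a package that sets PKG_ASLR_PIE:=0 in its Makefile, for instance, will show up as pie: False even with PKG_ASLR_PIE_ALL selected.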
config TARGET_ROOTFS_SECURITY_LABELS
select KERNEL_SQUASHFS_XATTR
select KERNEL_EXT4_FS_SECURITY
select KERNEL_F2FS_FS_SECURITY
select KERNEL_UBIFS_FS_SECURITY
select KERNEL_JFFS2_FS_SECURITY
bool "Enable SELinux"
select KERNEL_SECURITY_SELINUX
select TARGET_ROOTFS_SECURITY_LABELS
select PACKAGE_procd-selinux
select PACKAGE_busybox-selinux
This option enables SELinux kernel features, applies security labels
in the squashfs rootfs and selects the selinux-variants of busybox and procd.
Selecting this option results in about 0.5MiB of additional flash space
usage accounting for the increased kernel and rootfs size.
prompt "default SELinux type"
depends on TARGET_ROOTFS_SECURITY_LABELS
default SELINUXTYPE_dssp
Select the SELinux policy to be installed and used for applying rootfs labels.
config SELINUXTYPE_targeted
select PACKAGE_refpolicy
SELinux Reference Policy (refpolicy)
config SELINUXTYPE_dssp
select PACKAGE_selinux-policy
Defensec SELinux Security Policy -- OpenWrt edition
bool "Enable SECCOMP"
select KERNEL_SECCOMP
select PACKAGE_procd-seccomp
depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
depends on !TARGET_uml
This option enables the seccomp kernel feature, which lets a process
restrict the system calls it may make via BPF filters, and selects the seccomp-variants