1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
8 menu "Global build settings"
10 config JSON_ADD_IMAGE_INFO
11 bool "Create JSON info files per build image"
14 The JSON info files contain information about the device and
15 build images, stored next to the firmware images.
18 bool "Select all target specific packages by default"
23 bool "Select all kernel module packages by default"
26 bool "Select all userspace packages by default"
31 bool "Set build defaults for automatic builds (e.g. via buildbot)"
34 This option changes several defaults to be more suitable for
35 automatic builds. This includes the following changes:
36 - Deleting build directories after compiling (to save space)
37 - Enabling per-device rootfs support
40 config INSTALL_LOCAL_KEY
41 bool "Install local usign key into image"
44 config SIGNED_PACKAGES
45 bool "Cryptographically signed package lists"
49 bool "Cryptographically signed firmware images"
52 config SIGNATURE_CHECK
53 bool "Enable signature checking in opkg"
56 comment "General build options"
59 bool "Use the testing kernel version"
60 depends on HAS_TESTING_KERNEL
63 If the target supports a newer kernel version than the default,
64 you can use this config option to enable it
67 config DISPLAY_SUPPORT
68 bool "Show packages that require graphics support (local or remote)"
73 bool "Compile with support for patented functionality"
75 When this option is disabled, software which provides patented functionality
76 will not be built. In case software provides optional support for patented
77 functionality, this optional support will get disabled for this package.
81 bool "Compile with full language support"
83 When this option is enabled, packages are built with the full versions of
84 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
85 used, it is also built with locale support.
87 config SHADOW_PASSWORDS
93 prompt "Remove ipkg/opkg status data files in final images"
96 This removes all ipkg/opkg status data files from the target directory
97 before building the root filesystem.
99 config IPK_FILES_CHECKSUMS
101 prompt "Record files checksums in package metadata"
104 This makes file checksums part of package metadata. It increases size
105 but provides you with pkg_check command to check for flash coruptions.
107 config INCLUDE_CONFIG
108 bool "Include build configuration in firmware" if DEVEL
111 If enabled, config.buildinfo will be stored in /etc/build.config of firmware.
113 config COLLECT_KERNEL_DEBUG
115 prompt "Collect kernel debug information"
116 select KERNEL_DEBUG_INFO
119 This collects debugging symbols from the kernel and all compiled modules.
120 Useful for release builds, so that kernel issues can be debugged offline
123 menu "Kernel build options"
125 source "config/Config-kernel.in"
129 comment "Package build options"
133 prompt "Compile packages with debugging info"
136 Adds -g3 to the CFLAGS.
140 prompt "Enable IPv6 support in packages"
143 Enables IPv6 support in kernel (builtin) and packages.
145 comment "Stripping options"
148 prompt "Binary stripping method"
149 default USE_STRIP if EXTERNAL_TOOLCHAIN
150 default USE_STRIP if USE_GLIBC
153 Select the binary stripping method you wish to use.
158 This will install unstripped binaries (useful for native
159 compiling/debugging).
164 This will install binaries stripped using strip from binutils.
169 depends on !USE_GLIBC
171 This will install binaries stripped using sstrip.
176 prompt "Strip arguments"
178 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
179 default "--strip-all"
181 Specifies arguments passed to the strip command when stripping binaries.
183 config STRIP_KERNEL_EXPORTS
184 bool "Strip unnecessary exports from the kernel image"
186 Reduces kernel size by stripping unused kernel exports from the kernel
187 image. Note that this might make the kernel incompatible with any kernel
188 modules that were not selected at the time the kernel image was created.
191 bool "Strip unnecessary functions from libraries"
193 Reduces libraries to only those functions that are necessary for using all
194 selected packages (including those selected as <M>). Note that this will
195 make the system libraries incompatible with most of the packages that are
196 not selected during the build process.
199 prompt "Preferred standard C++ library"
200 default USE_LIBSTDCXX if USE_GLIBC
203 Select the preferred standard C++ library for all packages that support this.
212 comment "Hardening build options"
214 config PKG_CHECK_FORMAT_SECURITY
216 prompt "Enable gcc format-security"
219 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
220 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
225 prompt "User space ASLR PIE compilation"
226 select BUSYBOX_DEFAULT_PIE
229 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
230 This enables package build as Position Independent Executables (PIE)
231 to protect against "return-to-text" attacks. This belongs to the
232 feature of Address Space Layout Randomisation (ASLR), which is
233 implemented by the kernel and the ELF loader by randomising the
234 location of memory allocations. This makes memory addresses harder
235 to predict when an attacker is attempting a memory-corruption exploit.
236 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
240 prompt "User space Stack-Smashing Protection"
242 default PKG_CC_STACKPROTECTOR_REGULAR
244 Enable GCC Stack Smashing Protection (SSP) for userspace applications
245 config PKG_CC_STACKPROTECTOR_NONE
247 config PKG_CC_STACKPROTECTOR_REGULAR
249 select GCC_LIBSSP if !USE_MUSL
250 depends on KERNEL_CC_STACKPROTECTOR_REGULAR
251 config PKG_CC_STACKPROTECTOR_STRONG
253 select GCC_LIBSSP if !USE_MUSL
254 depends on KERNEL_CC_STACKPROTECTOR_STRONG
258 prompt "Kernel space Stack-Smashing Protection"
259 default KERNEL_CC_STACKPROTECTOR_REGULAR
260 depends on USE_MUSL || !(x86_64 || i386)
262 Enable GCC Stack-Smashing Protection (SSP) for the kernel
263 config KERNEL_CC_STACKPROTECTOR_NONE
265 config KERNEL_CC_STACKPROTECTOR_REGULAR
267 config KERNEL_CC_STACKPROTECTOR_STRONG
271 config KERNEL_STACKPROTECTOR
273 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
275 config KERNEL_STACKPROTECTOR_STRONG
277 default KERNEL_CC_STACKPROTECTOR_STRONG
280 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
281 default PKG_FORTIFY_SOURCE_1
283 Enable the _FORTIFY_SOURCE macro which introduces additional
284 checks to detect buffer-overflows in the following standard library
285 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
286 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
287 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
288 checks that shouldn't change the behavior of conforming programs,
289 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
290 added, but some conforming programs might fail.
291 config PKG_FORTIFY_SOURCE_NONE
293 config PKG_FORTIFY_SOURCE_1
295 config PKG_FORTIFY_SOURCE_2
300 prompt "Enable RELRO protection"
301 default PKG_RELRO_FULL
303 Enable a link-time protection known as RELRO (Relocation Read Only)
304 which helps to protect from certain type of exploitation techniques
305 altering the content of some ELF sections. "Partial" RELRO makes the
306 .dynamic section not writeable after initialization, introducing
307 almost no performance penalty, while "full" RELRO also marks the GOT
308 as read-only at the cost of initializing all of it at startup.
309 config PKG_RELRO_NONE
311 config PKG_RELRO_PARTIAL
313 config PKG_RELRO_FULL