1 # SPDX-License-Identifier: GPL-2.0-only
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
7 bool "Enable experimental features by default"
10 Set this option to build with latest bleeding edge features
11 which may or may not work as expected.
12 If you would like to help the development of OpenWrt, you are
13 encouraged to set this option and provide feedback (both
14 positive and negative). But do so only if you know how to
15 recover your device in case of flashing potentially non-working
18 If you plan to use this build in production, say NO!
20 menu "Global build settings"
22 config JSON_OVERVIEW_IMAGE_INFO
23 bool "Create JSON info file overview per target"
26 Create a JSON info file called profiles.json in the target
27 directory containing machine readable list of built profiles
31 bool "Select all target specific packages by default"
36 bool "Select all kernel module packages by default"
39 bool "Select all userspace packages by default"
44 bool "Set build defaults for automatic builds (e.g. via buildbot)"
47 This option changes several defaults to be more suitable for
48 automatic builds. This includes the following changes:
49 - Deleting build directories after compiling (to save space)
50 - Enabling per-device rootfs support
53 config SIGNED_PACKAGES
54 bool "Cryptographically signed package lists"
57 config SIGNATURE_CHECK
58 bool "Enable signature checking in opkg"
59 default SIGNED_PACKAGES
61 config DOWNLOAD_CHECK_CERTIFICATE
62 bool "Enable TLS certificate verification during package download"
65 comment "General build options"
68 bool "Use the testing kernel version"
69 depends on HAS_TESTING_KERNEL
72 If the target supports a newer kernel version than the default,
73 you can use this config option to enable it
76 config DISPLAY_SUPPORT
77 bool "Show packages that require graphics support (local or remote)"
82 bool "Compile with support for patented functionality"
84 When this option is disabled, software which provides patented functionality
85 will not be built. In case software provides optional support for patented
86 functionality, this optional support will get disabled for this package.
90 bool "Compile with full language support"
92 When this option is enabled, packages are built with the full versions of
93 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
94 used, it is also built with locale support.
96 config SHADOW_PASSWORDS
102 prompt "Remove ipkg/opkg status data files in final images"
105 This removes all ipkg/opkg status data files from the target directory
106 before building the root filesystem.
108 config IPK_FILES_CHECKSUMS
110 prompt "Record files checksums in package metadata"
113 This makes file checksums part of package metadata. It increases size
114 but provides you with pkg_check command to check for flash corruptions.
116 config INCLUDE_CONFIG
117 bool "Include build configuration in firmware" if DEVEL
120 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
122 config REPRODUCIBLE_DEBUG_INFO
123 bool "Make debug information reproducible"
126 This strips the local build path out of debug information. This has the
127 advantage of making it reproducible, but the disadvantage of making local
128 debugging using ./scripts/remote-gdb harder, since the debug data will
129 no longer point to the full path on the build host.
131 config COLLECT_KERNEL_DEBUG
133 prompt "Collect kernel debug information"
134 select KERNEL_DEBUG_INFO
137 This collects debugging symbols from the kernel and all compiled modules.
138 Useful for release builds, so that kernel issues can be debugged offline
141 menu "Kernel build options"
143 source "config/Config-kernel.in"
147 comment "Package build options"
151 prompt "Compile packages with debugging info"
154 Adds -g3 to the CFLAGS.
158 prompt "Enable IPv6 support in packages"
161 Enables IPv6 support in kernel (builtin) and packages.
163 comment "Stripping options"
166 prompt "Binary stripping method"
167 default USE_STRIP if USE_GLIBC
170 Select the binary stripping method you wish to use.
175 This will install unstripped binaries (useful for native
176 compiling/debugging).
181 This will install binaries stripped using strip from binutils.
186 depends on !USE_GLIBC
188 This will install binaries stripped using sstrip.
193 prompt "Strip arguments"
195 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
196 default "--strip-all"
198 Specifies arguments passed to the strip command when stripping binaries.
202 prompt "Sstrip arguments"
203 depends on USE_SSTRIP
206 Specifies arguments passed to the sstrip command when stripping binaries.
208 config STRIP_KERNEL_EXPORTS
209 bool "Strip unnecessary exports from the kernel image"
211 Reduces kernel size by stripping unused kernel exports from the kernel
212 image. Note that this might make the kernel incompatible with any kernel
213 modules that were not selected at the time the kernel image was created.
216 bool "Strip unnecessary functions from libraries"
218 Reduces libraries to only those functions that are necessary for using all
219 selected packages (including those selected as <M>). Note that this will
220 make the system libraries incompatible with most of the packages that are
221 not selected during the build process.
223 comment "Hardening build options"
225 config PKG_CHECK_FORMAT_SECURITY
227 prompt "Enable gcc format-security"
230 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
231 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
235 prompt "User space ASLR PIE compilation"
236 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
237 default PKG_ASLR_PIE_REGULAR
239 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
240 This enables package build as Position Independent Executables (PIE)
241 to protect against "return-to-text" attacks. This belongs to the
242 feature of Address Space Layout Randomisation (ASLR), which is
243 implemented by the kernel and the ELF loader by randomising the
244 location of memory allocations. This makes memory addresses harder
245 to predict when an attacker is attempting a memory-corruption exploit.
246 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
248 Be ware that ASLR increases the binary size.
249 config PKG_ASLR_PIE_NONE
252 PIE is deactivated for all applications
253 config PKG_ASLR_PIE_REGULAR
256 PIE is activated for some binaries, mostly network exposed applications
257 config PKG_ASLR_PIE_ALL
259 select BUSYBOX_DEFAULT_PIE
261 PIE is activated for all applications
265 prompt "User space Stack-Smashing Protection"
266 default PKG_CC_STACKPROTECTOR_REGULAR
268 Enable GCC Stack Smashing Protection (SSP) for userspace applications
269 config PKG_CC_STACKPROTECTOR_NONE
271 config PKG_CC_STACKPROTECTOR_REGULAR
273 config PKG_CC_STACKPROTECTOR_STRONG
278 prompt "Kernel space Stack-Smashing Protection"
279 default KERNEL_CC_STACKPROTECTOR_REGULAR
281 Enable GCC Stack-Smashing Protection (SSP) for the kernel
282 config KERNEL_CC_STACKPROTECTOR_NONE
284 config KERNEL_CC_STACKPROTECTOR_REGULAR
286 config KERNEL_CC_STACKPROTECTOR_STRONG
290 config KERNEL_STACKPROTECTOR
292 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
294 config KERNEL_STACKPROTECTOR_STRONG
296 default KERNEL_CC_STACKPROTECTOR_STRONG
299 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
300 default PKG_FORTIFY_SOURCE_1
302 Enable the _FORTIFY_SOURCE macro which introduces additional
303 checks to detect buffer-overflows in the following standard library
304 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
305 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
306 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
307 checks that shouldn't change the behavior of conforming programs,
308 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
309 added, but some conforming programs might fail.
310 config PKG_FORTIFY_SOURCE_NONE
312 config PKG_FORTIFY_SOURCE_1
314 config PKG_FORTIFY_SOURCE_2
319 prompt "Enable RELRO protection"
320 default PKG_RELRO_FULL
322 Enable a link-time protection known as RELRO (Relocation Read Only)
323 which helps to protect from certain type of exploitation techniques
324 altering the content of some ELF sections. "Partial" RELRO makes the
325 .dynamic section not writeable after initialization, introducing
326 almost no performance penalty, while "full" RELRO also marks the GOT
327 as read-only at the cost of initializing all of it at startup.
328 config PKG_RELRO_NONE
330 config PKG_RELRO_PARTIAL
332 config PKG_RELRO_FULL
336 config TARGET_ROOTFS_SECURITY_LABELS
338 select KERNEL_SQUASHFS_XATTR
339 select KERNEL_EXT4_FS_SECURITY
340 select KERNEL_F2FS_FS_SECURITY
341 select KERNEL_UBIFS_FS_SECURITY
342 select KERNEL_JFFS2_FS_SECURITY
345 bool "Enable SELinux"
346 select KERNEL_SECURITY_SELINUX
347 select TARGET_ROOTFS_SECURITY_LABELS
348 select PACKAGE_procd-selinux
349 select PACKAGE_busybox-selinux
351 This option enables SELinux kernel features, applies security labels
352 in squashfs rootfs and selects the selinux-variants of busybox and procd.
354 Selecting this option results in about 0.5MiB of additional flash space
355 usage accounting for increased kernel and rootfs size.
358 prompt "default SELinux type"
359 depends on TARGET_ROOTFS_SECURITY_LABELS
360 default SELINUXTYPE_dssp
362 Select SELinux policy to be installed and used for applying rootfs labels.
364 config SELINUXTYPE_targeted
366 select PACKAGE_refpolicy
368 SELinux Reference Policy (refpolicy)
370 config SELINUXTYPE_dssp
372 select PACKAGE_selinux-policy
374 Defensec SELinux Security Policy -- OpenWrt edition
379 bool "Enable SECCOMP"
380 select KERNEL_SECCOMP
381 select PACKAGE_procd-seccomp
382 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
383 depends on !TARGET_uml
386 This option enables seccomp kernel features to safely
387 execute untrusted bytecode and selects the seccomp-variants