1 # SPDX-License-Identifier: GPL-2.0-only
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
7 bool "Enable experimental features by default"
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
17 If you plan to use this build in production, say NO!
19 menu "Global build settings"
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
29 config JSON_CYCLONEDX_SBOM
30 bool "Create CycloneDX SBOM JSON"
33 Create a JSON files *.bom.cdx.json in the build
34 directory containing Software Bill Of Materials in CycloneDX
38 bool "Select all target specific packages by default"
43 bool "Select all kernel module packages by default"
46 bool "Select all userspace packages by default"
51 bool "Set build defaults for automatic builds (e.g. via buildbot)"
53 This option changes several defaults to be more suitable for
54 automatic builds. This includes the following changes:
55 - Deleting build directories after compiling (to save space)
56 - Enabling per-device rootfs support
59 config SIGNED_PACKAGES
60 bool "Cryptographically signed package lists"
63 config SIGNATURE_CHECK
64 bool "Enable signature checking in opkg"
65 default SIGNED_PACKAGES
67 config DOWNLOAD_CHECK_CERTIFICATE
68 bool "Enable TLS certificate verification during package download"
71 comment "General build options"
74 bool "Use the testing kernel version"
75 depends on HAS_TESTING_KERNEL
78 If the target supports a newer kernel version than the default,
79 you can use this config option to enable it
82 config DISPLAY_SUPPORT
83 bool "Show packages that require graphics support (local or remote)"
86 bool "Compile with support for patented functionality"
88 When this option is disabled, software which provides patented functionality
89 will not be built. In case software provides optional support for patented
90 functionality, this optional support will get disabled for this package.
93 bool "Compile with full language support"
95 When this option is enabled, packages are built with the full versions of
96 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
97 used, it is also built with locale support.
99 config SHADOW_PASSWORDS
105 prompt "Remove ipkg/opkg status data files in final images"
107 This removes all ipkg/opkg status data files from the target directory
108 before building the root filesystem.
110 config IPK_FILES_CHECKSUMS
112 prompt "Record files checksums in package metadata"
114 This makes file checksums part of package metadata. It increases size
115 but provides you with pkg_check command to check for flash corruptions.
117 config INCLUDE_CONFIG
118 bool "Include build configuration in firmware" if DEVEL
120 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
122 config REPRODUCIBLE_DEBUG_INFO
123 bool "Make debug information reproducible"
126 This strips the local build path out of debug information. This has the
127 advantage of making it reproducible, but the disadvantage of making local
128 debugging using ./scripts/remote-gdb harder, since the debug data will
129 no longer point to the full path on the build host.
131 config COLLECT_KERNEL_DEBUG
133 prompt "Collect kernel debug information"
134 select KERNEL_DEBUG_INFO
137 This collects debugging symbols from the kernel and all compiled modules.
138 Useful for release builds, so that kernel issues can be debugged offline
141 menu "Kernel build options"
143 source "config/Config-kernel.in"
147 comment "Package build options"
151 prompt "Compile packages with debugging info"
153 Adds -g3 to the CFLAGS.
155 config USE_GC_SECTIONS
157 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
159 Places functions and data items into its own sections to use the linker's
160 garbage collection capabilites.
161 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
165 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
167 Adds LTO flags to the CFLAGS and LDFLAGS.
168 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
173 comment "Stripping options"
176 prompt "Binary stripping method"
177 default USE_STRIP if USE_GLIBC
180 Select the binary stripping method you wish to use.
185 This will install unstripped binaries (useful for native
186 compiling/debugging).
191 This will install binaries stripped using strip from binutils.
196 depends on !USE_GLIBC
198 This will install binaries stripped using sstrip.
203 prompt "Strip arguments"
205 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
206 default "--strip-all"
208 Specifies arguments passed to the strip command when stripping binaries.
212 prompt "Sstrip arguments"
213 depends on USE_SSTRIP
216 Specifies arguments passed to the sstrip command when stripping binaries.
218 config STRIP_KERNEL_EXPORTS
219 bool "Strip unnecessary exports from the kernel image"
221 Reduces kernel size by stripping unused kernel exports from the kernel
222 image. Note that this might make the kernel incompatible with any kernel
223 modules that were not selected at the time the kernel image was created.
226 bool "Strip unnecessary functions from libraries"
228 Reduces libraries to only those functions that are necessary for using all
229 selected packages (including those selected as <M>). Note that this will
230 make the system libraries incompatible with most of the packages that are
231 not selected during the build process.
233 comment "Hardening build options"
235 config PKG_CHECK_FORMAT_SECURITY
237 prompt "Enable gcc format-security"
240 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
241 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
245 prompt "User space ASLR PIE compilation"
246 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
247 default PKG_ASLR_PIE_REGULAR
249 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
250 This enables package build as Position Independent Executables (PIE)
251 to protect against "return-to-text" attacks. This belongs to the
252 feature of Address Space Layout Randomisation (ASLR), which is
253 implemented by the kernel and the ELF loader by randomising the
254 location of memory allocations. This makes memory addresses harder
255 to predict when an attacker is attempting a memory-corruption exploit.
256 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
258 Be ware that ASLR increases the binary size.
259 config PKG_ASLR_PIE_NONE
262 PIE is deactivated for all applications
263 config PKG_ASLR_PIE_REGULAR
266 PIE is activated for some binaries, mostly network exposed applications
267 config PKG_ASLR_PIE_ALL
269 select BUSYBOX_DEFAULT_PIE
271 PIE is activated for all applications
275 prompt "User space Stack-Smashing Protection"
276 default PKG_CC_STACKPROTECTOR_REGULAR
278 Enable GCC Stack Smashing Protection (SSP) for userspace applications
279 config PKG_CC_STACKPROTECTOR_NONE
281 config PKG_CC_STACKPROTECTOR_REGULAR
283 config PKG_CC_STACKPROTECTOR_STRONG
288 prompt "Kernel space Stack-Smashing Protection"
289 default KERNEL_CC_STACKPROTECTOR_REGULAR
291 Enable GCC Stack-Smashing Protection (SSP) for the kernel
292 config KERNEL_CC_STACKPROTECTOR_NONE
294 config KERNEL_CC_STACKPROTECTOR_REGULAR
296 config KERNEL_CC_STACKPROTECTOR_STRONG
300 config KERNEL_STACKPROTECTOR
302 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
304 config KERNEL_STACKPROTECTOR_STRONG
306 default KERNEL_CC_STACKPROTECTOR_STRONG
309 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
310 default PKG_FORTIFY_SOURCE_1
312 Enable the _FORTIFY_SOURCE macro which introduces additional
313 checks to detect buffer-overflows in the following standard library
314 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
315 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
316 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
317 checks that shouldn't change the behavior of conforming programs,
318 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
319 added, but some conforming programs might fail.
320 config PKG_FORTIFY_SOURCE_NONE
322 config PKG_FORTIFY_SOURCE_1
324 config PKG_FORTIFY_SOURCE_2
329 prompt "Enable RELRO protection"
330 default PKG_RELRO_FULL
332 Enable a link-time protection known as RELRO (Relocation Read Only)
333 which helps to protect from certain type of exploitation techniques
334 altering the content of some ELF sections. "Partial" RELRO makes the
335 .dynamic section not writeable after initialization, introducing
336 almost no performance penalty, while "full" RELRO also marks the GOT
337 as read-only at the cost of initializing all of it at startup.
338 config PKG_RELRO_NONE
340 config PKG_RELRO_PARTIAL
342 config PKG_RELRO_FULL
346 config TARGET_ROOTFS_SECURITY_LABELS
348 select KERNEL_SQUASHFS_XATTR
349 select KERNEL_EXT4_FS_SECURITY
350 select KERNEL_F2FS_FS_SECURITY
351 select KERNEL_UBIFS_FS_SECURITY
352 select KERNEL_JFFS2_FS_SECURITY
355 bool "Enable SELinux"
356 select KERNEL_SECURITY_SELINUX
357 select TARGET_ROOTFS_SECURITY_LABELS
358 select PACKAGE_procd-selinux
359 select PACKAGE_busybox-selinux
361 This option enables SELinux kernel features, applies security labels
362 in squashfs rootfs and selects the selinux-variants of busybox and procd.
364 Selecting this option results in about 0.5MiB of additional flash space
365 usage accounting for increased kernel and rootfs size.
368 prompt "default SELinux type"
369 depends on TARGET_ROOTFS_SECURITY_LABELS
370 default SELINUXTYPE_dssp
372 Select SELinux policy to be installed and used for applying rootfs labels.
374 config SELINUXTYPE_targeted
376 select PACKAGE_refpolicy
378 SELinux Reference Policy (refpolicy)
380 config SELINUXTYPE_dssp
382 select PACKAGE_selinux-policy
384 Defensec SELinux Security Policy -- OpenWrt edition
389 bool "Enable SECCOMP"
390 select KERNEL_SECCOMP
391 select PACKAGE_procd-seccomp
392 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
393 depends on !TARGET_uml
396 This option enables seccomp kernel features to safely
397 execute untrusted bytecode and selects the seccomp-variants