1 # SPDX-License-Identifier: GPL-2.0-only
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
7 bool "Enable experimental features by default"
10 Set this option to build with latest bleeding edge features
11 which may or may not work as expected.
12 If you would like to help the development of OpenWrt, you are
13 encouraged to set this option and provide feedback (both
14 positive and negative). But do so only if you know how to
15 recover your device in case of flashing potentially non-working
18 If you plan to use this build in production, say NO!
20 menu "Global build settings"
22 config JSON_OVERVIEW_IMAGE_INFO
23 bool "Create JSON info file overview per target"
26 Create a JSON info file called profiles.json in the target
27 directory containing machine readable list of built profiles
31 bool "Select all target specific packages by default"
36 bool "Select all kernel module packages by default"
39 bool "Select all userspace packages by default"
44 bool "Set build defaults for automatic builds (e.g. via buildbot)"
47 This option changes several defaults to be more suitable for
48 automatic builds. This includes the following changes:
49 - Deleting build directories after compiling (to save space)
50 - Enabling per-device rootfs support
53 config SIGNED_PACKAGES
54 bool "Cryptographically signed package lists"
57 config SIGNATURE_CHECK
58 bool "Enable signature checking in opkg"
59 default SIGNED_PACKAGES
61 comment "General build options"
64 bool "Use the testing kernel version"
65 depends on HAS_TESTING_KERNEL
68 If the target supports a newer kernel version than the default,
69 you can use this config option to enable it
72 config DISPLAY_SUPPORT
73 bool "Show packages that require graphics support (local or remote)"
78 bool "Compile with support for patented functionality"
80 When this option is disabled, software which provides patented functionality
81 will not be built. In case software provides optional support for patented
82 functionality, this optional support will get disabled for this package.
86 bool "Compile with full language support"
88 When this option is enabled, packages are built with the full versions of
89 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
90 used, it is also built with locale support.
92 config SHADOW_PASSWORDS
98 prompt "Remove ipkg/opkg status data files in final images"
101 This removes all ipkg/opkg status data files from the target directory
102 before building the root filesystem.
104 config IPK_FILES_CHECKSUMS
106 prompt "Record files checksums in package metadata"
109 This makes file checksums part of package metadata. It increases size
110 but provides you with pkg_check command to check for flash corruptions.
112 config INCLUDE_CONFIG
113 bool "Include build configuration in firmware" if DEVEL
116 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
118 config REPRODUCIBLE_DEBUG_INFO
119 bool "Make debug information reproducible"
122 This strips the local build path out of debug information. This has the
123 advantage of making it reproducible, but the disadvantage of making local
124 debugging using ./scripts/remote-gdb harder, since the debug data will
125 no longer point to the full path on the build host.
127 config COLLECT_KERNEL_DEBUG
129 prompt "Collect kernel debug information"
130 select KERNEL_DEBUG_INFO
133 This collects debugging symbols from the kernel and all compiled modules.
134 Useful for release builds, so that kernel issues can be debugged offline
137 menu "Kernel build options"
139 source "config/Config-kernel.in"
143 comment "Package build options"
147 prompt "Compile packages with debugging info"
150 Adds -g3 to the CFLAGS.
155 comment "Stripping options"
158 prompt "Binary stripping method"
159 default USE_STRIP if EXTERNAL_TOOLCHAIN
160 default USE_STRIP if USE_GLIBC
163 Select the binary stripping method you wish to use.
168 This will install unstripped binaries (useful for native
169 compiling/debugging).
174 This will install binaries stripped using strip from binutils.
179 depends on !USE_GLIBC
181 This will install binaries stripped using sstrip.
186 prompt "Strip arguments"
188 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
189 default "--strip-all"
191 Specifies arguments passed to the strip command when stripping binaries.
195 prompt "Sstrip arguments"
196 depends on USE_SSTRIP
199 Specifies arguments passed to the sstrip command when stripping binaries.
201 config STRIP_KERNEL_EXPORTS
202 bool "Strip unnecessary exports from the kernel image"
204 Reduces kernel size by stripping unused kernel exports from the kernel
205 image. Note that this might make the kernel incompatible with any kernel
206 modules that were not selected at the time the kernel image was created.
209 bool "Strip unnecessary functions from libraries"
211 Reduces libraries to only those functions that are necessary for using all
212 selected packages (including those selected as <M>). Note that this will
213 make the system libraries incompatible with most of the packages that are
214 not selected during the build process.
216 comment "Hardening build options"
218 config PKG_CHECK_FORMAT_SECURITY
220 prompt "Enable gcc format-security"
223 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
224 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
228 prompt "User space ASLR PIE compilation"
229 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
230 default PKG_ASLR_PIE_REGULAR
232 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
233 This enables package build as Position Independent Executables (PIE)
234 to protect against "return-to-text" attacks. This belongs to the
235 feature of Address Space Layout Randomisation (ASLR), which is
236 implemented by the kernel and the ELF loader by randomising the
237 location of memory allocations. This makes memory addresses harder
238 to predict when an attacker is attempting a memory-corruption exploit.
239 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
241 Be ware that ASLR increases the binary size.
242 config PKG_ASLR_PIE_NONE
245 PIE is deactivated for all applications
246 config PKG_ASLR_PIE_REGULAR
249 PIE is activated for some binaries, mostly network exposed applications
250 config PKG_ASLR_PIE_ALL
252 select BUSYBOX_DEFAULT_PIE
254 PIE is activated for all applications
258 prompt "User space Stack-Smashing Protection"
259 default PKG_CC_STACKPROTECTOR_REGULAR
261 Enable GCC Stack Smashing Protection (SSP) for userspace applications
262 config PKG_CC_STACKPROTECTOR_NONE
264 config PKG_CC_STACKPROTECTOR_REGULAR
266 config PKG_CC_STACKPROTECTOR_STRONG
271 prompt "Kernel space Stack-Smashing Protection"
272 default KERNEL_CC_STACKPROTECTOR_REGULAR
274 Enable GCC Stack-Smashing Protection (SSP) for the kernel
275 config KERNEL_CC_STACKPROTECTOR_NONE
277 config KERNEL_CC_STACKPROTECTOR_REGULAR
279 config KERNEL_CC_STACKPROTECTOR_STRONG
283 config KERNEL_STACKPROTECTOR
285 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
287 config KERNEL_STACKPROTECTOR_STRONG
289 default KERNEL_CC_STACKPROTECTOR_STRONG
292 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
293 default PKG_FORTIFY_SOURCE_1
295 Enable the _FORTIFY_SOURCE macro which introduces additional
296 checks to detect buffer-overflows in the following standard library
297 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
298 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
299 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
300 checks that shouldn't change the behavior of conforming programs,
301 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
302 added, but some conforming programs might fail.
303 config PKG_FORTIFY_SOURCE_NONE
305 config PKG_FORTIFY_SOURCE_1
307 config PKG_FORTIFY_SOURCE_2
312 prompt "Enable RELRO protection"
313 default PKG_RELRO_FULL
315 Enable a link-time protection known as RELRO (Relocation Read Only)
316 which helps to protect from certain type of exploitation techniques
317 altering the content of some ELF sections. "Partial" RELRO makes the
318 .dynamic section not writeable after initialization, introducing
319 almost no performance penalty, while "full" RELRO also marks the GOT
320 as read-only at the cost of initializing all of it at startup.
321 config PKG_RELRO_NONE
323 config PKG_RELRO_PARTIAL
325 config PKG_RELRO_FULL
329 config TARGET_ROOTFS_SECURITY_LABELS
331 select KERNEL_SQUASHFS_XATTR
332 select KERNEL_EXT4_FS_SECURITY
333 select KERNEL_F2FS_FS_SECURITY
334 select KERNEL_UBIFS_FS_SECURITY
335 select KERNEL_JFFS2_FS_SECURITY
338 bool "Enable SELinux"
339 select KERNEL_SECURITY_SELINUX
340 select TARGET_ROOTFS_SECURITY_LABELS
341 select PACKAGE_procd-selinux
342 select PACKAGE_busybox-selinux
344 This option enables SELinux kernel features, applies security labels
345 in squashfs rootfs and selects the selinux-variants of busybox and procd.
347 Selecting this option results in about 0.5MiB of additional flash space
348 usage accounting for increased kernel and rootfs size.
351 prompt "default SELinux type"
352 depends on TARGET_ROOTFS_SECURITY_LABELS
353 default SELINUXTYPE_dssp
355 Select SELinux policy to be installed and used for applying rootfs labels.
357 config SELINUXTYPE_targeted
359 select PACKAGE_refpolicy
361 SELinux Reference Policy (refpolicy)
363 config SELINUXTYPE_dssp
365 select PACKAGE_selinux-policy
367 Defensec SELinux Security Policy -- OpenWrt edition
372 bool "Enable SECCOMP"
373 select KERNEL_SECCOMP
374 select PACKAGE_procd-seccomp
375 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
376 depends on !TARGET_uml
379 This option enables seccomp kernel features to safely
380 execute untrusted bytecode and selects the seccomp-variants