projects / openwrt / staging / pepe2k.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
qualcommax: ipq807x: use ath11k_patch_mac for SXK80
[openwrt/staging/pepe2k.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 help
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
15 firmware.
16
17 If you plan to use this build in production, say NO!
18
19 menu "Global build settings"
20
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
23 default y
24 help
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
27 and resulting images.
28
29 config JSON_CYCLONEDX_SBOM
30 bool "Create CycloneDX SBOM JSON"
31 default BUILDBOT
32 help
33 Create a JSON files *.bom.cdx.json in the build
34 directory containing Software Bill Of Materials in CycloneDX
35 format.
36
37 config ALL_NONSHARED
38 bool "Select all target specific packages by default"
39 select ALL_KMODS
40 default BUILDBOT
41
42 config ALL_KMODS
43 bool "Select all kernel module packages by default"
44
45 config ALL
46 bool "Select all userspace packages by default"
47 select ALL_KMODS
48 select ALL_NONSHARED
49
50 config BUILDBOT
51 bool "Set build defaults for automatic builds (e.g. via buildbot)"
52 help
53 This option changes several defaults to be more suitable for
54 automatic builds. This includes the following changes:
55 - Deleting build directories after compiling (to save space)
56 - Enabling per-device rootfs support
57 ...
58
59 config SIGNED_PACKAGES
60 bool "Cryptographically signed package lists"
61 default y
62
63 config SIGNATURE_CHECK
64 bool "Enable signature checking in opkg"
65 default SIGNED_PACKAGES
66
67 config DOWNLOAD_CHECK_CERTIFICATE
68 bool "Enable TLS certificate verification during package download"
69 default y
70
71 config USE_APK
72 imply PACKAGE_apk-mbedtls
73 bool "Use APK instead of OPKG to build distribution (EXPERIMENTAL)"
74
75 comment "General build options"
76
77 config TESTING_KERNEL
78 bool "Use the testing kernel version"
79 depends on HAS_TESTING_KERNEL
80 default EXPERIMENTAL
81 help
82 If the target supports a newer kernel version than the default,
83 you can use this config option to enable it
84
85
86 config DISPLAY_SUPPORT
87 bool "Show packages that require graphics support (local or remote)"
88
89 config BUILD_PATENTED
90 bool "Compile with support for patented functionality"
91 help
92 When this option is disabled, software which provides patented functionality
93 will not be built. In case software provides optional support for patented
94 functionality, this optional support will get disabled for this package.
95
96 config BUILD_NLS
97 bool "Compile with full language support"
98 help
99 When this option is enabled, packages are built with the full versions of
100 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
101 used, it is also built with locale support.
102
103 config SHADOW_PASSWORDS
104 bool
105 default y
106
107 config CLEAN_IPKG
108 bool
109 prompt "Remove ipkg/opkg status data files in final images"
110 help
111 This removes all ipkg/opkg status data files from the target directory
112 before building the root filesystem.
113
114 config IPK_FILES_CHECKSUMS
115 bool
116 prompt "Record files checksums in package metadata"
117 depends on !USE_APK
118 help
119 This makes file checksums part of package metadata. It increases size
120 but provides you with pkg_check command to check for flash corruptions.
121
122 config INCLUDE_CONFIG
123 bool "Include build configuration in firmware" if DEVEL
124 help
125 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
126
127 config REPRODUCIBLE_DEBUG_INFO
128 bool "Make debug information reproducible"
129 default BUILDBOT
130 help
131 This strips the local build path out of debug information. This has the
132 advantage of making it reproducible, but the disadvantage of making local
133 debugging using ./scripts/remote-gdb harder, since the debug data will
134 no longer point to the full path on the build host.
135
136 config COLLECT_KERNEL_DEBUG
137 bool
138 prompt "Collect kernel debug information"
139 select KERNEL_DEBUG_INFO
140 default BUILDBOT
141 help
142 This collects debugging symbols from the kernel and all compiled modules.
143 Useful for release builds, so that kernel issues can be debugged offline
144 later.
145
146 menu "Kernel build options"
147
148 source "config/Config-kernel.in"
149
150 endmenu
151
152 comment "Package build options"
153
154 config DEBUG
155 bool
156 prompt "Compile packages with debugging info"
157 help
158 Adds -g3 to the CFLAGS.
159
160 config USE_GC_SECTIONS
161 bool
162 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
163 help
164 Places functions and data items into its own sections to use the linker's
165 garbage collection capabilites.
166 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
167
168 config USE_LTO
169 bool
170 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
171 help
172 Adds LTO flags to the CFLAGS and LDFLAGS.
173 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
174
175 config MOLD
176 depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
177 depends on !GCC_USE_VERSION_11
178 def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
179
180 config USE_MOLD
181 bool
182 prompt "Use the mold linker for all packages"
183 depends on MOLD
184 help
185 Link packages with mold, a modern linker
186 Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
187
188 config IPV6
189 def_bool y
190
191 comment "Stripping options"
192
193 choice
194 prompt "Binary stripping method"
195 default USE_STRIP if USE_GLIBC
196 default USE_SSTRIP
197 help
198 Select the binary stripping method you wish to use.
199
200 config NO_STRIP
201 bool "none"
202 help
203 This will install unstripped binaries (useful for native
204 compiling/debugging).
205
206 config USE_STRIP
207 bool "strip"
208 help
209 This will install binaries stripped using strip from binutils.
210
211 config USE_SSTRIP
212 bool "sstrip"
213 depends on !USE_GLIBC
214 help
215 This will install binaries stripped using sstrip.
216 endchoice
217
218 config STRIP_ARGS
219 string
220 prompt "Strip arguments"
221 depends on USE_STRIP
222 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
223 default "--strip-all"
224 help
225 Specifies arguments passed to the strip command when stripping binaries.
226
227 config SSTRIP_DISCARD_TRAILING_ZEROES
228 bool "Strip trailing zero bytes"
229 depends on USE_SSTRIP && !USE_MOLD
230 default y
231 help
232 Use sstrip's -z option to discard trailing zero bytes
233
234 config STRIP_KERNEL_EXPORTS
235 bool "Strip unnecessary exports from the kernel image"
236 depends on !LINUX_6_6
237 help
238 Reduces kernel size by stripping unused kernel exports from the kernel
239 image. Note that this might make the kernel incompatible with any kernel
240 modules that were not selected at the time the kernel image was created.
241
242 config USE_MKLIBS
243 bool "Strip unnecessary functions from libraries"
244 help
245 Reduces libraries to only those functions that are necessary for using all
246 selected packages (including those selected as <M>). Note that this will
247 make the system libraries incompatible with most of the packages that are
248 not selected during the build process.
249
250 comment "Hardening build options"
251
252 config PKG_CHECK_FORMAT_SECURITY
253 bool
254 prompt "Enable gcc format-security"
255 default y
256 help
257 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
258 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
259 Makefile.
260
261 choice
262 prompt "User space ASLR PIE compilation"
263 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
264 default PKG_ASLR_PIE_REGULAR
265 help
266 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
267 This enables package build as Position Independent Executables (PIE)
268 to protect against "return-to-text" attacks. This belongs to the
269 feature of Address Space Layout Randomisation (ASLR), which is
270 implemented by the kernel and the ELF loader by randomising the
271 location of memory allocations. This makes memory addresses harder
272 to predict when an attacker is attempting a memory-corruption exploit.
273 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
274 Makefile.
275 Be ware that ASLR increases the binary size.
276 config PKG_ASLR_PIE_NONE
277 bool "None"
278 help
279 PIE is deactivated for all applications
280 config PKG_ASLR_PIE_REGULAR
281 bool "Regular"
282 help
283 PIE is activated for some binaries, mostly network exposed applications
284 config PKG_ASLR_PIE_ALL
285 bool "All"
286 select BUSYBOX_DEFAULT_PIE
287 help
288 PIE is activated for all applications
289 endchoice
290
291 choice
292 prompt "User space Stack-Smashing Protection"
293 default PKG_CC_STACKPROTECTOR_REGULAR
294 help
295 Enable GCC Stack Smashing Protection (SSP) for userspace applications
296 config PKG_CC_STACKPROTECTOR_NONE
297 bool "None"
298 config PKG_CC_STACKPROTECTOR_REGULAR
299 bool "Regular"
300 config PKG_CC_STACKPROTECTOR_STRONG
301 bool "Strong"
302 config PKG_CC_STACKPROTECTOR_ALL
303 bool "All"
304 endchoice
305
306 choice
307 prompt "Kernel space Stack-Smashing Protection"
308 default KERNEL_CC_STACKPROTECTOR_REGULAR
309 help
310 Enable GCC Stack-Smashing Protection (SSP) for the kernel
311 config KERNEL_CC_STACKPROTECTOR_NONE
312 bool "None"
313 config KERNEL_CC_STACKPROTECTOR_REGULAR
314 bool "Regular"
315 config KERNEL_CC_STACKPROTECTOR_STRONG
316 bool "Strong"
317 endchoice
318
319 config KERNEL_STACKPROTECTOR
320 bool
321 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
322
323 config KERNEL_STACKPROTECTOR_STRONG
324 bool
325 default KERNEL_CC_STACKPROTECTOR_STRONG
326
327 choice
328 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
329 default PKG_FORTIFY_SOURCE_1
330 help
331 Enable the _FORTIFY_SOURCE macro which introduces additional
332 checks to detect buffer-overflows in the following standard library
333 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
334 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
335 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
336 checks that shouldn't change the behavior of conforming programs,
337 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
338 added, but some conforming programs might fail.
339 config PKG_FORTIFY_SOURCE_NONE
340 bool "None"
341 config PKG_FORTIFY_SOURCE_1
342 bool "Conservative"
343 config PKG_FORTIFY_SOURCE_2
344 bool "Aggressive"
345 endchoice
346
347 choice
348 prompt "Enable RELRO protection"
349 default PKG_RELRO_FULL
350 help
351 Enable a link-time protection known as RELRO (Relocation Read Only)
352 which helps to protect from certain type of exploitation techniques
353 altering the content of some ELF sections. "Partial" RELRO makes the
354 .dynamic section not writeable after initialization, introducing
355 almost no performance penalty, while "full" RELRO also marks the GOT
356 as read-only at the cost of initializing all of it at startup.
357 config PKG_RELRO_NONE
358 bool "None"
359 config PKG_RELRO_PARTIAL
360 bool "Partial"
361 config PKG_RELRO_FULL
362 bool "Full"
363 endchoice
364
365 config TARGET_ROOTFS_SECURITY_LABELS
366 bool
367 select KERNEL_SQUASHFS_XATTR
368 select KERNEL_EXT4_FS_SECURITY
369 select KERNEL_F2FS_FS_SECURITY
370 select KERNEL_UBIFS_FS_SECURITY
371 select KERNEL_JFFS2_FS_SECURITY
372
373 config SELINUX
374 bool "Enable SELinux"
375 select KERNEL_SECURITY_SELINUX
376 select TARGET_ROOTFS_SECURITY_LABELS
377 select PACKAGE_procd-selinux
378 select PACKAGE_busybox-selinux
379 help
380 This option enables SELinux kernel features, applies security labels
381 in squashfs rootfs and selects the selinux-variants of busybox and procd.
382
383 Selecting this option results in about 0.5MiB of additional flash space
384 usage accounting for increased kernel and rootfs size.
385
386 choice
387 prompt "default SELinux type"
388 depends on TARGET_ROOTFS_SECURITY_LABELS
389 default SELINUXTYPE_dssp
390 help
391 Select SELinux policy to be installed and used for applying rootfs labels.
392
393 config SELINUXTYPE_targeted
394 bool "targeted"
395 select PACKAGE_refpolicy
396 help
397 SELinux Reference Policy (refpolicy)
398
399 config SELINUXTYPE_dssp
400 bool "dssp"
401 select PACKAGE_selinux-policy
402 help
403 Defensec SELinux Security Policy -- OpenWrt edition
404
405 endchoice
406
407 config SECCOMP
408 bool "Enable SECCOMP"
409 select KERNEL_SECCOMP
410 select PACKAGE_procd-seccomp
411 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
412 depends on !TARGET_uml
413 default y
414 help
415 This option enables seccomp kernel features to safely
416 execute untrusted bytecode and selects the seccomp-variants
417 of procd
418
419 endmenu
Staging tree of Piotr Dymacz