projects / openwrt / openwrt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
config: build: dont allow STRIP_KERNEL_EXPORTS on kernel 6.6
[openwrt/openwrt.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 help
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
15 firmware.
16
17 If you plan to use this build in production, say NO!
18
19 menu "Global build settings"
20
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
23 default y
24 help
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
27 and resulting images.
28
29 config JSON_CYCLONEDX_SBOM
30 bool "Create CycloneDX SBOM JSON"
31 default BUILDBOT
32 help
33 Create a JSON files *.bom.cdx.json in the build
34 directory containing Software Bill Of Materials in CycloneDX
35 format.
36
37 config ALL_NONSHARED
38 bool "Select all target specific packages by default"
39 select ALL_KMODS
40 default BUILDBOT
41
42 config ALL_KMODS
43 bool "Select all kernel module packages by default"
44
45 config ALL
46 bool "Select all userspace packages by default"
47 select ALL_KMODS
48 select ALL_NONSHARED
49
50 config BUILDBOT
51 bool "Set build defaults for automatic builds (e.g. via buildbot)"
52 help
53 This option changes several defaults to be more suitable for
54 automatic builds. This includes the following changes:
55 - Deleting build directories after compiling (to save space)
56 - Enabling per-device rootfs support
57 ...
58
59 config SIGNED_PACKAGES
60 bool "Cryptographically signed package lists"
61 default y
62
63 config SIGNATURE_CHECK
64 bool "Enable signature checking in opkg"
65 default SIGNED_PACKAGES
66
67 config DOWNLOAD_CHECK_CERTIFICATE
68 bool "Enable TLS certificate verification during package download"
69 default y
70
71 comment "General build options"
72
73 config TESTING_KERNEL
74 bool "Use the testing kernel version"
75 depends on HAS_TESTING_KERNEL
76 default EXPERIMENTAL
77 help
78 If the target supports a newer kernel version than the default,
79 you can use this config option to enable it
80
81
82 config DISPLAY_SUPPORT
83 bool "Show packages that require graphics support (local or remote)"
84
85 config BUILD_PATENTED
86 bool "Compile with support for patented functionality"
87 help
88 When this option is disabled, software which provides patented functionality
89 will not be built. In case software provides optional support for patented
90 functionality, this optional support will get disabled for this package.
91
92 config BUILD_NLS
93 bool "Compile with full language support"
94 help
95 When this option is enabled, packages are built with the full versions of
96 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
97 used, it is also built with locale support.
98
99 config SHADOW_PASSWORDS
100 bool
101 default y
102
103 config CLEAN_IPKG
104 bool
105 prompt "Remove ipkg/opkg status data files in final images"
106 help
107 This removes all ipkg/opkg status data files from the target directory
108 before building the root filesystem.
109
110 config IPK_FILES_CHECKSUMS
111 bool
112 prompt "Record files checksums in package metadata"
113 help
114 This makes file checksums part of package metadata. It increases size
115 but provides you with pkg_check command to check for flash corruptions.
116
117 config INCLUDE_CONFIG
118 bool "Include build configuration in firmware" if DEVEL
119 help
120 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
121
122 config REPRODUCIBLE_DEBUG_INFO
123 bool "Make debug information reproducible"
124 default BUILDBOT
125 help
126 This strips the local build path out of debug information. This has the
127 advantage of making it reproducible, but the disadvantage of making local
128 debugging using ./scripts/remote-gdb harder, since the debug data will
129 no longer point to the full path on the build host.
130
131 config COLLECT_KERNEL_DEBUG
132 bool
133 prompt "Collect kernel debug information"
134 select KERNEL_DEBUG_INFO
135 default BUILDBOT
136 help
137 This collects debugging symbols from the kernel and all compiled modules.
138 Useful for release builds, so that kernel issues can be debugged offline
139 later.
140
141 menu "Kernel build options"
142
143 source "config/Config-kernel.in"
144
145 endmenu
146
147 comment "Package build options"
148
149 config DEBUG
150 bool
151 prompt "Compile packages with debugging info"
152 help
153 Adds -g3 to the CFLAGS.
154
155 config USE_GC_SECTIONS
156 bool
157 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
158 help
159 Places functions and data items into its own sections to use the linker's
160 garbage collection capabilites.
161 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
162
163 config USE_LTO
164 bool
165 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
166 help
167 Adds LTO flags to the CFLAGS and LDFLAGS.
168 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
169
170 config MOLD
171 depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
172 depends on !GCC_USE_VERSION_11
173 def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
174
175 config USE_MOLD
176 bool
177 prompt "Use the mold linker for all packages"
178 depends on MOLD
179 help
180 Link packages with mold, a modern linker
181 Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
182
183 config IPV6
184 def_bool y
185
186 comment "Stripping options"
187
188 choice
189 prompt "Binary stripping method"
190 default USE_STRIP if USE_GLIBC
191 default USE_SSTRIP
192 help
193 Select the binary stripping method you wish to use.
194
195 config NO_STRIP
196 bool "none"
197 help
198 This will install unstripped binaries (useful for native
199 compiling/debugging).
200
201 config USE_STRIP
202 bool "strip"
203 help
204 This will install binaries stripped using strip from binutils.
205
206 config USE_SSTRIP
207 bool "sstrip"
208 depends on !USE_GLIBC
209 help
210 This will install binaries stripped using sstrip.
211 endchoice
212
213 config STRIP_ARGS
214 string
215 prompt "Strip arguments"
216 depends on USE_STRIP
217 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
218 default "--strip-all"
219 help
220 Specifies arguments passed to the strip command when stripping binaries.
221
222 config SSTRIP_DISCARD_TRAILING_ZEROES
223 bool "Strip trailing zero bytes"
224 depends on USE_SSTRIP && !USE_MOLD
225 default y
226 help
227 Use sstrip's -z option to discard trailing zero bytes
228
229 config STRIP_KERNEL_EXPORTS
230 bool "Strip unnecessary exports from the kernel image"
231 depends on !LINUX_6_6
232 help
233 Reduces kernel size by stripping unused kernel exports from the kernel
234 image. Note that this might make the kernel incompatible with any kernel
235 modules that were not selected at the time the kernel image was created.
236
237 config USE_MKLIBS
238 bool "Strip unnecessary functions from libraries"
239 help
240 Reduces libraries to only those functions that are necessary for using all
241 selected packages (including those selected as <M>). Note that this will
242 make the system libraries incompatible with most of the packages that are
243 not selected during the build process.
244
245 comment "Hardening build options"
246
247 config PKG_CHECK_FORMAT_SECURITY
248 bool
249 prompt "Enable gcc format-security"
250 default y
251 help
252 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
253 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
254 Makefile.
255
256 choice
257 prompt "User space ASLR PIE compilation"
258 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
259 default PKG_ASLR_PIE_REGULAR
260 help
261 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
262 This enables package build as Position Independent Executables (PIE)
263 to protect against "return-to-text" attacks. This belongs to the
264 feature of Address Space Layout Randomisation (ASLR), which is
265 implemented by the kernel and the ELF loader by randomising the
266 location of memory allocations. This makes memory addresses harder
267 to predict when an attacker is attempting a memory-corruption exploit.
268 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
269 Makefile.
270 Be ware that ASLR increases the binary size.
271 config PKG_ASLR_PIE_NONE
272 bool "None"
273 help
274 PIE is deactivated for all applications
275 config PKG_ASLR_PIE_REGULAR
276 bool "Regular"
277 help
278 PIE is activated for some binaries, mostly network exposed applications
279 config PKG_ASLR_PIE_ALL
280 bool "All"
281 select BUSYBOX_DEFAULT_PIE
282 help
283 PIE is activated for all applications
284 endchoice
285
286 choice
287 prompt "User space Stack-Smashing Protection"
288 default PKG_CC_STACKPROTECTOR_REGULAR
289 help
290 Enable GCC Stack Smashing Protection (SSP) for userspace applications
291 config PKG_CC_STACKPROTECTOR_NONE
292 bool "None"
293 config PKG_CC_STACKPROTECTOR_REGULAR
294 bool "Regular"
295 config PKG_CC_STACKPROTECTOR_STRONG
296 bool "Strong"
297 config PKG_CC_STACKPROTECTOR_ALL
298 bool "All"
299 endchoice
300
301 choice
302 prompt "Kernel space Stack-Smashing Protection"
303 default KERNEL_CC_STACKPROTECTOR_REGULAR
304 help
305 Enable GCC Stack-Smashing Protection (SSP) for the kernel
306 config KERNEL_CC_STACKPROTECTOR_NONE
307 bool "None"
308 config KERNEL_CC_STACKPROTECTOR_REGULAR
309 bool "Regular"
310 config KERNEL_CC_STACKPROTECTOR_STRONG
311 bool "Strong"
312 endchoice
313
314 config KERNEL_STACKPROTECTOR
315 bool
316 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
317
318 config KERNEL_STACKPROTECTOR_STRONG
319 bool
320 default KERNEL_CC_STACKPROTECTOR_STRONG
321
322 choice
323 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
324 default PKG_FORTIFY_SOURCE_1
325 help
326 Enable the _FORTIFY_SOURCE macro which introduces additional
327 checks to detect buffer-overflows in the following standard library
328 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
329 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
330 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
331 checks that shouldn't change the behavior of conforming programs,
332 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
333 added, but some conforming programs might fail.
334 config PKG_FORTIFY_SOURCE_NONE
335 bool "None"
336 config PKG_FORTIFY_SOURCE_1
337 bool "Conservative"
338 config PKG_FORTIFY_SOURCE_2
339 bool "Aggressive"
340 endchoice
341
342 choice
343 prompt "Enable RELRO protection"
344 default PKG_RELRO_FULL
345 help
346 Enable a link-time protection known as RELRO (Relocation Read Only)
347 which helps to protect from certain type of exploitation techniques
348 altering the content of some ELF sections. "Partial" RELRO makes the
349 .dynamic section not writeable after initialization, introducing
350 almost no performance penalty, while "full" RELRO also marks the GOT
351 as read-only at the cost of initializing all of it at startup.
352 config PKG_RELRO_NONE
353 bool "None"
354 config PKG_RELRO_PARTIAL
355 bool "Partial"
356 config PKG_RELRO_FULL
357 bool "Full"
358 endchoice
359
360 config TARGET_ROOTFS_SECURITY_LABELS
361 bool
362 select KERNEL_SQUASHFS_XATTR
363 select KERNEL_EXT4_FS_SECURITY
364 select KERNEL_F2FS_FS_SECURITY
365 select KERNEL_UBIFS_FS_SECURITY
366 select KERNEL_JFFS2_FS_SECURITY
367
368 config SELINUX
369 bool "Enable SELinux"
370 select KERNEL_SECURITY_SELINUX
371 select TARGET_ROOTFS_SECURITY_LABELS
372 select PACKAGE_procd-selinux
373 select PACKAGE_busybox-selinux
374 help
375 This option enables SELinux kernel features, applies security labels
376 in squashfs rootfs and selects the selinux-variants of busybox and procd.
377
378 Selecting this option results in about 0.5MiB of additional flash space
379 usage accounting for increased kernel and rootfs size.
380
381 choice
382 prompt "default SELinux type"
383 depends on TARGET_ROOTFS_SECURITY_LABELS
384 default SELINUXTYPE_dssp
385 help
386 Select SELinux policy to be installed and used for applying rootfs labels.
387
388 config SELINUXTYPE_targeted
389 bool "targeted"
390 select PACKAGE_refpolicy
391 help
392 SELinux Reference Policy (refpolicy)
393
394 config SELINUXTYPE_dssp
395 bool "dssp"
396 select PACKAGE_selinux-policy
397 help
398 Defensec SELinux Security Policy -- OpenWrt edition
399
400 endchoice
401
402 config SECCOMP
403 bool "Enable SECCOMP"
404 select KERNEL_SECCOMP
405 select PACKAGE_procd-seccomp
406 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
407 depends on !TARGET_uml
408 default y
409 help
410 This option enables seccomp kernel features to safely
411 execute untrusted bytecode and selects the seccomp-variants
412 of procd
413
414 endmenu
OpenWrt Source Repository