projects / openwrt / openwrt.git / blob
? search:


b42fb8bc11c4d4d8010025fe0deb6432791aabdf
[openwrt/openwrt.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 help
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
15 firmware.
16
17 If you plan to use this build in production, say NO!
18
19 menu "Global build settings"
20
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
23 default y
24 help
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
27 and resulting images.
28
29 config JSON_CYCLONEDX_SBOM
30 bool "Create CycloneDX SBOM JSON"
31 default BUILDBOT
32 help
33 Create a JSON files *.bom.cdx.json in the build
34 directory containing Software Bill Of Materials in CycloneDX
35 format.
36
37 config ALL_NONSHARED
38 bool "Select all target specific packages by default"
39 select ALL_KMODS
40 default BUILDBOT
41
42 config ALL_KMODS
43 bool "Select all kernel module packages by default"
44
45 config ALL
46 bool "Select all userspace packages by default"
47 select ALL_KMODS
48 select ALL_NONSHARED
49
50 config BUILDBOT
51 bool "Set build defaults for automatic builds (e.g. via buildbot)"
52 help
53 This option changes several defaults to be more suitable for
54 automatic builds. This includes the following changes:
55 - Deleting build directories after compiling (to save space)
56 - Enabling per-device rootfs support
57 ...
58
59 config SIGNED_PACKAGES
60 bool "Cryptographically signed package lists"
61 default y
62
63 config SIGNATURE_CHECK
64 bool "Enable signature checking in opkg"
65 default SIGNED_PACKAGES
66
67 config DOWNLOAD_CHECK_CERTIFICATE
68 bool "Enable TLS certificate verification during package download"
69 default y
70
71 config USE_APK
72 imply PACKAGE_apk-mbedtls
73 bool "Use APK instead of OPKG to build distribution"
74 default y
75
76 comment "General build options"
77
78 config TESTING_KERNEL
79 bool "Use the testing kernel version"
80 depends on HAS_TESTING_KERNEL
81 default EXPERIMENTAL
82 help
83 If the target supports a newer kernel version than the default,
84 you can use this config option to enable it
85
86
87 config DISPLAY_SUPPORT
88 bool "Show packages that require graphics support (local or remote)"
89
90 config BUILD_PATENTED
91 bool "Compile with support for patented functionality"
92 help
93 When this option is disabled, software which provides patented functionality
94 will not be built. In case software provides optional support for patented
95 functionality, this optional support will get disabled for this package.
96
97 config BUILD_NLS
98 bool "Compile with full language support"
99 help
100 When this option is enabled, packages are built with the full versions of
101 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
102 used, it is also built with locale support.
103
104 config SHADOW_PASSWORDS
105 bool
106 default y
107
108 config CLEAN_IPKG
109 bool
110 prompt "Remove ipkg/opkg status data files in final images"
111 depends on !USE_APK
112 help
113 This removes all ipkg/opkg status data files from the target directory
114 before building the root filesystem.
115
116 config IPK_FILES_CHECKSUMS
117 bool
118 prompt "Record files checksums in package metadata"
119 depends on !USE_APK
120 help
121 This makes file checksums part of package metadata. It increases size
122 but provides you with pkg_check command to check for flash corruptions.
123
124 config INCLUDE_CONFIG
125 bool "Include build configuration in firmware" if DEVEL
126 help
127 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
128
129 config REPRODUCIBLE_DEBUG_INFO
130 bool "Make debug information reproducible"
131 default BUILDBOT
132 help
133 This strips the local build path out of debug information. This has the
134 advantage of making it reproducible, but the disadvantage of making local
135 debugging using ./scripts/remote-gdb harder, since the debug data will
136 no longer point to the full path on the build host.
137
138 config COLLECT_KERNEL_DEBUG
139 bool
140 prompt "Collect kernel debug information"
141 select KERNEL_DEBUG_INFO
142 default BUILDBOT
143 help
144 This collects debugging symbols from the kernel and all compiled modules.
145 Useful for release builds, so that kernel issues can be debugged offline
146 later.
147
148 menu "Kernel build options"
149
150 source "config/Config-kernel.in"
151
152 endmenu
153
154 comment "Package build options"
155
156 config DEBUG
157 bool
158 prompt "Compile packages with debugging info"
159 help
160 Adds -g3 to the CFLAGS.
161
162 config USE_GC_SECTIONS
163 bool
164 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
165 help
166 Places functions and data items into its own sections to use the linker's
167 garbage collection capabilites.
168 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
169
170 config USE_LTO
171 bool
172 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
173 help
174 Adds LTO flags to the CFLAGS and LDFLAGS.
175 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
176
177 config MOLD
178 depends on (aarch64 || arm || i386 || i686 || loongarch64 || m68k || powerpc || powerpc64 || riscv64 || sh4 || x86_64)
179 depends on !HOST_OS_MACOS
180 def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
181
182 config USE_MOLD
183 bool
184 prompt "Use the mold linker for all packages"
185 depends on MOLD
186 help
187 Link packages with mold, a modern linker
188 Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
189
190 config IPV6
191 def_bool y
192
193 comment "Stripping options"
194
195 choice
196 prompt "Binary stripping method"
197 default USE_STRIP if USE_GLIBC
198 default USE_SSTRIP
199 help
200 Select the binary stripping method you wish to use.
201
202 config NO_STRIP
203 bool "none"
204 help
205 This will install unstripped binaries (useful for native
206 compiling/debugging).
207
208 config USE_STRIP
209 bool "strip"
210 help
211 This will install binaries stripped using strip from binutils.
212
213 config USE_SSTRIP
214 bool "sstrip"
215 depends on !USE_GLIBC
216 help
217 This will install binaries stripped using sstrip.
218 endchoice
219
220 config STRIP_ARGS
221 string
222 prompt "Strip arguments"
223 depends on USE_STRIP
224 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
225 default "--strip-all"
226 help
227 Specifies arguments passed to the strip command when stripping binaries.
228
229 config SSTRIP_DISCARD_TRAILING_ZEROES
230 bool "Strip trailing zero bytes"
231 depends on USE_SSTRIP && !USE_MOLD
232 default y
233 help
234 Use sstrip's -z option to discard trailing zero bytes
235
236 config STRIP_KERNEL_EXPORTS
237 bool "Strip unnecessary exports from the kernel image"
238 depends on BROKEN
239 help
240 Reduces kernel size by stripping unused kernel exports from the kernel
241 image. Note that this might make the kernel incompatible with any kernel
242 modules that were not selected at the time the kernel image was created.
243
244 config USE_MKLIBS
245 bool "Strip unnecessary functions from libraries"
246 help
247 Reduces libraries to only those functions that are necessary for using all
248 selected packages (including those selected as <M>). Note that this will
249 make the system libraries incompatible with most of the packages that are
250 not selected during the build process.
251
252 comment "Hardening build options"
253
254 config PKG_FANALYZER
255 bool
256 prompt "Enable gcc fanalyzer"
257 default n
258 help
259 Add -fanalyzer to the CFLAGS. As a result of this option, a static analysis
260 of the program flow is conducted, allowing interprocedural paths to be
261 identified and warnings to be issued if problems are identified.
262
263 config PKG_CHECK_FORMAT_SECURITY
264 bool
265 prompt "Enable gcc format-security"
266 default y
267 help
268 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
269 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
270 Makefile.
271
272 choice
273 prompt "User space ASLR PIE compilation"
274 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
275 default PKG_ASLR_PIE_REGULAR
276 help
277 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
278 This enables package build as Position Independent Executables (PIE)
279 to protect against "return-to-text" attacks. This belongs to the
280 feature of Address Space Layout Randomisation (ASLR), which is
281 implemented by the kernel and the ELF loader by randomising the
282 location of memory allocations. This makes memory addresses harder
283 to predict when an attacker is attempting a memory-corruption exploit.
284 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
285 Makefile.
286 Be ware that ASLR increases the binary size.
287 config PKG_ASLR_PIE_NONE
288 bool "None"
289 help
290 PIE is deactivated for all applications
291 config PKG_ASLR_PIE_REGULAR
292 bool "Regular"
293 help
294 PIE is activated for some binaries, mostly network exposed applications
295 config PKG_ASLR_PIE_ALL
296 bool "All"
297 select BUSYBOX_DEFAULT_PIE
298 help
299 PIE is activated for all applications
300 endchoice
301
302 choice
303 prompt "User space Stack-Smashing Protection"
304 default PKG_CC_STACKPROTECTOR_REGULAR
305 help
306 Enable GCC Stack Smashing Protection (SSP) for userspace applications
307 config PKG_CC_STACKPROTECTOR_NONE
308 bool "None"
309 help
310 No stack smashing protection.
311 config PKG_CC_STACKPROTECTOR_REGULAR
312 bool "Regular"
313 help
314 Protects functions with vulnerable objects.
315 This includes functions with buffers larger than 8 bytes or calls to alloca.
316 config PKG_CC_STACKPROTECTOR_STRONG
317 bool "Strong"
318 help
319 Like Regular, but also protects functions with
320 local arrays or references to local frame addresses.
321 config PKG_CC_STACKPROTECTOR_ALL
322 bool "All"
323 help
324 Protects all functions.
325 endchoice
326
327 choice
328 prompt "Kernel space Stack-Smashing Protection"
329 default KERNEL_CC_STACKPROTECTOR_REGULAR
330 help
331 Enable GCC Stack-Smashing Protection (SSP) for the kernel
332 config KERNEL_CC_STACKPROTECTOR_NONE
333 bool "None"
334 help
335 No stack smashing protection.
336 config KERNEL_CC_STACKPROTECTOR_REGULAR
337 bool "Regular"
338 help
339 Protects functions with vulnerable objects.
340 This includes functions with buffers larger than 8 bytes or calls to alloca.
341 config KERNEL_CC_STACKPROTECTOR_STRONG
342 bool "Strong"
343 help
344 Like Regular, but also protects functions with
345 local arrays or references to local frame addresses.
346 endchoice
347
348 config KERNEL_STACKPROTECTOR
349 bool
350 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
351
352 config KERNEL_STACKPROTECTOR_STRONG
353 bool
354 default KERNEL_CC_STACKPROTECTOR_STRONG
355
356 choice
357 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
358 default PKG_FORTIFY_SOURCE_1
359 help
360 Enable the _FORTIFY_SOURCE macro which introduces additional
361 checks to detect buffer-overflows in the following standard library
362 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
363 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
364 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
365 checks that shouldn't change the behavior of conforming programs,
366 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
367 added, but some conforming programs might fail.
368 config PKG_FORTIFY_SOURCE_NONE
369 bool "None"
370 config PKG_FORTIFY_SOURCE_1
371 bool "Conservative Level 1"
372 config PKG_FORTIFY_SOURCE_2
373 bool "Aggressive Level 2"
374 config PKG_FORTIFY_SOURCE_3
375 bool "Aggressive Level 3"
376 endchoice
377
378 choice
379 prompt "Enable RELRO protection"
380 default PKG_RELRO_FULL
381 help
382 Enable a link-time protection known as RELRO (Relocation Read Only)
383 which helps to protect from certain type of exploitation techniques
384 altering the content of some ELF sections. "Partial" RELRO makes the
385 .dynamic section not writeable after initialization, introducing
386 almost no performance penalty, while "full" RELRO also marks the GOT
387 as read-only at the cost of initializing all of it at startup.
388 config PKG_RELRO_NONE
389 bool "None"
390 config PKG_RELRO_PARTIAL
391 bool "Partial"
392 config PKG_RELRO_FULL
393 bool "Full"
394 endchoice
395
396 config PKG_DT_RELR
397 bool "Link with relative relocations (RELR)"
398 depends on (aarch64 || i386 || loongarch64 || x86_64)
399 default y
400 help
401 Link all applications with -Wl,-z,pack-relative-relocs.
402 This will reduce the size of many applications.
403 This is only supported on a limited number of architectures.
404
405 config TARGET_ROOTFS_SECURITY_LABELS
406 bool
407 select KERNEL_SQUASHFS_XATTR
408 select KERNEL_EROFS_FS_SECURITY
409 select KERNEL_EXT4_FS_SECURITY
410 select KERNEL_F2FS_FS_SECURITY
411 select KERNEL_UBIFS_FS_SECURITY
412 select KERNEL_JFFS2_FS_SECURITY
413
414 config SELINUX
415 bool "Enable SELinux"
416 select KERNEL_SECURITY_SELINUX
417 select TARGET_ROOTFS_SECURITY_LABELS
418 select PACKAGE_procd-selinux
419 select PACKAGE_busybox-selinux
420 help
421 This option enables SELinux kernel features, applies security labels
422 in squashfs rootfs and selects the selinux-variants of busybox and procd.
423
424 Selecting this option results in about 0.5MiB of additional flash space
425 usage accounting for increased kernel and rootfs size.
426
427 choice
428 prompt "default SELinux type"
429 depends on TARGET_ROOTFS_SECURITY_LABELS
430 default SELINUXTYPE_dssp
431 help
432 Select SELinux policy to be installed and used for applying rootfs labels.
433
434 config SELINUXTYPE_targeted
435 bool "targeted"
436 select PACKAGE_refpolicy
437 help
438 SELinux Reference Policy (refpolicy)
439
440 config SELINUXTYPE_dssp
441 bool "dssp"
442 select PACKAGE_selinux-policy
443 help
444 Defensec SELinux Security Policy -- OpenWrt edition
445
446 endchoice
447
448 config USE_SECCOMP
449 bool "Enable SECCOMP"
450 select KERNEL_SECCOMP
451 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || loongarch64 || powerpc || x86_64)
452 depends on !TARGET_uml
453 default y
454 help
455 This option enables seccomp kernel features to safely
456 execute untrusted bytecode and selects the seccomp-variants
457 of procd
458
459 endmenu
OpenWrt Source Repository