menu "Global build settings"
+ config ALL_KMODS
+ bool "Select all kernel module packages by default"
+ default ALL
+
config ALL
- bool "Select all packages by default"
+ bool "Select all userspace packages by default"
default n
+ config SIGNED_PACKAGES
+ bool "Cryptographically signed package lists"
+ default y
+
comment "General build options"
config DISPLAY_SUPPORT
iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
used, it is also built with locale support.
- config BUILD_STATIC_TOOLS
- default n
- bool "Attempt to link host utilities statically"
- help
- Linking host utilities like sed or firmware-utils statically increases the
- portability of the generated ImageBuilder and SDK tarballs; however, it may
- fail on some Linux distributions.
-
config SHADOW_PASSWORDS
bool
prompt "Enable shadow password support"
prompt "Enable IPv6 support in packages"
default y
help
- Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts).
+ Enables IPv6 support in kernel (builtin) and packages.
config PKG_BUILD_PARALLEL
bool
If you are unsure, select N.
- config PKG_CHECK_FORMAT_SECURITY
- bool
- prompt "Enable gcc format-security"
- default n
- help
- Add -Wformat -Werror=format-security to the CFLAGS. You can disable
- this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
- Makefile.
-
config PKG_BUILD_USE_JOBSERVER
bool
prompt "Use top-level make jobserver for packages"
choice
prompt "Binary stripping method"
default USE_STRIP if EXTERNAL_TOOLCHAIN
- default USE_STRIP if USE_GLIBC || USE_EGLIBC || USE_MUSL
+ default USE_STRIP if USE_GLIBC || USE_MUSL
default USE_SSTRIP
help
Select the binary stripping method you wish to use.
bool "sstrip"
depends on !DEBUG
depends on !USE_GLIBC
- depends on !USE_EGLIBC
help
This will install binaries stripped using sstrip.
endchoice
choice
prompt "Preferred standard C++ library"
- default USE_LIBSTDCXX if USE_EGLIBC
+ default USE_LIBSTDCXX if USE_GLIBC
default USE_UCLIBCXX
help
Select the preferred standard C++ library for all packages that support this.
bool "libstdc++"
endchoice
+ comment "Hardening build options"
+
+ config PKG_CHECK_FORMAT_SECURITY
+ bool
+ prompt "Enable gcc format-security"
+ default y
+ help
+ Add -Wformat -Werror=format-security to the CFLAGS. You can disable
+ this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
+ Makefile.
+
+ choice
+ prompt "User space Stack-Smashing Protection"
+ depends on USE_MUSL
+ default PKG_CC_STACKPROTECTOR_REGULAR
+ help
+ Enable GCC Stack Smashing Protection (SSP) for userspace applications
+ config PKG_CC_STACKPROTECTOR_NONE
+ bool "None"
+ config PKG_CC_STACKPROTECTOR_REGULAR
+ bool "Regular"
+ select SSP_SUPPORT if !USE_MUSL
+ depends on KERNEL_CC_STACKPROTECTOR_REGULAR
+ config PKG_CC_STACKPROTECTOR_STRONG
+ bool "Strong"
+ select SSP_SUPPORT if !USE_MUSL
+ depends on GCC_VERSION_5
+ depends on KERNEL_CC_STACKPROTECTOR_STRONG
+ endchoice
+
+ choice
+ prompt "Kernel space Stack-Smashing Protection"
+ default KERNEL_CC_STACKPROTECTOR_REGULAR
+ depends on USE_MUSL || !(x86_64 || i386)
+ help
+ Enable GCC Stack-Smashing Protection (SSP) for the kernel
+ config KERNEL_CC_STACKPROTECTOR_NONE
+ bool "None"
+ config KERNEL_CC_STACKPROTECTOR_REGULAR
+ bool "Regular"
+ config KERNEL_CC_STACKPROTECTOR_STRONG
+ depends on GCC_VERSION_5
+ bool "Strong"
+ endchoice
+
+ choice
+ prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
+ default PKG_FORTIFY_SOURCE_1
+ help
+ Enable the _FORTIFY_SOURCE macro which introduces additional
+ checks to detect buffer-overflows in the following standard library
+ functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
+ strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
+ gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
+ checks that shouldn't change the behavior of conforming programs,
+ while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
+ added, but some conforming programs might fail.
+ config PKG_FORTIFY_SOURCE_NONE
+ bool "None"
+ config PKG_FORTIFY_SOURCE_1
+ bool "Conservative"
+ config PKG_FORTIFY_SOURCE_2
+ bool "Aggressive"
+ endchoice
+
+ choice
+ prompt "Enable RELRO protection"
+ default PKG_RELRO_FULL
+ help
+ Enable a link-time protection known as RELRO (Relocation Read Only)
+ which helps to protect from certain type of exploitation techniques
+ altering the content of some ELF sections. "Partial" RELRO makes the
+ .dynamic section not writeable after initialization, introducing
+ almost no performance penalty, while "full" RELRO also marks the GOT
+ as read-only at the cost of initializing all of it at startup.
+ config PKG_RELRO_NONE
+ bool "None"
+ config PKG_RELRO_PARTIAL
+ bool "Partial"
+ config PKG_RELRO_FULL
+ bool "Full"
+ endchoice
+
endmenu