menu "Global build settings"
+ config JSON_ADD_IMAGE_INFO
+ bool "Create JSON info files per build image"
+ default BUILDBOT
+ help
+ The JSON info files contain information about the device and
+ build images, stored next to the firmware images.
+
config ALL_NONSHARED
bool "Select all target specific packages by default"
select ALL_KMODS
bool "Cryptographically signed package lists"
default y
+ config SIGNATURE_CHECK
+ bool "Enable signature checking in opkg"
+ default SIGNED_PACKAGES
+
comment "General build options"
+ config TESTING_KERNEL
+ bool "Use the testing kernel version"
+ depends on HAS_TESTING_KERNEL
+ default n
+ help
+ If the target supports a newer kernel version than the default,
+ you can use this config option to enable it
+
+
config DISPLAY_SUPPORT
bool "Show packages that require graphics support (local or remote)"
default n
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
+ config IPK_FILES_CHECKSUMS
+ bool
+ prompt "Record files checksums in package metadata"
+ default n
+ help
+ This makes file checksums part of package metadata. It increases size
+ but provides you with pkg_check command to check for flash coruptions.
+
config INCLUDE_CONFIG
bool "Include build configuration in firmware" if DEVEL
default n
help
- If enabled, config.seed will be stored in /etc/build.config of firmware.
+ If enabled, buildinfo files will be stored in /etc/build.* of firmware.
config COLLECT_KERNEL_DEBUG
bool
config USE_UCLIBCXX
bool "uClibc++"
+ config USE_LIBCXX
+ bool "libc++"
+ depends on !USE_UCLIBC
+
config USE_LIBSTDCXX
bool "libstdc++"
endchoice
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
- config PKG_ASLR_PIE
- bool
+ choice
prompt "User space ASLR PIE compilation"
- select BUSYBOX_DEFAULT_PIE
- default n
+ default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+ default PKG_ASLR_PIE_REGULAR
help
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This enables package build as Position Independent Executables (PIE)
to predict when an attacker is attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Makefile.
+ Be ware that ASLR increases the binary size.
+ config PKG_ASLR_PIE_NONE
+ bool "None"
+ help
+ PIE is deactivated for all applications
+ config PKG_ASLR_PIE_REGULAR
+ bool "Regular"
+ help
+ PIE is activated for some binaries, mostly network exposed applications
+ config PKG_ASLR_PIE_ALL
+ bool "All"
+ select BUSYBOX_DEFAULT_PIE
+ help
+ PIE is activated for all applications
+ endchoice
choice
prompt "User space Stack-Smashing Protection"
config PKG_CC_STACKPROTECTOR_STRONG
bool "Strong"
select GCC_LIBSSP if !USE_MUSL
- depends on !GCC_VERSION_4_8
depends on KERNEL_CC_STACKPROTECTOR_STRONG
endchoice
config KERNEL_CC_STACKPROTECTOR_REGULAR
bool "Regular"
config KERNEL_CC_STACKPROTECTOR_STRONG
- depends on !GCC_VERSION_4_8
bool "Strong"
endchoice
+ config KERNEL_STACKPROTECTOR
+ bool
+ default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
+
+ config KERNEL_STACKPROTECTOR_STRONG
+ bool
+ default KERNEL_CC_STACKPROTECTOR_STRONG
+
choice
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
default PKG_FORTIFY_SOURCE_1