# Copyright (C) 2006-2013 OpenWrt.org
+# Copyright (C) 2016 LEDE Project
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
menu "Global build settings"
+ config ALL_NONSHARED
+ bool "Select all target specific packages by default"
+ select ALL_KMODS
+ default BUILDBOT
+
+ config ALL_KMODS
+ bool "Select all kernel module packages by default"
+
config ALL
- bool "Select all packages by default"
+ bool "Select all userspace packages by default"
+ select ALL_KMODS
+ select ALL_NONSHARED
+
+ config BUILDBOT
+ bool "Set build defaults for automatic builds (e.g. via buildbot)"
default n
+ help
+ This option changes several defaults to be more suitable for
+ automatic builds. This includes the following changes:
+ - Deleting build directories after compiling (to save space)
+ - Enabling per-device rootfs support
+ ...
+
+ config SIGNED_PACKAGES
+ bool "Cryptographically signed package lists"
+ default y
comment "General build options"
default n
config BUILD_PATENTED
- default y
+ default n
bool "Compile with support for patented functionality"
help
When this option is disabled, software which provides patented functionality
config SHADOW_PASSWORDS
bool
- prompt "Enable shadow password support"
default y
- help
- Enable shadow password support.
config CLEAN_IPKG
bool
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
+ config INCLUDE_CONFIG
+ bool "Include build configuration in firmware" if DEVEL
+ default n
+ help
+ If enabled, config.seed will be stored in /etc/build.config of firmware.
+
config COLLECT_KERNEL_DEBUG
bool
prompt "Collect kernel debug information"
select KERNEL_DEBUG_INFO
- default n
+ default BUILDBOT
help
This collects debugging symbols from the kernel and all compiled modules.
Useful for release builds, so that kernel issues can be debugged offline
later.
- comment "Kernel build options"
+ menu "Kernel build options"
source "config/Config-kernel.in"
+ endmenu
+
comment "Package build options"
config DEBUG
prompt "Enable IPv6 support in packages"
default y
help
- Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts).
-
- config PKG_BUILD_PARALLEL
- bool
- prompt "Compile certain packages parallelized"
- default y
- help
- This adds a -jX option to certain packages that are known to behave well
- for parallel build. By default, the package make processes use the main
- jobserver, in which case this option only takes effect when you add -jX
- to the make command.
-
- If you are unsure, select N.
-
- config PKG_BUILD_USE_JOBSERVER
- bool
- prompt "Use top-level make jobserver for packages"
- depends on PKG_BUILD_PARALLEL
- default y
- help
- This passes the main make process jobserver fds to package builds,
- enabling full parallelization across different packages.
-
- Note that disabling this may overcommit CPU resources depending on the
- -j level of the main make process, the number of package submake jobs
- selected below and the number of actual CPUs present.
- Example: If the main make is passed a -j4 and the submake -j
- is also set to 4, we may end up with 16 parallel make processes
- in the worst case.
-
- config PKG_BUILD_JOBS
- int
- prompt "Number of package submake jobs (2-512)"
- range 2 512
- default 2
- depends on PKG_BUILD_PARALLEL && !PKG_BUILD_USE_JOBSERVER
- help
- The number of jobs (-jX) to pass to packages submake.
-
- config PKG_DEFAULT_PARALLEL
- bool
- prompt "Parallelize the default package build rule (May break build)"
- depends on PKG_BUILD_PARALLEL
- depends on BROKEN
- default n
- help
- Always set the default package build rules to parallel build.
-
- WARNING: This may break build or kill your cat, as it builds packages
- with multiple jobs that are probably not tested in a parallel build
- environment.
-
- Only say Y if you don't mind fixing broken packages. Before reporting
- build bugs, set this to N and re-run the build.
+ Enables IPv6 support in kernel (builtin) and packages.
comment "Stripping options"
choice
prompt "Binary stripping method"
default USE_STRIP if EXTERNAL_TOOLCHAIN
- default USE_STRIP if USE_GLIBC || USE_MUSL
+ default USE_STRIP if USE_GLIBC
default USE_SSTRIP
help
Select the binary stripping method you wish to use.
bool "none"
help
This will install unstripped binaries (useful for native
- compiling/debugging).
+ compiling/debugging).
config USE_STRIP
bool "strip"
config USE_SSTRIP
bool "sstrip"
- depends on !DEBUG
depends on !USE_GLIBC
help
This will install binaries stripped using sstrip.
config PKG_CHECK_FORMAT_SECURITY
bool
prompt "Enable gcc format-security"
- default n
+ default y
help
Add -Wformat -Werror=format-security to the CFLAGS. You can disable
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
+ config PKG_ASLR_PIE
+ bool
+ prompt "User space ASLR PIE compilation"
+ select BUSYBOX_DEFAULT_PIE
+ default n
+ help
+ Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+ This enables package build as Position Independent Executables (PIE)
+ to protect against "return-to-text" attacks. This belongs to the
+ feature of Address Space Layout Randomisation (ASLR), which is
+ implemented by the kernel and the ELF loader by randomising the
+ location of memory allocations. This makes memory addresses harder
+ to predict when an attacker is attempting a memory-corruption exploit.
+ You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+ Makefile.
+
choice
prompt "User space Stack-Smashing Protection"
- default PKG_CC_STACKPROTECTOR_NONE
+ depends on USE_MUSL
+ default PKG_CC_STACKPROTECTOR_REGULAR
help
Enable GCC Stack Smashing Protection (SSP) for userspace applications
config PKG_CC_STACKPROTECTOR_NONE
bool "None"
config PKG_CC_STACKPROTECTOR_REGULAR
bool "Regular"
- select SSP_SUPPORT
+ select GCC_LIBSSP if !USE_MUSL
depends on KERNEL_CC_STACKPROTECTOR_REGULAR
config PKG_CC_STACKPROTECTOR_STRONG
bool "Strong"
- select SSP_SUPPORT
- depends on GCC_VERSION_4_9_LINARO
+ select GCC_LIBSSP if !USE_MUSL
+ depends on !GCC_VERSION_4_8
depends on KERNEL_CC_STACKPROTECTOR_STRONG
endchoice
choice
prompt "Kernel space Stack-Smashing Protection"
- default KERNEL_CC_STACKPROTECTOR_NONE
+ default KERNEL_CC_STACKPROTECTOR_REGULAR
+ depends on USE_MUSL || !(x86_64 || i386)
help
Enable GCC Stack-Smashing Protection (SSP) for the kernel
config KERNEL_CC_STACKPROTECTOR_NONE
config KERNEL_CC_STACKPROTECTOR_REGULAR
bool "Regular"
config KERNEL_CC_STACKPROTECTOR_STRONG
- depends on GCC_VERSION_4_9_LINARO
+ depends on !GCC_VERSION_4_8
bool "Strong"
endchoice
choice
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
+ default PKG_FORTIFY_SOURCE_1
help
Enable the _FORTIFY_SOURCE macro which introduces additional
checks to detect buffer-overflows in the following standard library
choice
prompt "Enable RELRO protection"
+ default PKG_RELRO_FULL
help
Enable a link-time protection known as RELRO (Relocation Read Only)
which helps to protect from certain type of exploitation techniques