+# SPDX-License-Identifier: GPL-2.0-only
+#
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
+
+config EXPERIMENTAL
+ bool "Enable experimental features by default"
+ help
+ Set this option to build with latest bleeding edge features
+ which may or may not work as expected.
+ If you would like to help the development of OpenWrt, you are
+ encouraged to set this option and provide feedback (both
+ positive and negative). But do so only if you know how to
+ recover your device in case of flashing potentially non-working
+ firmware.
+
+ If you plan to use this build in production, say NO!
menu "Global build settings"
+ config JSON_OVERVIEW_IMAGE_INFO
+ bool "Create JSON info file overview per target"
+ default y
+ help
+ Create a JSON info file called profiles.json in the target
+ directory containing machine readable list of built profiles
+ and resulting images.
+
+ config JSON_CYCLONEDX_SBOM
+ bool "Create CycloneDX SBOM JSON"
+ default BUILDBOT
+ help
+ Create a JSON files *.bom.cdx.json in the build
+ directory containing Software Bill Of Materials in CycloneDX
+ format.
+
config ALL_NONSHARED
bool "Select all target specific packages by default"
- default ALL || BUILDBOT
+ select ALL_KMODS
+ default BUILDBOT
config ALL_KMODS
bool "Select all kernel module packages by default"
- default ALL
config ALL
bool "Select all userspace packages by default"
- default n
+ select ALL_KMODS
+ select ALL_NONSHARED
config BUILDBOT
bool "Set build defaults for automatic builds (e.g. via buildbot)"
- default n
help
This option changes several defaults to be more suitable for
automatic builds. This includes the following changes:
bool "Cryptographically signed package lists"
default y
+ config SIGNATURE_CHECK
+ bool "Enable signature checking in opkg"
+ default SIGNED_PACKAGES
+
+ config DOWNLOAD_CHECK_CERTIFICATE
+ bool "Enable TLS certificate verification during package download"
+ default y
+
comment "General build options"
+ config TESTING_KERNEL
+ bool "Use the testing kernel version"
+ depends on HAS_TESTING_KERNEL
+ default EXPERIMENTAL
+ help
+ If the target supports a newer kernel version than the default,
+ you can use this config option to enable it
+
+
config DISPLAY_SUPPORT
bool "Show packages that require graphics support (local or remote)"
- default n
config BUILD_PATENTED
- default y
bool "Compile with support for patented functionality"
help
When this option is disabled, software which provides patented functionality
functionality, this optional support will get disabled for this package.
config BUILD_NLS
- default n
bool "Compile with full language support"
help
When this option is enabled, packages are built with the full versions of
config CLEAN_IPKG
bool
prompt "Remove ipkg/opkg status data files in final images"
- default n
help
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
+ config IPK_FILES_CHECKSUMS
+ bool
+ prompt "Record files checksums in package metadata"
+ help
+ This makes file checksums part of package metadata. It increases size
+ but provides you with pkg_check command to check for flash corruptions.
+
config INCLUDE_CONFIG
bool "Include build configuration in firmware" if DEVEL
- default n
help
- If enabled, config.seed will be stored in /etc/build.config of firmware.
+ If enabled, buildinfo files will be stored in /etc/build.* of firmware.
+
+ config REPRODUCIBLE_DEBUG_INFO
+ bool "Make debug information reproducible"
+ default BUILDBOT
+ help
+ This strips the local build path out of debug information. This has the
+ advantage of making it reproducible, but the disadvantage of making local
+ debugging using ./scripts/remote-gdb harder, since the debug data will
+ no longer point to the full path on the build host.
config COLLECT_KERNEL_DEBUG
bool
config DEBUG
bool
prompt "Compile packages with debugging info"
- default n
help
Adds -g3 to the CFLAGS.
- config IPV6
+ config USE_GC_SECTIONS
bool
- prompt "Enable IPv6 support in packages"
- default y
+ prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
help
- Enables IPv6 support in kernel (builtin) and packages.
+ Places functions and data items into its own sections to use the linker's
+ garbage collection capabilites.
+ Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
+
+ config USE_LTO
+ bool
+ prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
+ help
+ Adds LTO flags to the CFLAGS and LDFLAGS.
+ Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
+
+ config MOLD
+ depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
+ depends on !GCC_USE_VERSION_11
+ def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
+
+ config USE_MOLD
+ bool
+ prompt "Use the mold linker for all packages"
+ depends on MOLD
+ help
+ Link packages with mold, a modern linker
+ Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
+
+ config IPV6
+ def_bool y
comment "Stripping options"
choice
prompt "Binary stripping method"
- default USE_STRIP if EXTERNAL_TOOLCHAIN
default USE_STRIP if USE_GLIBC
default USE_SSTRIP
help
help
This will install binaries stripped using strip from binutils.
-
config USE_SSTRIP
bool "sstrip"
depends on !USE_GLIBC
help
Specifies arguments passed to the strip command when stripping binaries.
+ config SSTRIP_DISCARD_TRAILING_ZEROES
+ bool "Strip trailing zero bytes"
+ depends on USE_SSTRIP && !USE_MOLD
+ default y
+ help
+ Use sstrip's -z option to discard trailing zero bytes
+
config STRIP_KERNEL_EXPORTS
bool "Strip unnecessary exports from the kernel image"
help
make the system libraries incompatible with most of the packages that are
not selected during the build process.
- choice
- prompt "Preferred standard C++ library"
- default USE_LIBSTDCXX if USE_GLIBC
- default USE_UCLIBCXX
- help
- Select the preferred standard C++ library for all packages that support this.
-
- config USE_UCLIBCXX
- bool "uClibc++"
-
- config USE_LIBSTDCXX
- bool "libstdc++"
- endchoice
-
comment "Hardening build options"
config PKG_CHECK_FORMAT_SECURITY
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
+ choice
+ prompt "User space ASLR PIE compilation"
+ default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+ default PKG_ASLR_PIE_REGULAR
+ help
+ Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+ This enables package build as Position Independent Executables (PIE)
+ to protect against "return-to-text" attacks. This belongs to the
+ feature of Address Space Layout Randomisation (ASLR), which is
+ implemented by the kernel and the ELF loader by randomising the
+ location of memory allocations. This makes memory addresses harder
+ to predict when an attacker is attempting a memory-corruption exploit.
+ You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+ Makefile.
+ Be ware that ASLR increases the binary size.
+ config PKG_ASLR_PIE_NONE
+ bool "None"
+ help
+ PIE is deactivated for all applications
+ config PKG_ASLR_PIE_REGULAR
+ bool "Regular"
+ help
+ PIE is activated for some binaries, mostly network exposed applications
+ config PKG_ASLR_PIE_ALL
+ bool "All"
+ select BUSYBOX_DEFAULT_PIE
+ help
+ PIE is activated for all applications
+ endchoice
+
choice
prompt "User space Stack-Smashing Protection"
- depends on USE_MUSL
default PKG_CC_STACKPROTECTOR_REGULAR
help
Enable GCC Stack Smashing Protection (SSP) for userspace applications
bool "None"
config PKG_CC_STACKPROTECTOR_REGULAR
bool "Regular"
- select SSP_SUPPORT if !USE_MUSL
- depends on KERNEL_CC_STACKPROTECTOR_REGULAR
config PKG_CC_STACKPROTECTOR_STRONG
bool "Strong"
- select SSP_SUPPORT if !USE_MUSL
- depends on !GCC_VERSION_4_8
- depends on KERNEL_CC_STACKPROTECTOR_STRONG
endchoice
choice
prompt "Kernel space Stack-Smashing Protection"
default KERNEL_CC_STACKPROTECTOR_REGULAR
- depends on USE_MUSL || !(x86_64 || i386)
help
Enable GCC Stack-Smashing Protection (SSP) for the kernel
config KERNEL_CC_STACKPROTECTOR_NONE
config KERNEL_CC_STACKPROTECTOR_REGULAR
bool "Regular"
config KERNEL_CC_STACKPROTECTOR_STRONG
- depends on !GCC_VERSION_4_8
bool "Strong"
endchoice
+ config KERNEL_STACKPROTECTOR
+ bool
+ default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
+
+ config KERNEL_STACKPROTECTOR_STRONG
+ bool
+ default KERNEL_CC_STACKPROTECTOR_STRONG
+
choice
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
default PKG_FORTIFY_SOURCE_1
bool "Full"
endchoice
+ config TARGET_ROOTFS_SECURITY_LABELS
+ bool
+ select KERNEL_SQUASHFS_XATTR
+ select KERNEL_EXT4_FS_SECURITY
+ select KERNEL_F2FS_FS_SECURITY
+ select KERNEL_UBIFS_FS_SECURITY
+ select KERNEL_JFFS2_FS_SECURITY
+
+ config SELINUX
+ bool "Enable SELinux"
+ select KERNEL_SECURITY_SELINUX
+ select TARGET_ROOTFS_SECURITY_LABELS
+ select PACKAGE_procd-selinux
+ select PACKAGE_busybox-selinux
+ help
+ This option enables SELinux kernel features, applies security labels
+ in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+ Selecting this option results in about 0.5MiB of additional flash space
+ usage accounting for increased kernel and rootfs size.
+
+ choice
+ prompt "default SELinux type"
+ depends on TARGET_ROOTFS_SECURITY_LABELS
+ default SELINUXTYPE_dssp
+ help
+ Select SELinux policy to be installed and used for applying rootfs labels.
+
+ config SELINUXTYPE_targeted
+ bool "targeted"
+ select PACKAGE_refpolicy
+ help
+ SELinux Reference Policy (refpolicy)
+
+ config SELINUXTYPE_dssp
+ bool "dssp"
+ select PACKAGE_selinux-policy
+ help
+ Defensec SELinux Security Policy -- OpenWrt edition
+
+ endchoice
+
+ config SECCOMP
+ bool "Enable SECCOMP"
+ select KERNEL_SECCOMP
+ select PACKAGE_procd-seccomp
+ depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
+ depends on !TARGET_uml
+ default y
+ help
+ This option enables seccomp kernel features to safely
+ execute untrusted bytecode and selects the seccomp-variants
+ of procd
+
endmenu
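Review bot: The new "User space ASLR PIE compilation" help text never states that PKG_ASLR_PIE_NONE becomes the default on SMALL_FLASH or LOW_MEMORY_FOOTPRINT targets outside the SDK, so builders of those targets lose userspace ASLR without any hint unless they open this menu. I would append to that help block: `Note: on SMALL_FLASH and LOW_MEMORY_FOOTPRINT targets (outside the SDK) the default is "None"; select "Regular" or "All" explicitly if PIE is wanted there.` and correct the typo `Be ware that ASLR increases the binary size.` to `Beware that ASLR increases the binary size.`. The SECCOMP help ("safely execute untrusted bytecode") overstates what the option does; as far as the hunk shows it only selects KERNEL_SECCOMP and PACKAGE_procd-seccomp, so wording such as `This option enables the kernel's seccomp syscall-filtering support and selects the seccomp variant of procd (presumably so services can be started under a syscall filter).` would describe it more accurately. Both help blocks sit entirely inside the hunk.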