X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=config%2FConfig-build.in;h=a54df115661e6a94867534b7837b82eb0d57eb0f;hb=3f567d8452644dc5349addabbb8f0bff9d0bc2c0;hp=f2d292e453a8653fdc0c657f2e6bbb4b9f6cec6c;hpb=bf82deff7069599c9f130f5bb0222acd171fd19d;p=openwrt%2Fopenwrt.git

diff --git a/config/Config-build.in b/config/Config-build.in
index f2d292e453..a54df11566 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -1,4 +1,5 @@
 # Copyright (C) 2006-2013 OpenWrt.org
+# Copyright (C) 2016 LEDE Project
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -6,26 +7,62 @@
 
 menu "Global build settings"
 
+	config JSON_OVERVIEW_IMAGE_INFO
+		bool "Create JSON info file overview per target"
+		default BUILDBOT
+		help
+		  Create a JSON info file called profiles.json in the target
+		  directory containing machine readable list of built profiles
+		  and resulting images.
+
+	config ALL_NONSHARED
+		bool "Select all target specific packages by default"
+		select ALL_KMODS
+		default BUILDBOT
+
 	config ALL_KMODS
 		bool "Select all kernel module packages by default"
-		default ALL
 
 	config ALL
 		bool "Select all userspace packages by default"
+		select ALL_KMODS
+		select ALL_NONSHARED
+
+	config BUILDBOT
+		bool "Set build defaults for automatic builds (e.g. via buildbot)"
 		default n
+		help
+		  This option changes several defaults to be more suitable for
+		  automatic builds. This includes the following changes:
+		  - Deleting build directories after compiling (to save space)
+		  - Enabling per-device rootfs support
+		  ...
 
 	config SIGNED_PACKAGES
 		bool "Cryptographically signed package lists"
 		default y
 
+	config SIGNATURE_CHECK
+		bool "Enable signature checking in opkg"
+		default SIGNED_PACKAGES
+
 	comment "General build options"
 
+	config TESTING_KERNEL
+		bool "Use the testing kernel version"
+		depends on HAS_TESTING_KERNEL
+		default n
+		help
+		  If the target supports a newer kernel version than the default,
+		  you can use this config option to enable it
+
+
 	config DISPLAY_SUPPORT
 		bool "Show packages that require graphics support (local or remote)"
 		default n
 
 	config BUILD_PATENTED
-		default y
+		default n
 		bool "Compile with support for patented functionality"
 		help
 		  When this option is disabled, software which provides patented functionality
@@ -42,10 +79,7 @@ menu "Global build settings"
 
 	config SHADOW_PASSWORDS
 		bool
-		prompt "Enable shadow password support"
 		default y
-		help
-		  Enable shadow password support.
 
 	config CLEAN_IPKG
 		bool
@@ -55,20 +89,45 @@ menu "Global build settings"
 		  This removes all ipkg/opkg status data files from the target directory
 		  before building the root filesystem.
 
+	config IPK_FILES_CHECKSUMS
+		bool
+		prompt "Record files checksums in package metadata"
+		default n
+		help
+		  This makes file checksums part of package metadata. It increases size
+		  but provides you with pkg_check command to check for flash coruptions.
+
+	config INCLUDE_CONFIG
+		bool "Include build configuration in firmware" if DEVEL
+		default n
+		help
+		  If enabled, buildinfo files will be stored in /etc/build.* of firmware.
+
+	config REPRODUCIBLE_DEBUG_INFO
+		bool "Make debug information reproducible"
+		default BUILDBOT
+		help
+		  This strips the local build path out of debug information. This has the
+		  advantage of making it reproducible, but the disadvantage of making local
+		  debugging using ./scripts/remote-gdb harder, since the debug data will
+		  no longer point to the full path on the build host.
+
 	config COLLECT_KERNEL_DEBUG
 		bool
 		prompt "Collect kernel debug information"
 		select KERNEL_DEBUG_INFO
-		default n
+		default BUILDBOT
 		help
 		  This collects debugging symbols from the kernel and all compiled modules.
 		  Useful for release builds, so that kernel issues can be debugged offline
 		  later.
 
-	comment "Kernel build options"
+	menu "Kernel build options"
 
 	source "config/Config-kernel.in"
 
+	endmenu
+
 	comment "Package build options"
 
 	config DEBUG
@@ -83,67 +142,14 @@ menu "Global build settings"
 		prompt "Enable IPv6 support in packages"
 		default y
 		help
-		  Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts).
-
-	config PKG_BUILD_PARALLEL
-		bool
-		prompt "Compile certain packages parallelized"
-		default y
-		help
-		  This adds a -jX option to certain packages that are known to behave well
-		  for parallel build. By default, the package make processes use the main
-		  jobserver, in which case this option only takes effect when you add -jX
-		  to the make command.
-
-		  If you are unsure, select N.
-
-	config PKG_BUILD_USE_JOBSERVER
-		bool
-		prompt "Use top-level make jobserver for packages"
-		depends on PKG_BUILD_PARALLEL
-		default y
-		help
-		  This passes the main make process jobserver fds to package builds,
-		  enabling full parallelization across different packages.
-
-		  Note that disabling this may overcommit CPU resources depending on the
-		  -j level of the main make process, the number of package submake jobs
-		  selected below and the number of actual CPUs present.
-		  Example: If the main make is passed a -j4 and the submake -j
-		  is also set to 4, we may end up with 16 parallel make processes
-		  in the worst case.
-
-	config PKG_BUILD_JOBS
-		int
-		prompt "Number of package submake jobs (2-512)"
-		range 2 512
-		default 2
-		depends on PKG_BUILD_PARALLEL && !PKG_BUILD_USE_JOBSERVER
-		help
-		  The number of jobs (-jX) to pass to packages submake.
-
-	config PKG_DEFAULT_PARALLEL
-		bool
-		prompt "Parallelize the default package build rule (May break build)"
-		depends on PKG_BUILD_PARALLEL
-		depends on BROKEN
-		default n
-		help
-		  Always set the default package build rules to parallel build.
-
-		  WARNING: This may break build or kill your cat, as it builds packages
-		  with multiple jobs that are probably not tested in a parallel build
-		  environment.
-
-		  Only say Y if you don't mind fixing broken packages.  Before reporting
-		  build bugs, set this to N and re-run the build.
+		  Enables IPv6 support in kernel (builtin) and packages.
 
 	comment "Stripping options"
 
 	choice
 		prompt "Binary stripping method"
 		default USE_STRIP   if EXTERNAL_TOOLCHAIN
-		default USE_STRIP   if USE_GLIBC || USE_MUSL
+		default USE_STRIP   if USE_GLIBC
 		default USE_SSTRIP
 		help
 		  Select the binary stripping method you wish to use.
@@ -152,7 +158,7 @@ menu "Global build settings"
 			bool "none"
 			help
 			  This will install unstripped binaries (useful for native
-		 	  compiling/debugging).
+			  compiling/debugging).
 
 		config USE_STRIP
 			bool "strip"
@@ -162,7 +168,6 @@ menu "Global build settings"
 
 		config USE_SSTRIP
 			bool "sstrip"
-			depends on !DEBUG
 			depends on !USE_GLIBC
 			help
 			  This will install binaries stripped using sstrip.
@@ -177,6 +182,14 @@ menu "Global build settings"
 		help
 		  Specifies arguments passed to the strip command when stripping binaries.
 
+	config SSTRIP_ARGS
+		string
+		prompt "Sstrip arguments"
+		depends on USE_SSTRIP
+		default "-z"
+		help
+		  Specifies arguments passed to the sstrip command when stripping binaries.
+
 	config STRIP_KERNEL_EXPORTS
 		bool "Strip unnecessary exports from the kernel image"
 		help
@@ -202,6 +215,10 @@ menu "Global build settings"
 		config USE_UCLIBCXX
 			bool "uClibc++"
 
+		config USE_LIBCXX
+			bool "libc++"
+			depends on !USE_UCLIBC
+
 		config USE_LIBSTDCXX
 			bool "libstdc++"
 	endchoice
@@ -217,9 +234,38 @@ menu "Global build settings"
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 		  Makefile.
 
+	choice
+		prompt "User space ASLR PIE compilation"
+		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+		default PKG_ASLR_PIE_REGULAR
+		help
+		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+		  This enables package build as Position Independent Executables (PIE)
+		  to protect against "return-to-text" attacks. This belongs to the
+		  feature of Address Space Layout Randomisation (ASLR), which is
+		  implemented by the kernel and the ELF loader by randomising the
+		  location of memory allocations. This makes memory addresses harder
+		  to predict when an attacker is attempting a memory-corruption exploit.
+		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+		  Makefile.
+		  Be ware that ASLR increases the binary size.
+		config PKG_ASLR_PIE_NONE
+			bool "None"
+			help
+			  PIE is deactivated for all applications
+		config PKG_ASLR_PIE_REGULAR
+			bool "Regular"
+			help
+			  PIE is activated for some binaries, mostly network exposed applications
+		config PKG_ASLR_PIE_ALL
+			bool "All"
+			select BUSYBOX_DEFAULT_PIE
+			help
+			  PIE is activated for all applications
+	endchoice
+
 	choice
 		prompt "User space Stack-Smashing Protection"
-		depends on USE_MUSL
 		default PKG_CC_STACKPROTECTOR_REGULAR
 		help
 		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
@@ -227,19 +273,13 @@ menu "Global build settings"
 			bool "None"
 		config PKG_CC_STACKPROTECTOR_REGULAR
 			bool "Regular"
-			select SSP_SUPPORT if !USE_MUSL
-			depends on KERNEL_CC_STACKPROTECTOR_REGULAR
 		config PKG_CC_STACKPROTECTOR_STRONG
 			bool "Strong"
-			select SSP_SUPPORT if !USE_MUSL
-			depends on GCC_VERSION_4_9_LINARO
-			depends on KERNEL_CC_STACKPROTECTOR_STRONG
 	endchoice
 
 	choice
 		prompt "Kernel space Stack-Smashing Protection"
 		default KERNEL_CC_STACKPROTECTOR_REGULAR
-		depends on USE_MUSL || !(x86_64 || i386)
 		help
 		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
 		config KERNEL_CC_STACKPROTECTOR_NONE
@@ -247,10 +287,17 @@ menu "Global build settings"
 		config KERNEL_CC_STACKPROTECTOR_REGULAR
 			bool "Regular"
 		config KERNEL_CC_STACKPROTECTOR_STRONG
-			depends on GCC_VERSION_4_9_LINARO
 			bool "Strong"
 	endchoice
 
+	config KERNEL_STACKPROTECTOR
+		bool
+		default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
+
+	config KERNEL_STACKPROTECTOR_STRONG
+		bool
+		default KERNEL_CC_STACKPROTECTOR_STRONG
+
 	choice
 		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
 		default PKG_FORTIFY_SOURCE_1
@@ -289,4 +336,46 @@ menu "Global build settings"
 			bool "Full"
 	endchoice
 
+	config TARGET_ROOTFS_SECURITY_LABELS
+		bool
+		select KERNEL_SQUASHFS_XATTR
+		select KERNEL_EXT4_FS_SECURITY
+		select KERNEL_F2FS_FS_SECURITY
+		select KERNEL_UBIFS_FS_SECURITY
+		select KERNEL_JFFS2_FS_SECURITY
+
+	config SELINUX
+		bool "Enable SELinux"
+		select KERNEL_SECURITY_SELINUX
+		select TARGET_ROOTFS_SECURITY_LABELS
+		select PACKAGE_procd-selinux
+		select PACKAGE_busybox-selinux
+		help
+		  This option enables SELinux kernel features, applies security labels
+		  in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+		  Selecting this option results in about 0.5MiB of additional flash space
+		  usage accounting for increased kernel and rootfs size.
+
+	choice
+		prompt "default SELinux type"
+		depends on TARGET_ROOTFS_SECURITY_LABELS
+		default SELINUXTYPE_dssp
+		help
+		  Select SELinux policy to be installed and used for applying rootfs labels.
+
+		config SELINUXTYPE_targeted
+			bool "targeted"
+			select PACKAGE_refpolicy
+			help
+			  SELinux Reference Policy (refpolicy)
+
+		config SELINUXTYPE_dssp
+			bool "dssp"
+			select PACKAGE_selinux-policy
+			help
+			  Defensec SELinux Security Policy -- OpenWrt edition
+
+	endchoice
+
 endmenu