342859b7c0cdba020e73fb2eadea0e40d74204d0
[openwrt/openwrt.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 default n
9 help
10 Set this option to build with latest bleeding edge features
11 which may or may not work as expected.
12 If you would like to help the development of OpenWrt, you are
13 encouraged to set this option and provide feedback (both
14 positive and negative). But do so only if you know how to
15 recover your device in case of flashing potentially non-working
16 firmware.
17
18 If you plan to use this build in production, say NO!
19
20 menu "Global build settings"
21
22 config JSON_OVERVIEW_IMAGE_INFO
23 bool "Create JSON info file overview per target"
24 default BUILDBOT
25 help
26 Create a JSON info file called profiles.json in the target
27 directory containing machine readable list of built profiles
28 and resulting images.
29
30 config ALL_NONSHARED
31 bool "Select all target specific packages by default"
32 select ALL_KMODS
33 default BUILDBOT
34
35 config ALL_KMODS
36 bool "Select all kernel module packages by default"
37
38 config ALL
39 bool "Select all userspace packages by default"
40 select ALL_KMODS
41 select ALL_NONSHARED
42
43 config BUILDBOT
44 bool "Set build defaults for automatic builds (e.g. via buildbot)"
45 default n
46 help
47 This option changes several defaults to be more suitable for
48 automatic builds. This includes the following changes:
49 - Deleting build directories after compiling (to save space)
50 - Enabling per-device rootfs support
51 ...
52
53 config SIGNED_PACKAGES
54 bool "Cryptographically signed package lists"
55 default y
56
57 config SIGNATURE_CHECK
58 bool "Enable signature checking in opkg"
59 default SIGNED_PACKAGES
60
61 comment "General build options"
62
63 config TESTING_KERNEL
64 bool "Use the testing kernel version"
65 depends on HAS_TESTING_KERNEL
66 default EXPERIMENTAL
67 help
68 If the target supports a newer kernel version than the default,
69 you can use this config option to enable it
70
71
72 config DISPLAY_SUPPORT
73 bool "Show packages that require graphics support (local or remote)"
74 default n
75
76 config BUILD_PATENTED
77 default n
78 bool "Compile with support for patented functionality"
79 help
80 When this option is disabled, software which provides patented functionality
81 will not be built. In case software provides optional support for patented
82 functionality, this optional support will get disabled for this package.
83
84 config BUILD_NLS
85 default n
86 bool "Compile with full language support"
87 help
88 When this option is enabled, packages are built with the full versions of
89 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
90 used, it is also built with locale support.
91
92 config SHADOW_PASSWORDS
93 bool
94 default y
95
96 config CLEAN_IPKG
97 bool
98 prompt "Remove ipkg/opkg status data files in final images"
99 default n
100 help
101 This removes all ipkg/opkg status data files from the target directory
102 before building the root filesystem.
103
104 config IPK_FILES_CHECKSUMS
105 bool
106 prompt "Record files checksums in package metadata"
107 default n
108 help
109 This makes file checksums part of package metadata. It increases size
110 but provides you with pkg_check command to check for flash coruptions.
111
112 config INCLUDE_CONFIG
113 bool "Include build configuration in firmware" if DEVEL
114 default n
115 help
116 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
117
118 config REPRODUCIBLE_DEBUG_INFO
119 bool "Make debug information reproducible"
120 default BUILDBOT
121 help
122 This strips the local build path out of debug information. This has the
123 advantage of making it reproducible, but the disadvantage of making local
124 debugging using ./scripts/remote-gdb harder, since the debug data will
125 no longer point to the full path on the build host.
126
127 config COLLECT_KERNEL_DEBUG
128 bool
129 prompt "Collect kernel debug information"
130 select KERNEL_DEBUG_INFO
131 default BUILDBOT
132 help
133 This collects debugging symbols from the kernel and all compiled modules.
134 Useful for release builds, so that kernel issues can be debugged offline
135 later.
136
137 menu "Kernel build options"
138
139 source "config/Config-kernel.in"
140
141 endmenu
142
143 comment "Package build options"
144
145 config DEBUG
146 bool
147 prompt "Compile packages with debugging info"
148 default n
149 help
150 Adds -g3 to the CFLAGS.
151
152 config IPV6
153 bool
154 prompt "Enable IPv6 support in packages"
155 default y
156 help
157 Enables IPv6 support in kernel (builtin) and packages.
158
159 comment "Stripping options"
160
161 choice
162 prompt "Binary stripping method"
163 default USE_STRIP if EXTERNAL_TOOLCHAIN
164 default USE_STRIP if USE_GLIBC
165 default USE_SSTRIP
166 help
167 Select the binary stripping method you wish to use.
168
169 config NO_STRIP
170 bool "none"
171 help
172 This will install unstripped binaries (useful for native
173 compiling/debugging).
174
175 config USE_STRIP
176 bool "strip"
177 help
178 This will install binaries stripped using strip from binutils.
179
180
181 config USE_SSTRIP
182 bool "sstrip"
183 depends on !USE_GLIBC
184 help
185 This will install binaries stripped using sstrip.
186 endchoice
187
188 config STRIP_ARGS
189 string
190 prompt "Strip arguments"
191 depends on USE_STRIP
192 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
193 default "--strip-all"
194 help
195 Specifies arguments passed to the strip command when stripping binaries.
196
197 config SSTRIP_ARGS
198 string
199 prompt "Sstrip arguments"
200 depends on USE_SSTRIP
201 default "-z"
202 help
203 Specifies arguments passed to the sstrip command when stripping binaries.
204
205 config STRIP_KERNEL_EXPORTS
206 bool "Strip unnecessary exports from the kernel image"
207 help
208 Reduces kernel size by stripping unused kernel exports from the kernel
209 image. Note that this might make the kernel incompatible with any kernel
210 modules that were not selected at the time the kernel image was created.
211
212 config USE_MKLIBS
213 bool "Strip unnecessary functions from libraries"
214 help
215 Reduces libraries to only those functions that are necessary for using all
216 selected packages (including those selected as <M>). Note that this will
217 make the system libraries incompatible with most of the packages that are
218 not selected during the build process.
219
220 choice
221 prompt "Preferred standard C++ library"
222 default USE_LIBSTDCXX if USE_GLIBC
223 default USE_UCLIBCXX
224 help
225 Select the preferred standard C++ library for all packages that support this.
226
227 config USE_UCLIBCXX
228 bool "uClibc++"
229
230 config USE_LIBSTDCXX
231 bool "libstdc++"
232 endchoice
233
234 comment "Hardening build options"
235
236 config PKG_CHECK_FORMAT_SECURITY
237 bool
238 prompt "Enable gcc format-security"
239 default y
240 help
241 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
242 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
243 Makefile.
244
245 choice
246 prompt "User space ASLR PIE compilation"
247 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
248 default PKG_ASLR_PIE_REGULAR
249 help
250 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
251 This enables package build as Position Independent Executables (PIE)
252 to protect against "return-to-text" attacks. This belongs to the
253 feature of Address Space Layout Randomisation (ASLR), which is
254 implemented by the kernel and the ELF loader by randomising the
255 location of memory allocations. This makes memory addresses harder
256 to predict when an attacker is attempting a memory-corruption exploit.
257 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
258 Makefile.
259 Be ware that ASLR increases the binary size.
260 config PKG_ASLR_PIE_NONE
261 bool "None"
262 help
263 PIE is deactivated for all applications
264 config PKG_ASLR_PIE_REGULAR
265 bool "Regular"
266 help
267 PIE is activated for some binaries, mostly network exposed applications
268 config PKG_ASLR_PIE_ALL
269 bool "All"
270 select BUSYBOX_DEFAULT_PIE
271 help
272 PIE is activated for all applications
273 endchoice
274
275 choice
276 prompt "User space Stack-Smashing Protection"
277 default PKG_CC_STACKPROTECTOR_REGULAR
278 help
279 Enable GCC Stack Smashing Protection (SSP) for userspace applications
280 config PKG_CC_STACKPROTECTOR_NONE
281 bool "None"
282 config PKG_CC_STACKPROTECTOR_REGULAR
283 bool "Regular"
284 config PKG_CC_STACKPROTECTOR_STRONG
285 bool "Strong"
286 endchoice
287
288 choice
289 prompt "Kernel space Stack-Smashing Protection"
290 default KERNEL_CC_STACKPROTECTOR_REGULAR
291 help
292 Enable GCC Stack-Smashing Protection (SSP) for the kernel
293 config KERNEL_CC_STACKPROTECTOR_NONE
294 bool "None"
295 config KERNEL_CC_STACKPROTECTOR_REGULAR
296 bool "Regular"
297 config KERNEL_CC_STACKPROTECTOR_STRONG
298 bool "Strong"
299 endchoice
300
301 config KERNEL_STACKPROTECTOR
302 bool
303 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
304
305 config KERNEL_STACKPROTECTOR_STRONG
306 bool
307 default KERNEL_CC_STACKPROTECTOR_STRONG
308
309 choice
310 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
311 default PKG_FORTIFY_SOURCE_1
312 help
313 Enable the _FORTIFY_SOURCE macro which introduces additional
314 checks to detect buffer-overflows in the following standard library
315 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
316 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
317 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
318 checks that shouldn't change the behavior of conforming programs,
319 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
320 added, but some conforming programs might fail.
321 config PKG_FORTIFY_SOURCE_NONE
322 bool "None"
323 config PKG_FORTIFY_SOURCE_1
324 bool "Conservative"
325 config PKG_FORTIFY_SOURCE_2
326 bool "Aggressive"
327 endchoice
328
329 choice
330 prompt "Enable RELRO protection"
331 default PKG_RELRO_FULL
332 help
333 Enable a link-time protection known as RELRO (Relocation Read Only)
334 which helps to protect from certain type of exploitation techniques
335 altering the content of some ELF sections. "Partial" RELRO makes the
336 .dynamic section not writeable after initialization, introducing
337 almost no performance penalty, while "full" RELRO also marks the GOT
338 as read-only at the cost of initializing all of it at startup.
339 config PKG_RELRO_NONE
340 bool "None"
341 config PKG_RELRO_PARTIAL
342 bool "Partial"
343 config PKG_RELRO_FULL
344 bool "Full"
345 endchoice
346
347 config TARGET_ROOTFS_SECURITY_LABELS
348 bool
349 select KERNEL_SQUASHFS_XATTR
350 select KERNEL_EXT4_FS_SECURITY
351 select KERNEL_F2FS_FS_SECURITY
352 select KERNEL_UBIFS_FS_SECURITY
353 select KERNEL_JFFS2_FS_SECURITY
354
355 config SELINUX
356 bool "Enable SELinux"
357 select KERNEL_SECURITY_SELINUX
358 select TARGET_ROOTFS_SECURITY_LABELS
359 select PACKAGE_procd-selinux
360 select PACKAGE_busybox-selinux
361 help
362 This option enables SELinux kernel features, applies security labels
363 in squashfs rootfs and selects the selinux-variants of busybox and procd.
364
365 Selecting this option results in about 0.5MiB of additional flash space
366 usage accounting for increased kernel and rootfs size.
367
368 choice
369 prompt "default SELinux type"
370 depends on TARGET_ROOTFS_SECURITY_LABELS
371 default SELINUXTYPE_dssp
372 help
373 Select SELinux policy to be installed and used for applying rootfs labels.
374
375 config SELINUXTYPE_targeted
376 bool "targeted"
377 select PACKAGE_refpolicy
378 help
379 SELinux Reference Policy (refpolicy)
380
381 config SELINUXTYPE_dssp
382 bool "dssp"
383 select PACKAGE_selinux-policy
384 help
385 Defensec SELinux Security Policy -- OpenWrt edition
386
387 endchoice
388
389 endmenu