# Copyright (C) 2006-2013 OpenWrt.org # Copyright (C) 2016 LEDE Project # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. # menu "Global build settings" config ALL_NONSHARED bool "Select all target specific packages by default" select ALL_KMODS default BUILDBOT config ALL_KMODS bool "Select all kernel module packages by default" config ALL bool "Select all userspace packages by default" select ALL_KMODS select ALL_NONSHARED config BUILDBOT bool "Set build defaults for automatic builds (e.g. via buildbot)" default n help This option changes several defaults to be more suitable for automatic builds. This includes the following changes: - Deleting build directories after compiling (to save space) - Enabling per-device rootfs support ... config SIGNED_PACKAGES bool "Cryptographically signed package lists" default y comment "General build options" config DISPLAY_SUPPORT bool "Show packages that require graphics support (local or remote)" default n config BUILD_PATENTED default n bool "Compile with support for patented functionality" help When this option is disabled, software which provides patented functionality will not be built. In case software provides optional support for patented functionality, this optional support will get disabled for this package. config BUILD_NLS default n bool "Compile with full language support" help When this option is enabled, packages are built with the full versions of iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is used, it is also built with locale support. config SHADOW_PASSWORDS bool default y config CLEAN_IPKG bool prompt "Remove ipkg/opkg status data files in final images" default n help This removes all ipkg/opkg status data files from the target directory before building the root filesystem. config IPK_FILES_CHECKSUMS bool prompt "Record files checksums in package metadata" default n help This makes file checksums part of package metadata. It increases size but provides you with pkg_check command to check for flash coruptions. config INCLUDE_CONFIG bool "Include build configuration in firmware" if DEVEL default n help If enabled, config.seed will be stored in /etc/build.config of firmware. config COLLECT_KERNEL_DEBUG bool prompt "Collect kernel debug information" select KERNEL_DEBUG_INFO default BUILDBOT help This collects debugging symbols from the kernel and all compiled modules. Useful for release builds, so that kernel issues can be debugged offline later. menu "Kernel build options" source "config/Config-kernel.in" endmenu comment "Package build options" config DEBUG bool prompt "Compile packages with debugging info" default n help Adds -g3 to the CFLAGS. config IPV6 bool prompt "Enable IPv6 support in packages" default y help Enables IPv6 support in kernel (builtin) and packages. comment "Stripping options" choice prompt "Binary stripping method" default USE_STRIP if EXTERNAL_TOOLCHAIN default USE_STRIP if USE_GLIBC default USE_SSTRIP help Select the binary stripping method you wish to use. config NO_STRIP bool "none" help This will install unstripped binaries (useful for native compiling/debugging). config USE_STRIP bool "strip" help This will install binaries stripped using strip from binutils. config USE_SSTRIP bool "sstrip" depends on !USE_GLIBC help This will install binaries stripped using sstrip. endchoice config STRIP_ARGS string prompt "Strip arguments" depends on USE_STRIP default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG default "--strip-all" help Specifies arguments passed to the strip command when stripping binaries. config STRIP_KERNEL_EXPORTS bool "Strip unnecessary exports from the kernel image" help Reduces kernel size by stripping unused kernel exports from the kernel image. Note that this might make the kernel incompatible with any kernel modules that were not selected at the time the kernel image was created. config USE_MKLIBS bool "Strip unnecessary functions from libraries" help Reduces libraries to only those functions that are necessary for using all selected packages (including those selected as ). Note that this will make the system libraries incompatible with most of the packages that are not selected during the build process. choice prompt "Preferred standard C++ library" default USE_LIBSTDCXX if USE_GLIBC default USE_UCLIBCXX help Select the preferred standard C++ library for all packages that support this. config USE_UCLIBCXX bool "uClibc++" config USE_LIBSTDCXX bool "libstdc++" endchoice comment "Hardening build options" config PKG_CHECK_FORMAT_SECURITY bool prompt "Enable gcc format-security" default y help Add -Wformat -Werror=format-security to the CFLAGS. You can disable this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package Makefile. config PKG_ASLR_PIE bool prompt "User space ASLR PIE compilation" select BUSYBOX_DEFAULT_PIE default n help Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. This enables package build as Position Independent Executables (PIE) to protect against "return-to-text" attacks. This belongs to the feature of Address Space Layout Randomisation (ASLR), which is implemented by the kernel and the ELF loader by randomising the location of memory allocations. This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit. You can disable this per package by adding PKG_ASLR_PIE:=0 in the package Makefile. choice prompt "User space Stack-Smashing Protection" depends on USE_MUSL default PKG_CC_STACKPROTECTOR_REGULAR help Enable GCC Stack Smashing Protection (SSP) for userspace applications config PKG_CC_STACKPROTECTOR_NONE bool "None" config PKG_CC_STACKPROTECTOR_REGULAR bool "Regular" select GCC_LIBSSP if !USE_MUSL depends on KERNEL_CC_STACKPROTECTOR_REGULAR config PKG_CC_STACKPROTECTOR_STRONG bool "Strong" select GCC_LIBSSP if !USE_MUSL depends on !GCC_VERSION_4_8 depends on KERNEL_CC_STACKPROTECTOR_STRONG endchoice choice prompt "Kernel space Stack-Smashing Protection" default KERNEL_CC_STACKPROTECTOR_REGULAR depends on USE_MUSL || !(x86_64 || i386) help Enable GCC Stack-Smashing Protection (SSP) for the kernel config KERNEL_CC_STACKPROTECTOR_NONE bool "None" config KERNEL_CC_STACKPROTECTOR_REGULAR bool "Regular" config KERNEL_CC_STACKPROTECTOR_STRONG depends on !GCC_VERSION_4_8 bool "Strong" endchoice config KERNEL_STACKPROTECTOR bool default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG config KERNEL_STACKPROTECTOR_STRONG bool default KERNEL_CC_STACKPROTECTOR_STRONG choice prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" default PKG_FORTIFY_SOURCE_1 help Enable the _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces checks that shouldn't change the behavior of conforming programs, while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is added, but some conforming programs might fail. config PKG_FORTIFY_SOURCE_NONE bool "None" config PKG_FORTIFY_SOURCE_1 bool "Conservative" config PKG_FORTIFY_SOURCE_2 bool "Aggressive" endchoice choice prompt "Enable RELRO protection" default PKG_RELRO_FULL help Enable a link-time protection known as RELRO (Relocation Read Only) which helps to protect from certain type of exploitation techniques altering the content of some ELF sections. "Partial" RELRO makes the .dynamic section not writeable after initialization, introducing almost no performance penalty, while "full" RELRO also marks the GOT as read-only at the cost of initializing all of it at startup. config PKG_RELRO_NONE bool "None" config PKG_RELRO_PARTIAL bool "Partial" config PKG_RELRO_FULL bool "Full" endchoice endmenu