X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=config%2FConfig-build.in;h=23cf83bc4045f9163bda12210e65c72fe50e764e;hp=89cf964a8ee6f692b853ec57b134148adf49ca40;hb=941fc5e8c8fd48c31c97c9194d1bed786145f978;hpb=bdeda10f1cc45c7399c0033161c1f5382c5607f8 diff --git a/config/Config-build.in b/config/Config-build.in index 89cf964a8e..23cf83bc40 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -1,4 +1,5 @@ # Copyright (C) 2006-2013 OpenWrt.org +# Copyright (C) 2016 LEDE Project # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -6,10 +7,22 @@ menu "Global build settings" + config ALL_NONSHARED + bool "Select all target specific packages by default" + default ALL + + config ALL_KMODS + bool "Select all kernel module packages by default" + default ALL + config ALL - bool "Select all packages by default" + bool "Select all userspace packages by default" default n + config SIGNED_PACKAGES + bool "Cryptographically signed package lists" + default y + comment "General build options" config DISPLAY_SUPPORT @@ -32,14 +45,6 @@ menu "Global build settings" iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is used, it is also built with locale support. - config BUILD_STATIC_TOOLS - default n - bool "Attempt to link host utilities statically" - help - Linking host utilities like sed or firmware-utils statically increases the - portability of the generated ImageBuilder and SDK tarballs; however, it may - fail on some Linux distributions. - config SHADOW_PASSWORDS bool prompt "Enable shadow password support" @@ -83,7 +88,7 @@ menu "Global build settings" prompt "Enable IPv6 support in packages" default y help - Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts). + Enables IPv6 support in kernel (builtin) and packages. config PKG_BUILD_PARALLEL bool @@ -97,15 +102,6 @@ menu "Global build settings" If you are unsure, select N. - config PKG_CHECK_FORMAT_SECURITY - bool - prompt "Enable gcc format-security" - default n - help - Add -Wformat -Werror=format-security to the CFLAGS. You can disable - this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package - Makefile. - config PKG_BUILD_USE_JOBSERVER bool prompt "Use top-level make jobserver for packages" @@ -152,7 +148,7 @@ menu "Global build settings" choice prompt "Binary stripping method" default USE_STRIP if EXTERNAL_TOOLCHAIN - default USE_STRIP if USE_GLIBC || USE_EGLIBC || USE_MUSL + default USE_STRIP if USE_GLIBC default USE_SSTRIP help Select the binary stripping method you wish to use. @@ -161,7 +157,7 @@ menu "Global build settings" bool "none" help This will install unstripped binaries (useful for native - compiling/debugging). + compiling/debugging). config USE_STRIP bool "strip" @@ -171,9 +167,7 @@ menu "Global build settings" config USE_SSTRIP bool "sstrip" - depends on !DEBUG depends on !USE_GLIBC - depends on !USE_EGLIBC help This will install binaries stripped using sstrip. endchoice @@ -204,7 +198,7 @@ menu "Global build settings" choice prompt "Preferred standard C++ library" - default USE_LIBSTDCXX if USE_EGLIBC + default USE_LIBSTDCXX if USE_GLIBC default USE_UCLIBCXX help Select the preferred standard C++ library for all packages that support this. @@ -216,4 +210,87 @@ menu "Global build settings" bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default y + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space Stack-Smashing Protection" + depends on USE_MUSL + default PKG_CC_STACKPROTECTOR_REGULAR + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select SSP_SUPPORT if !USE_MUSL + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select SSP_SUPPORT if !USE_MUSL + depends on GCC_VERSION_5 + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_REGULAR + depends on USE_MUSL || !(x86_64 || i386) + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + depends on GCC_VERSION_5 + bool "Strong" + endchoice + + choice + prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + default PKG_FORTIFY_SOURCE_1 + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that shouldn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. + config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + default PKG_RELRO_FULL + help + Enable a link-time protection known as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu