X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=config%2FConfig-build.in;h=6d749476db78daf25e7b85d47c139053b80a8e43;hp=d5e183926d4d6e734b5b64f6a271fe2b575e85bb;hb=3d945f5706713ad3064aa08b48e6d2fce83a83bb;hpb=01337ba472d0661af1e3b397be3c40573e46ea69 diff --git a/config/Config-build.in b/config/Config-build.in index d5e183926d..6d749476db 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -9,15 +9,16 @@ menu "Global build settings" config ALL_NONSHARED bool "Select all target specific packages by default" - default ALL || BUILDBOT + select ALL_KMODS + default BUILDBOT config ALL_KMODS bool "Select all kernel module packages by default" - default ALL config ALL bool "Select all userspace packages by default" - default n + select ALL_KMODS + select ALL_NONSHARED config BUILDBOT bool "Set build defaults for automatic builds (e.g. via buildbot)" @@ -40,7 +41,7 @@ menu "Global build settings" default n config BUILD_PATENTED - default y + default n bool "Compile with support for patented functionality" help When this option is disabled, software which provides patented functionality @@ -67,6 +68,14 @@ menu "Global build settings" This removes all ipkg/opkg status data files from the target directory before building the root filesystem. + config IPK_FILES_CHECKSUMS + bool + prompt "Record files checksums in package metadata" + default n + help + This makes file checksums part of package metadata. It increases size + but provides you with pkg_check command to check for flash coruptions. + config INCLUDE_CONFIG bool "Include build configuration in firmware" if DEVEL default n @@ -83,10 +92,12 @@ menu "Global build settings" Useful for release builds, so that kernel issues can be debugged offline later. - comment "Kernel build options" + menu "Kernel build options" source "config/Config-kernel.in" + endmenu + comment "Package build options" config DEBUG 
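Review bot: In the first hunk, `select ALL_KMODS` under `config ALL` is redundant, because ALL also selects ALL_NONSHARED, which now selects ALL_KMODS itself. Moving from `default` to `select` also means ALL_KMODS can no longer be switched off while ALL_NONSHARED is set (and ALL_NONSHARED still defaults to BUILDBOT), yet none of the three symbols has help text that says so. I would add a short help to ALL_NONSHARED along the lines of `Also forces ALL_KMODS, so all kernel module packages are selected by default.`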
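Review bot: The help for IPK_FILES_CHECKSUMS (third hunk) should state what the checksums do not cover. It says they become part of the package metadata, so they can catch accidental flash corruption, but presumably not deliberate modification by someone who can rewrite that metadata as well. I would add a line such as `They detect accidental corruption only and are not a defence against tampering.`, to be confirmed against how pkg_check obtains its reference values. The text also has a typo, `coruptions` should be `corruptions`, and the prompt's `files checksums` reads better as `file checksums`.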
@@ -181,6 +192,22 @@ menu "Global build settings" this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package Makefile. + config PKG_ASLR_PIE + bool + prompt "User space ASLR PIE compilation" + select BUSYBOX_DEFAULT_PIE + default n + help + Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. + This enables package build as Position Independent Executables (PIE) + to protect against "return-to-text" attacks. This belongs to the + feature of Address Space Layout Randomisation (ASLR), which is + implemented by the kernel and the ELF loader by randomising the + location of memory allocations. This makes memory addresses harder + to predict when an attacker is attempting a memory-corruption exploit. + You can disable this per package by adding PKG_ASLR_PIE:=0 in the package + Makefile. + choice prompt "User space Stack-Smashing Protection" depends on USE_MUSL @@ -191,11 +218,11 @@ menu "Global build settings" bool "None" config PKG_CC_STACKPROTECTOR_REGULAR bool "Regular" - select SSP_SUPPORT if !USE_MUSL + select GCC_LIBSSP if !USE_MUSL depends on KERNEL_CC_STACKPROTECTOR_REGULAR config PKG_CC_STACKPROTECTOR_STRONG bool "Strong" - select SSP_SUPPORT if !USE_MUSL + select GCC_LIBSSP if !USE_MUSL depends on !GCC_VERSION_4_8 depends on KERNEL_CC_STACKPROTECTOR_STRONG endchoice @@ -215,6 +242,14 @@ menu "Global build settings" bool "Strong" endchoice + config KERNEL_STACKPROTECTOR + bool + default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG + + config KERNEL_STACKPROTECTOR_STRONG + bool + default KERNEL_CC_STACKPROTECTOR_STRONG + choice prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" default PKG_FORTIFY_SOURCE_1
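Review bot: The PKG_ASLR_PIE help says `-fPIC` is added to CFLAGS, where position-independent executables are normally compiled with `-fPIE`; if -fPIC is deliberate, a half-sentence explaining why would stop someone "correcting" it later. The help also credits the kernel and ELF loader with the randomisation but does not say that PIE gives no benefit when randomisation is disabled on the target, which is worth one line: `Only effective if address space randomisation is enabled in the running kernel.` Separately, `select BUSYBOX_DEFAULT_PIE` forces that symbol regardless of its own dependencies; it is defined outside this diff, so check that it has none that could be violated.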
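Review bot: The renamed `select GCC_LIBSSP if !USE_MUSL` on PKG_CC_STACKPROTECTOR_REGULAR and PKG_CC_STACKPROTECTOR_STRONG looks unreachable: the enclosing choice carries `depends on USE_MUSL` (visible at the end of the previous hunk), so `!USE_MUSL` cannot hold while either entry is selectable. Either the select can be dropped, or, if non-musl toolchains are meant to get user-space stack protection through libssp, the choice's `depends on USE_MUSL` is the line to revisit. As written, such builds appear to have no user-space SSP option at all. The choice begins before this hunk and a few of its lines are not shown, so confirm against the full file.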
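Review bot: The two new prompt-less symbols KERNEL_STACKPROTECTOR and KERNEL_STACKPROTECTOR_STRONG need a comment saying why they exist, since they only mirror the KERNEL_CC_STACKPROTECTOR_* choice directly above them. Presumably they carry the setting to kernels that use the shorter option names; if so, `# Hidden aliases of KERNEL_CC_STACKPROTECTOR_* for kernels that use the renamed options` above the first one would be enough. Without that, a later cleanup could remove them as duplicates and quietly lose kernel stack protection on those kernels.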