X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fstaging%2Fchunkeey.git;a=blobdiff_plain;f=config%2FConfig-build.in;h=0584820cddfd8bd6285c1a52fcb0088e9cd5d16e;hp=371ae7632adf053023e1a5e55b7a543b8a441c86;hb=f8140c9caf4d037e4347e828a96d9008a7e16f02;hpb=9fa3c68938c0340bc67dbe3199586190aa540a16
diff --git a/config/Config-build.in b/config/Config-build.in
index 371ae7632a..0584820cdd 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -6,10 +6,18 @@ menu "Global build settings"
+ config ALL_KMODS + bool "Select all kernel module packages by default" + default ALL + config ALL - bool "Select all packages by default" + bool "Select all userspace packages by default" default n + config SIGNED_PACKAGES + bool "Cryptographically signed package lists" + default y + comment "General build options" config DISPLAY_SUPPORT
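Review bot: `config SIGNED_PACKAGES` is added with `default y` but no `help` block, while the neighbouring options in this file all carry one; a user who sees only the prompt "Cryptographically signed package lists" cannot tell what is signed, which key is used, or what is given up by turning it off. Suggest a help entry under `default y` that names the signed artefact (the package lists) and states what consumers of those lists lose when the option is disabled (presumably verification at install time — confirm against the signing code before wording it). The new `ALL_KMODS` would likewise benefit from a line explaining its `default ALL` coupling to the userspace `ALL` option.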
@@ -20,23 +28,17 @@ menu "Global build settings" default y bool "Compile with support for patented functionality" help - When this option is disabled, software which provides patented functionality will not be built. - In case software provides optional support for patented functionality, - this optional support will get disabled for this package. + When this option is disabled, software which provides patented functionality + will not be built. In case software provides optional support for patented + functionality, this optional support will get disabled for this package. config BUILD_NLS default n bool "Compile with full language support" help - When this option is enabled, packages are built with the full versions of iconv and GNU gettext - instead of the default OpenWrt stubs. If uClibc is used, it is also built with locale support. - - config BUILD_STATIC_TOOLS - default n - bool "Attempt to link host utilities statically" - help - Linking host utilities like sed or firmware-utils statically increases the portability of the - generated ImageBuilder and SDK tarballs, however it may fail on some Linux distributions. + When this option is enabled, packages are built with the full versions of + iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is + used, it is also built with locale support. config SHADOW_PASSWORDS bool @@ -50,7 +52,8 @@ menu "Global build settings" prompt "Remove ipkg/opkg status data files in final images" default n help - This removes all ipkg/opkg status data files from the target directory before building the root fs + This removes all ipkg/opkg status data files from the target directory + before building the root filesystem. config COLLECT_KERNEL_DEBUG bool 
@@ -59,7 +62,8 @@ menu "Global build settings" default n help This collects debugging symbols from the kernel and all compiled modules. - Useful for release builds, so that kernel issues can be debugged offline later. + Useful for release builds, so that kernel issues can be debugged offline + later. comment "Kernel build options" @@ -72,24 +76,24 @@ menu "Global build settings" prompt "Compile packages with debugging info" default n help - Adds -g3 to the CFLAGS + Adds -g3 to the CFLAGS. config IPV6 bool prompt "Enable IPv6 support in packages" default y help - Enable IPV6 support in packages (passes --enable-ipv6 to configure scripts). + Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts). config PKG_BUILD_PARALLEL bool prompt "Compile certain packages parallelized" default y help - This adds a -jX option to certain packages that are known to - behave well for parallel build. By default the package make processes - use the main jobserver, in which case this option only takes effect - when you add -jX to the make command. + This adds a -jX option to certain packages that are known to behave well + for parallel build. By default, the package make processes use the main + jobserver, in which case this option only takes effect when you add -jX + to the make command. If you are unsure, select N. 
@@ -100,16 +104,15 @@ menu "Global build settings" default y help This passes the main make process jobserver fds to package builds, - enabling full parallelization across different packages + enabling full parallelization across different packages. Note that disabling this may overcommit CPU resources depending on the - -j level of the main make process, the number of package - submake jobs selected below and the number of actual CPUs present. + -j level of the main make process, the number of package submake jobs + selected below and the number of actual CPUs present. Example: If the main make is passed a -j4 and the submake -j is also set to 4, we may end up with 16 parallel make processes in the worst case. - config PKG_BUILD_JOBS int prompt "Number of package submake jobs (2-512)" @@ -128,19 +131,19 @@ menu "Global build settings" help Always set the default package build rules to parallel build. - WARNING: This may break build or kill your cat, as it builds - packages with multiple jobs that are probably not tested in - a parallel build environment. + WARNING: This may break build or kill your cat, as it builds packages + with multiple jobs that are probably not tested in a parallel build + environment. - Only say Y, if you don't mind fixing broken packages. - Before reporting build bugs, set this to N and re-run the build. + Only say Y if you don't mind fixing broken packages. Before reporting + build bugs, set this to N and re-run the build. comment "Stripping options" choice prompt "Binary stripping method" default USE_STRIP if EXTERNAL_TOOLCHAIN - default USE_STRIP if USE_GLIBC || USE_EGLIBC || USE_MUSL + default USE_STRIP if USE_GLIBC || USE_MUSL default USE_SSTRIP help Select the binary stripping method you wish to use. 
@@ -148,21 +151,21 @@ menu "Global build settings" config NO_STRIP bool "none" help - This will install unstripped binaries (useful for native compiling/debugging) + This will install unstripped binaries (useful for native + compiling/debugging). config USE_STRIP bool "strip" help - This will install binaries stripped using strip from binutils + This will install binaries stripped using strip from binutils. config USE_SSTRIP bool "sstrip" depends on !DEBUG depends on !USE_GLIBC - depends on !USE_EGLIBC help - This will install binaries stripped using sstrip + This will install binaries stripped using sstrip. endchoice config STRIP_ARGS 
@@ -172,26 +175,26 @@ menu "Global build settings" default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG default "--strip-all" help - Specifies arguments passed to the strip command when stripping binaries + Specifies arguments passed to the strip command when stripping binaries. config STRIP_KERNEL_EXPORTS bool "Strip unnecessary exports from the kernel image" help - Reduces kernel size by stripping unused kernel exports from the kernel image - Note that this might make the kernel incompatible with any kernel modules that - were not selected at the time the kernel image was created + Reduces kernel size by stripping unused kernel exports from the kernel + image. Note that this might make the kernel incompatible with any kernel + modules that were not selected at the time the kernel image was created. config USE_MKLIBS bool "Strip unnecessary functions from libraries" help Reduces libraries to only those functions that are necessary for using all - selected packages (including those selected as ) - Note that this will make the system libraries incompatible with most of the packages - that are not selected during the build process + selected packages (including those selected as ). Note that this will + make the system libraries incompatible with most of the packages that are + not selected during the build process. choice prompt "Preferred standard C++ library" - default USE_LIBSTDCXX if USE_EGLIBC + default USE_LIBSTDCXX if USE_GLIBC default USE_UCLIBCXX help Select the preferred standard C++ library for all packages that support this. 
@@ -203,4 +206,84 @@ menu "Global build settings" bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default y + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space Stack-Smashing Protection" + default PKG_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select SSP_SUPPORT + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select SSP_SUPPORT + depends on GCC_VERSION_4_9_LINARO + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + depends on GCC_VERSION_4_9_LINARO + bool "Strong" + endchoice + + choice + prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that shouldn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. 
+ config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + default PKG_RELRO_FULL + help + Enable a link-time protection known as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu
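Review bot: The userspace SSP choice ties each level to the identically named kernel level (`depends on KERNEL_CC_STACKPROTECTOR_REGULAR` under `PKG_CC_STACKPROTECTOR_REGULAR`, `depends on KERNEL_CC_STACKPROTECTOR_STRONG` under `PKG_CC_STACKPROTECTOR_STRONG`), so userspace SSP is unselectable unless the kernel choice is set to exactly the same level, and a "Regular" userspace build with a "Strong" kernel cannot be configured. Unless the toolchain genuinely requires the two to match, those two `depends on` lines should be dropped (the `select SSP_SUPPORT` lines already pull in toolchain support), or the help text should say why they are coupled. The FORTIFY_SOURCE choice is also the only one here without a `default`, so it silently resolves to its first entry, `PKG_FORTIFY_SOURCE_NONE`; an explicit `default PKG_FORTIFY_SOURCE_1` (or `default PKG_FORTIFY_SOURCE_NONE` if that is intended) would make the choice deliberate, as the SSP and RELRO choices do. Its help text has a typo, `_FORTIFY_SOURCES` for `_FORTIFY_SOURCE`, and could mention that these checks only take effect when the package is compiled with optimisation enabled.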