X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fstaging%2Fchunkeey.git;a=blobdiff_plain;f=config%2FConfig-build.in;h=ca6f513450a2f6c329bfcff17769c047cd9bf043;hp=69fb7089721af63780ef876a0970baef15c2e8a2;hb=HEAD;hpb=ec73574027f56ce42c2764010710ad49b7d462a3

diff --git a/config/Config-build.in b/config/Config-build.in
index 69fb708972..ef1a10c28d 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -1,31 +1,80 @@
-# Copyright (C) 2006-2013 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
+# SPDX-License-Identifier: GPL-2.0-only
 #
+# Copyright (C) 2006-2013 OpenWrt.org
+# Copyright (C) 2016 LEDE Project
+
+config EXPERIMENTAL
+	bool "Enable experimental features by default"
+	default n
+	help
+	  Set this option to build with latest bleeding edge features
+	  which may or may not work as expected.
+	  If you would like to help the development of OpenWrt, you are
+	  encouraged to set this option and provide feedback (both
+	  positive and negative). But do so only if you know how to
+	  recover your device in case of flashing potentially non-working
+	  firmware.
+
+	  If you plan to use this build in production, say NO!
 
 menu "Global build settings"
 
+	config JSON_OVERVIEW_IMAGE_INFO
+		bool "Create JSON info file overview per target"
+		default y
+		help
+		  Create a JSON info file called profiles.json in the target
+		  directory containing machine readable list of built profiles
+		  and resulting images.
+
+	config ALL_NONSHARED
+		bool "Select all target specific packages by default"
+		select ALL_KMODS
+		default BUILDBOT
+
 	config ALL_KMODS
 		bool "Select all kernel module packages by default"
-		default ALL
 
 	config ALL
 		bool "Select all userspace packages by default"
+		select ALL_KMODS
+		select ALL_NONSHARED
+
+	config BUILDBOT
+		bool "Set build defaults for automatic builds (e.g. via buildbot)"
 		default n
+		help
+		  This option changes several defaults to be more suitable for
+		  automatic builds. This includes the following changes:
+		  - Deleting build directories after compiling (to save space)
+		  - Enabling per-device rootfs support
+		  ...
 
 	config SIGNED_PACKAGES
 		bool "Cryptographically signed package lists"
 		default y
 
+	config SIGNATURE_CHECK
+		bool "Enable signature checking in opkg"
+		default SIGNED_PACKAGES
+
 	comment "General build options"
 
+	config TESTING_KERNEL
+		bool "Use the testing kernel version"
+		depends on HAS_TESTING_KERNEL
+		default EXPERIMENTAL
+		help
+		  If the target supports a newer kernel version than the default,
+		  you can use this config option to enable it
+
+
 	config DISPLAY_SUPPORT
 		bool "Show packages that require graphics support (local or remote)"
 		default n
 
 	config BUILD_PATENTED
-		default y
+		default n
 		bool "Compile with support for patented functionality"
 		help
 		  When this option is disabled, software which provides patented functionality
@@ -42,10 +91,7 @@ menu "Global build settings"
 
 	config SHADOW_PASSWORDS
 		bool
-		prompt "Enable shadow password support"
 		default y
-		help
-		  Enable shadow password support.
 
 	config CLEAN_IPKG
 		bool
@@ -55,20 +101,45 @@ menu "Global build settings"
 		  This removes all ipkg/opkg status data files from the target directory
 		  before building the root filesystem.
 
+	config IPK_FILES_CHECKSUMS
+		bool
+		prompt "Record files checksums in package metadata"
+		default n
+		help
+		  This makes file checksums part of package metadata. It increases size
+		  but provides you with pkg_check command to check for flash corruptions.
+
+	config INCLUDE_CONFIG
+		bool "Include build configuration in firmware" if DEVEL
+		default n
+		help
+		  If enabled, buildinfo files will be stored in /etc/build.* of firmware.
+
+	config REPRODUCIBLE_DEBUG_INFO
+		bool "Make debug information reproducible"
+		default BUILDBOT
+		help
+		  This strips the local build path out of debug information. This has the
+		  advantage of making it reproducible, but the disadvantage of making local
+		  debugging using ./scripts/remote-gdb harder, since the debug data will
+		  no longer point to the full path on the build host.
+
 	config COLLECT_KERNEL_DEBUG
 		bool
 		prompt "Collect kernel debug information"
 		select KERNEL_DEBUG_INFO
-		default n
+		default BUILDBOT
 		help
 		  This collects debugging symbols from the kernel and all compiled modules.
 		  Useful for release builds, so that kernel issues can be debugged offline
 		  later.
 
-	comment "Kernel build options"
+	menu "Kernel build options"
 
 	source "config/Config-kernel.in"
 
+	endmenu
+
 	comment "Package build options"
 
 	config DEBUG
@@ -83,67 +154,14 @@ menu "Global build settings"
 		prompt "Enable IPv6 support in packages"
 		default y
 		help
-		  Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts).
-
-	config PKG_BUILD_PARALLEL
-		bool
-		prompt "Compile certain packages parallelized"
-		default y
-		help
-		  This adds a -jX option to certain packages that are known to behave well
-		  for parallel build. By default, the package make processes use the main
-		  jobserver, in which case this option only takes effect when you add -jX
-		  to the make command.
-
-		  If you are unsure, select N.
-
-	config PKG_BUILD_USE_JOBSERVER
-		bool
-		prompt "Use top-level make jobserver for packages"
-		depends on PKG_BUILD_PARALLEL
-		default y
-		help
-		  This passes the main make process jobserver fds to package builds,
-		  enabling full parallelization across different packages.
-
-		  Note that disabling this may overcommit CPU resources depending on the
-		  -j level of the main make process, the number of package submake jobs
-		  selected below and the number of actual CPUs present.
-		  Example: If the main make is passed a -j4 and the submake -j
-		  is also set to 4, we may end up with 16 parallel make processes
-		  in the worst case.
-
-	config PKG_BUILD_JOBS
-		int
-		prompt "Number of package submake jobs (2-512)"
-		range 2 512
-		default 2
-		depends on PKG_BUILD_PARALLEL && !PKG_BUILD_USE_JOBSERVER
-		help
-		  The number of jobs (-jX) to pass to packages submake.
-
-	config PKG_DEFAULT_PARALLEL
-		bool
-		prompt "Parallelize the default package build rule (May break build)"
-		depends on PKG_BUILD_PARALLEL
-		depends on BROKEN
-		default n
-		help
-		  Always set the default package build rules to parallel build.
-
-		  WARNING: This may break build or kill your cat, as it builds packages
-		  with multiple jobs that are probably not tested in a parallel build
-		  environment.
-
-		  Only say Y if you don't mind fixing broken packages.  Before reporting
-		  build bugs, set this to N and re-run the build.
+		  Enables IPv6 support in kernel (builtin) and packages.
 
 	comment "Stripping options"
 
 	choice
 		prompt "Binary stripping method"
 		default USE_STRIP   if EXTERNAL_TOOLCHAIN
-		default USE_STRIP   if USE_GLIBC || USE_MUSL
+		default USE_STRIP   if USE_GLIBC
 		default USE_SSTRIP
 		help
 		  Select the binary stripping method you wish to use.
@@ -152,7 +170,7 @@ menu "Global build settings"
 			bool "none"
 			help
 			  This will install unstripped binaries (useful for native
-		 	  compiling/debugging).
+			  compiling/debugging).
 
 		config USE_STRIP
 			bool "strip"
@@ -162,7 +180,6 @@ menu "Global build settings"
 
 		config USE_SSTRIP
 			bool "sstrip"
-			depends on !DEBUG
 			depends on !USE_GLIBC
 			help
 			  This will install binaries stripped using sstrip.
@@ -177,6 +194,14 @@ menu "Global build settings"
 		help
 		  Specifies arguments passed to the strip command when stripping binaries.
 
+	config SSTRIP_ARGS
+		string
+		prompt "Sstrip arguments"
+		depends on USE_SSTRIP
+		default "-z"
+		help
+		  Specifies arguments passed to the sstrip command when stripping binaries.
+
 	config STRIP_KERNEL_EXPORTS
 		bool "Strip unnecessary exports from the kernel image"
 		help
@@ -192,52 +217,63 @@ menu "Global build settings"
 		  make the system libraries incompatible with most of the packages that are
 		  not selected during the build process.
 
-	choice
-		prompt "Preferred standard C++ library"
-		default USE_LIBSTDCXX if USE_GLIBC
-		default USE_UCLIBCXX
-		help
-		  Select the preferred standard C++ library for all packages that support this.
-
-		config USE_UCLIBCXX
-			bool "uClibc++"
-
-		config USE_LIBSTDCXX
-			bool "libstdc++"
-	endchoice
-
 	comment "Hardening build options"
 
 	config PKG_CHECK_FORMAT_SECURITY
 		bool
 		prompt "Enable gcc format-security"
-		default n
+		default y
 		help
 		  Add -Wformat -Werror=format-security to the CFLAGS.  You can disable
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 		  Makefile.
 
+	choice
+		prompt "User space ASLR PIE compilation"
+		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+		default PKG_ASLR_PIE_REGULAR
+		help
+		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+		  This enables package build as Position Independent Executables (PIE)
+		  to protect against "return-to-text" attacks. This belongs to the
+		  feature of Address Space Layout Randomisation (ASLR), which is
+		  implemented by the kernel and the ELF loader by randomising the
+		  location of memory allocations. This makes memory addresses harder
+		  to predict when an attacker is attempting a memory-corruption exploit.
+		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+		  Makefile.
+		  Be ware that ASLR increases the binary size.
+		config PKG_ASLR_PIE_NONE
+			bool "None"
+			help
+			  PIE is deactivated for all applications
+		config PKG_ASLR_PIE_REGULAR
+			bool "Regular"
+			help
+			  PIE is activated for some binaries, mostly network exposed applications
+		config PKG_ASLR_PIE_ALL
+			bool "All"
+			select BUSYBOX_DEFAULT_PIE
+			help
+			  PIE is activated for all applications
+	endchoice
+
 	choice
 		prompt "User space Stack-Smashing Protection"
-		default PKG_CC_STACKPROTECTOR_NONE
+		default PKG_CC_STACKPROTECTOR_REGULAR
 		help
 		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
 		config PKG_CC_STACKPROTECTOR_NONE
 			bool "None"
 		config PKG_CC_STACKPROTECTOR_REGULAR
 			bool "Regular"
-			select SSP_SUPPORT
-			depends on KERNEL_CC_STACKPROTECTOR_REGULAR
 		config PKG_CC_STACKPROTECTOR_STRONG
 			bool "Strong"
-			select SSP_SUPPORT
-			depends on GCC_VERSION_4_9_LINARO
-			depends on KERNEL_CC_STACKPROTECTOR_STRONG
 	endchoice
 
 	choice
 		prompt "Kernel space Stack-Smashing Protection"
-		default KERNEL_CC_STACKPROTECTOR_NONE
+		default KERNEL_CC_STACKPROTECTOR_REGULAR
 		help
 		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
 		config KERNEL_CC_STACKPROTECTOR_NONE
@@ -245,12 +281,20 @@ menu "Global build settings"
 		config KERNEL_CC_STACKPROTECTOR_REGULAR
 			bool "Regular"
 		config KERNEL_CC_STACKPROTECTOR_STRONG
-			depends on GCC_VERSION_4_9_LINARO
 			bool "Strong"
 	endchoice
 
+	config KERNEL_STACKPROTECTOR
+		bool
+		default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
+
+	config KERNEL_STACKPROTECTOR_STRONG
+		bool
+		default KERNEL_CC_STACKPROTECTOR_STRONG
+
 	choice
 		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
+		default PKG_FORTIFY_SOURCE_1
 		help
 		  Enable the _FORTIFY_SOURCE macro which introduces additional
 		  checks to detect buffer-overflows in the following standard library
@@ -270,6 +314,7 @@ menu "Global build settings"
 
 	choice
 		prompt "Enable RELRO protection"
+		default PKG_RELRO_FULL
 		help
 		  Enable a link-time protection known as RELRO (Relocation Read Only)
 		  which helps to protect from certain type of exploitation techniques
@@ -285,4 +330,58 @@ menu "Global build settings"
 			bool "Full"
 	endchoice
 
+	config TARGET_ROOTFS_SECURITY_LABELS
+		bool
+		select KERNEL_SQUASHFS_XATTR
+		select KERNEL_EXT4_FS_SECURITY
+		select KERNEL_F2FS_FS_SECURITY
+		select KERNEL_UBIFS_FS_SECURITY
+		select KERNEL_JFFS2_FS_SECURITY
+
+	config SELINUX
+		bool "Enable SELinux"
+		select KERNEL_SECURITY_SELINUX
+		select TARGET_ROOTFS_SECURITY_LABELS
+		select PACKAGE_procd-selinux
+		select PACKAGE_busybox-selinux
+		help
+		  This option enables SELinux kernel features, applies security labels
+		  in squashfs rootfs and selects the selinux-variants of busybox and procd.
+
+		  Selecting this option results in about 0.5MiB of additional flash space
+		  usage accounting for increased kernel and rootfs size.
+
+	choice
+		prompt "default SELinux type"
+		depends on TARGET_ROOTFS_SECURITY_LABELS
+		default SELINUXTYPE_dssp
+		help
+		  Select SELinux policy to be installed and used for applying rootfs labels.
+
+		config SELINUXTYPE_targeted
+			bool "targeted"
+			select PACKAGE_refpolicy
+			help
+			  SELinux Reference Policy (refpolicy)
+
+		config SELINUXTYPE_dssp
+			bool "dssp"
+			select PACKAGE_selinux-policy
+			help
+			  Defensec SELinux Security Policy -- OpenWrt edition
+
+	endchoice
+
+	config SECCOMP
+		bool "Enable SECCOMP"
+		select KERNEL_SECCOMP
+		select PACKAGE_procd-seccomp
+		depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
+		depends on !TARGET_uml
+		default y
+		help
+		  This option enables seccomp kernel features to safely
+		  execute untrusted bytecode and selects the seccomp-variants
+		  of procd
+
 endmenu