config: introduce separate CONFIG_SIGNATURE_CHECK option
[openwrt/staging/wigyori.git] / config / Config-build.in
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

menu "Global build settings"

	config ALL_NONSHARED
		bool "Select all target specific packages by default"
		select ALL_KMODS
		default BUILDBOT

	config ALL_KMODS
		bool "Select all kernel module packages by default"

	config ALL
		bool "Select all userspace packages by default"
		select ALL_KMODS
		select ALL_NONSHARED

	config BUILDBOT
		bool "Set build defaults for automatic builds (e.g. via buildbot)"
		default n
		help
		  This option changes several defaults to be more suitable for
		  automatic builds. This includes the following changes:
		  - Deleting build directories after compiling (to save space)
		  - Enabling per-device rootfs support
		  ...

	config SIGNED_PACKAGES
		bool "Cryptographically signed package lists"
		default y

	config SIGNATURE_CHECK
		bool "Enable signature checking in opkg"
		default SIGNED_PACKAGES

	comment "General build options"

	config TESTING_KERNEL
		bool "Use the testing kernel version"
		depends on HAS_TESTING_KERNEL
		default n
		help
		  If the target supports a newer kernel version than the default,
		  you can use this config option to enable it


	config DISPLAY_SUPPORT
		bool "Show packages that require graphics support (local or remote)"
		default n

	config BUILD_PATENTED
		default n
		bool "Compile with support for patented functionality"
		help
		  When this option is disabled, software which provides patented functionality
		  will not be built. In case software provides optional support for patented
		  functionality, this optional support will get disabled for this package.

	config BUILD_NLS
		default n
		bool "Compile with full language support"
		help
		  When this option is enabled, packages are built with the full versions of
		  iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
		  used, it is also built with locale support.

	config SHADOW_PASSWORDS
		bool
		default y

	config CLEAN_IPKG
		bool
		prompt "Remove ipkg/opkg status data files in final images"
		default n
		help
		  This removes all ipkg/opkg status data files from the target directory
		  before building the root filesystem.

	config IPK_FILES_CHECKSUMS
		bool
		prompt "Record file checksums in package metadata"
		default n
		help
		  This makes file checksums part of package metadata. It increases size
		  but provides you with pkg_check command to check for flash corruption.

	config INCLUDE_CONFIG
		bool "Include build configuration in firmware" if DEVEL
		default n
		help
		  If enabled, config.seed will be stored in /etc/build.config of firmware.

	config COLLECT_KERNEL_DEBUG
		bool
		prompt "Collect kernel debug information"
		select KERNEL_DEBUG_INFO
		default BUILDBOT
		help
		  This collects debugging symbols from the kernel and all compiled modules.
		  Useful for release builds, so that kernel issues can be debugged offline
		  later.

	menu "Kernel build options"

	source "config/Config-kernel.in"

	endmenu

	comment "Package build options"

	config DEBUG
		bool
		prompt "Compile packages with debugging info"
		default n
		help
		  Adds -g3 to the CFLAGS.

	config IPV6
		bool
		prompt "Enable IPv6 support in packages"
		default y
		help
		  Enables IPv6 support in kernel (builtin) and packages.

	comment "Stripping options"

	choice
		prompt "Binary stripping method"
		default USE_STRIP if EXTERNAL_TOOLCHAIN
		default USE_STRIP if USE_GLIBC
		default USE_SSTRIP
		help
		  Select the binary stripping method you wish to use.

		config NO_STRIP
			bool "none"
			help
			  This will install unstripped binaries (useful for native
			  compiling/debugging).

		config USE_STRIP
			bool "strip"
			help
			  This will install binaries stripped using strip from binutils.


		config USE_SSTRIP
			bool "sstrip"
			depends on !USE_GLIBC
			help
			  This will install binaries stripped using sstrip.
	endchoice

	config STRIP_ARGS
		string
		prompt "Strip arguments"
		depends on USE_STRIP
		default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
		default "--strip-all"
		help
		  Specifies arguments passed to the strip command when stripping binaries.

	config STRIP_KERNEL_EXPORTS
		bool "Strip unnecessary exports from the kernel image"
		help
		  Reduces kernel size by stripping unused kernel exports from the kernel
		  image. Note that this might make the kernel incompatible with any kernel
		  modules that were not selected at the time the kernel image was created.

	config USE_MKLIBS
		bool "Strip unnecessary functions from libraries"
		help
		  Reduces libraries to only those functions that are necessary for using all
		  selected packages (including those selected as <M>). Note that this will
		  make the system libraries incompatible with most of the packages that are
		  not selected during the build process.

	choice
		prompt "Preferred standard C++ library"
		default USE_LIBSTDCXX if USE_GLIBC
		default USE_UCLIBCXX
		help
		  Select the preferred standard C++ library for all packages that support this.

		config USE_UCLIBCXX
			bool "uClibc++"

		config USE_LIBSTDCXX
			bool "libstdc++"
	endchoice

	comment "Hardening build options"

	config PKG_CHECK_FORMAT_SECURITY
		bool
		prompt "Enable gcc format-security"
		default y
		help
		  Add -Wformat -Werror=format-security to the CFLAGS. You can disable
		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
		  Makefile.

	config PKG_ASLR_PIE
		bool
		prompt "User space ASLR PIE compilation"
		select BUSYBOX_DEFAULT_PIE
		default n
		help
		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
		  This enables package build as Position Independent Executables (PIE)
		  to protect against "return-to-text" attacks. This belongs to the
		  feature of Address Space Layout Randomisation (ASLR), which is
		  implemented by the kernel and the ELF loader by randomising the
		  location of memory allocations. This makes memory addresses harder
		  to predict when an attacker is attempting a memory-corruption exploit.
		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
		  Makefile.

	choice
		prompt "User space Stack-Smashing Protection"
		depends on USE_MUSL
		default PKG_CC_STACKPROTECTOR_REGULAR
		help
		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
		config PKG_CC_STACKPROTECTOR_NONE
			bool "None"
		config PKG_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
			select GCC_LIBSSP if !USE_MUSL
			depends on KERNEL_CC_STACKPROTECTOR_REGULAR
		config PKG_CC_STACKPROTECTOR_STRONG
			bool "Strong"
			select GCC_LIBSSP if !USE_MUSL
			depends on !GCC_VERSION_4_8
			depends on KERNEL_CC_STACKPROTECTOR_STRONG
	endchoice

	choice
		prompt "Kernel space Stack-Smashing Protection"
		default KERNEL_CC_STACKPROTECTOR_REGULAR
		depends on USE_MUSL || !(x86_64 || i386)
		help
		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
		config KERNEL_CC_STACKPROTECTOR_NONE
			bool "None"
		config KERNEL_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
		config KERNEL_CC_STACKPROTECTOR_STRONG
			depends on !GCC_VERSION_4_8
			bool "Strong"
	endchoice

	config KERNEL_STACKPROTECTOR
		bool
		default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG

	config KERNEL_STACKPROTECTOR_STRONG
		bool
		default KERNEL_CC_STACKPROTECTOR_STRONG

	choice
		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
		default PKG_FORTIFY_SOURCE_1
		help
		  Enable the _FORTIFY_SOURCE macro which introduces additional
		  checks to detect buffer-overflows in the following standard library
		  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
		  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
		  gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
		  checks that shouldn't change the behavior of conforming programs,
		  while with "aggressive" (_FORTIFY_SOURCE set to 2) some more checking
		  is added, but some conforming programs might fail.
		config PKG_FORTIFY_SOURCE_NONE
			bool "None"
		config PKG_FORTIFY_SOURCE_1
			bool "Conservative"
		config PKG_FORTIFY_SOURCE_2
			bool "Aggressive"
	endchoice

	choice
		prompt "Enable RELRO protection"
		default PKG_RELRO_FULL
		help
		  Enable a link-time protection known as RELRO (Relocation Read Only)
		  which helps to protect from certain types of exploitation techniques
		  altering the content of some ELF sections. "Partial" RELRO makes the
		  .dynamic section not writeable after initialization, introducing
		  almost no performance penalty, while "full" RELRO also marks the GOT
		  as read-only at the cost of initializing all of it at startup.
		config PKG_RELRO_NONE
			bool "None"
		config PKG_RELRO_PARTIAL
			bool "Partial"
		config PKG_RELRO_FULL
			bool "Full"
	endchoice

endmenu
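
An added example, not part of the OpenWrt tree: a small auditor that reads a generated `.config` and reports which of the signing and hardening symbols defined in this file are off, including the case this change makes possible where package lists are signed but opkg does not check them. The sample `.config` fragment is constructed, and treating a symbol that is missing from the file as disabled is an assumption of the example.

```python
import re

# Constructed sample .config fragment for illustration (not from the page).
SAMPLE_CONFIG = """\
CONFIG_SIGNED_PACKAGES=y
# CONFIG_SIGNATURE_CHECK is not set
CONFIG_PKG_CHECK_FORMAT_SECURITY=y
# CONFIG_PKG_ASLR_PIE is not set
CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y
CONFIG_PKG_FORTIFY_SOURCE_1=y
CONFIG_PKG_RELRO_PARTIAL=y
"""

LINE = re.compile(r"^(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$")

def parse_config(text):
    """Map each symbol to True ('=y'), False ('is not set') or its string value."""
    syms = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and ordinary comments
        if m.group(3):
            syms[m.group(3)] = False
        else:
            value = m.group(2).strip('"')
            syms[m.group(1)] = True if value == "y" else value
    return syms

def audit(syms):
    """Return (symbol, finding) pairs; a symbol missing from the file counts as off."""
    on = lambda name: syms.get(name) is True
    checks = [
        ("SIGNATURE_CHECK", on("SIGNATURE_CHECK"),
         "opkg will not verify package list signatures"),
        ("PKG_CHECK_FORMAT_SECURITY", on("PKG_CHECK_FORMAT_SECURITY"),
         "-Werror=format-security is not applied"),
        ("PKG_ASLR_PIE", on("PKG_ASLR_PIE"), "packages are not built as PIE"),
        ("PKG_CC_STACKPROTECTOR", on("PKG_CC_STACKPROTECTOR_REGULAR")
         or on("PKG_CC_STACKPROTECTOR_STRONG"), "user space SSP is disabled"),
        ("PKG_FORTIFY_SOURCE", on("PKG_FORTIFY_SOURCE_1")
         or on("PKG_FORTIFY_SOURCE_2"), "_FORTIFY_SOURCE checks are disabled"),
        ("PKG_RELRO", on("PKG_RELRO_FULL"), "the GOT is not marked read-only"),
    ]
    return [(name, msg) for name, ok, msg in checks if not ok]

if __name__ == "__main__":
    for name, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name}: {msg}")
```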