X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fstaging%2Fwigyori.git;a=blobdiff_plain;f=config%2FConfig-build.in;h=59dfaea8bb9bd7a90ed17e5d6316376bda3ad6a7;hp=371ae7632adf053023e1a5e55b7a543b8a441c86;hb=19cbac7d264dfca1f75849de64beb98830fbb1e4;hpb=9fa3c68938c0340bc67dbe3199586190aa540a16
diff --git a/config/Config-build.in b/config/Config-build.in
index 371ae7632a..59dfaea8bb 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -1,4 +1,5 @@
 # Copyright (C) 2006-2013 OpenWrt.org
+# Copyright (C) 2016 LEDE Project
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -6,65 +7,117 @@ menu "Global build settings" + config JSON_ADD_IMAGE_INFO + bool "Create JSON info files per build image" + default BUILDBOT + help + The JSON info files contain information about the device and + build images, stored next to the firmware images. + + config ALL_NONSHARED + bool "Select all target specific packages by default" + select ALL_KMODS + default BUILDBOT + + config ALL_KMODS + bool "Select all kernel module packages by default" + config ALL - bool "Select all packages by default" + bool "Select all userspace packages by default" + select ALL_KMODS + select ALL_NONSHARED + + config BUILDBOT + bool "Set build defaults for automatic builds (e.g. via buildbot)" default n + help + This option changes several defaults to be more suitable for + automatic builds. This includes the following changes: + - Deleting build directories after compiling (to save space) + - Enabling per-device rootfs support + ... + + config SIGNED_PACKAGES + bool "Cryptographically signed package lists" + default y + + config SIGNATURE_CHECK + bool "Enable signature checking in opkg" + default SIGNED_PACKAGES comment "General build options" + config TESTING_KERNEL + bool "Use the testing kernel version" + depends on HAS_TESTING_KERNEL + default n + help + If the target supports a newer kernel version than the default, + you can use this config option to enable it + + config DISPLAY_SUPPORT bool "Show packages that require graphics support (local or remote)" default n config BUILD_PATENTED - default y + default n bool "Compile with support for patented functionality" help - When this option is disabled, software which provides patented functionality will not be built. - In case software provides optional support for patented functionality, - this optional support will get disabled for this package. + When this option is disabled, software which provides patented functionality + will not be built. 
In case software provides optional support for patented + functionality, this optional support will get disabled for this package. config BUILD_NLS default n bool "Compile with full language support" help - When this option is enabled, packages are built with the full versions of iconv and GNU gettext - instead of the default OpenWrt stubs. If uClibc is used, it is also built with locale support. - - config BUILD_STATIC_TOOLS - default n - bool "Attempt to link host utilities statically" - help - Linking host utilities like sed or firmware-utils statically increases the portability of the - generated ImageBuilder and SDK tarballs, however it may fail on some Linux distributions. + When this option is enabled, packages are built with the full versions of + iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is + used, it is also built with locale support. config SHADOW_PASSWORDS bool - prompt "Enable shadow password support" default y - help - Enable shadow password support. config CLEAN_IPKG bool prompt "Remove ipkg/opkg status data files in final images" default n help - This removes all ipkg/opkg status data files from the target directory before building the root fs + This removes all ipkg/opkg status data files from the target directory + before building the root filesystem. + + config IPK_FILES_CHECKSUMS + bool + prompt "Record files checksums in package metadata" + default n + help + This makes file checksums part of package metadata. It increases size + but provides you with pkg_check command to check for flash coruptions. + + config INCLUDE_CONFIG + bool "Include build configuration in firmware" if DEVEL + default n + help + If enabled, config.buildinfo will be stored in /etc/build.config of firmware. config COLLECT_KERNEL_DEBUG bool prompt "Collect kernel debug information" select KERNEL_DEBUG_INFO - default n + default BUILDBOT help This collects debugging symbols from the kernel and all compiled modules. 
- Useful for release builds, so that kernel issues can be debugged offline later. + Useful for release builds, so that kernel issues can be debugged offline + later. - comment "Kernel build options" + menu "Kernel build options" source "config/Config-kernel.in" + endmenu + comment "Package build options" config DEBUG 
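Review bot: The new SIGNED_PACKAGES and SIGNATURE_CHECK entries carry no help text, although together they decide whether a device verifies the package lists it installs from; every other new option in this hunk has one. For SIGNED_PACKAGES I would add `help` / `Sign the generated package lists so that opkg on the device can verify them.`, and for SIGNATURE_CHECK `help` / `Make opkg verify package-list signatures. Defaults to SIGNED_PACKAGES, so turning signing off also turns the check off unless this is set explicitly.`, which states the coupling that `default SIGNED_PACKAGES` only implies. In IPK_FILES_CHECKSUMS the help has a typo, `flash coruptions` should read `flash corruptions`. The `select ALL_KMODS` on ALL is redundant with the `select ALL_NONSHARED` beneath it, since ALL_NONSHARED already selects ALL_KMODS; harmless, but one of the two can go.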
@@ -72,75 +125,21 @@ menu "Global build settings" prompt "Compile packages with debugging info" default n help - Adds -g3 to the CFLAGS + Adds -g3 to the CFLAGS. config IPV6 bool prompt "Enable IPv6 support in packages" default y help - Enable IPV6 support in packages (passes --enable-ipv6 to configure scripts). - - config PKG_BUILD_PARALLEL - bool - prompt "Compile certain packages parallelized" - default y - help - This adds a -jX option to certain packages that are known to - behave well for parallel build. By default the package make processes - use the main jobserver, in which case this option only takes effect - when you add -jX to the make command. - - If you are unsure, select N. - - config PKG_BUILD_USE_JOBSERVER - bool - prompt "Use top-level make jobserver for packages" - depends on PKG_BUILD_PARALLEL - default y - help - This passes the main make process jobserver fds to package builds, - enabling full parallelization across different packages - - Note that disabling this may overcommit CPU resources depending on the - -j level of the main make process, the number of package - submake jobs selected below and the number of actual CPUs present. - Example: If the main make is passed a -j4 and the submake -j - is also set to 4, we may end up with 16 parallel make processes - in the worst case. - - - config PKG_BUILD_JOBS - int - prompt "Number of package submake jobs (2-512)" - range 2 512 - default 2 - depends on PKG_BUILD_PARALLEL && !PKG_BUILD_USE_JOBSERVER - help - The number of jobs (-jX) to pass to packages submake. - - config PKG_DEFAULT_PARALLEL - bool - prompt "Parallelize the default package build rule (May break build)" - depends on PKG_BUILD_PARALLEL - depends on BROKEN - default n - help - Always set the default package build rules to parallel build. - - WARNING: This may break build or kill your cat, as it builds - packages with multiple jobs that are probably not tested in - a parallel build environment. 
- - Only say Y, if you don't mind fixing broken packages. - Before reporting build bugs, set this to N and re-run the build. + Enables IPv6 support in kernel (builtin) and packages. comment "Stripping options" choice prompt "Binary stripping method" default USE_STRIP if EXTERNAL_TOOLCHAIN - default USE_STRIP if USE_GLIBC || USE_EGLIBC || USE_MUSL + default USE_STRIP if USE_GLIBC default USE_SSTRIP help Select the binary stripping method you wish to use. @@ -148,21 +147,20 @@ menu "Global build settings" config NO_STRIP bool "none" help - This will install unstripped binaries (useful for native compiling/debugging) + This will install unstripped binaries (useful for native + compiling/debugging). config USE_STRIP bool "strip" help - This will install binaries stripped using strip from binutils + This will install binaries stripped using strip from binutils. config USE_SSTRIP bool "sstrip" - depends on !DEBUG depends on !USE_GLIBC - depends on !USE_EGLIBC help - This will install binaries stripped using sstrip + This will install binaries stripped using sstrip. endchoice config STRIP_ARGS 
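Review bot: Dropping `depends on !DEBUG` from USE_SSTRIP lets a build with DEBUG enabled pick sstrip, which, unlike strip, discards everything the loader does not need, including the debug sections that `-g3` (config DEBUG) and the DEBUG-specific STRIP_ARGS default (`--strip-unneeded --remove-section=.comment --remove-section=.note`, next hunk) are there to keep. If the removal is intentional, the help should say what a DEBUG build loses, for example `Note: sstrip also removes debug information; with DEBUG enabled, choose "strip" instead.`; otherwise the dependency should stay. The enclosing `choice` starts in the previous hunk and only its tail (`endchoice`) is visible here.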
@@ -172,26 +170,26 @@ menu "Global build settings" default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG default "--strip-all" help - Specifies arguments passed to the strip command when stripping binaries + Specifies arguments passed to the strip command when stripping binaries. config STRIP_KERNEL_EXPORTS bool "Strip unnecessary exports from the kernel image" help - Reduces kernel size by stripping unused kernel exports from the kernel image - Note that this might make the kernel incompatible with any kernel modules that - were not selected at the time the kernel image was created + Reduces kernel size by stripping unused kernel exports from the kernel + image. Note that this might make the kernel incompatible with any kernel + modules that were not selected at the time the kernel image was created. config USE_MKLIBS bool "Strip unnecessary functions from libraries" help Reduces libraries to only those functions that are necessary for using all - selected packages (including those selected as ) - Note that this will make the system libraries incompatible with most of the packages - that are not selected during the build process + selected packages (including those selected as ). Note that this will + make the system libraries incompatible with most of the packages that are + not selected during the build process. choice prompt "Preferred standard C++ library" - default USE_LIBSTDCXX if USE_EGLIBC + default USE_LIBSTDCXX if USE_GLIBC default USE_UCLIBCXX help Select the preferred standard C++ library for all packages that support this. 
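Review bot: The rewrapped USE_MKLIBS help still contains `(including those selected as )`, a parenthetical whose object is missing, probably a token in angle brackets that was stripped as markup in an earlier edit; as written the sentence says nothing. Either restore the intended word or cut it down to `selected packages. Note that this will`. The rest of the hunk is wording only and reads fine.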
@@ -199,8 +197,131 @@ menu "Global build settings" config USE_UCLIBCXX bool "uClibc++" + config USE_LIBCXX + bool "libc++" + depends on !USE_UCLIBC + config USE_LIBSTDCXX bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default y + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space ASLR PIE compilation" + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK) + default PKG_ASLR_PIE_REGULAR + help + Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. + This enables package build as Position Independent Executables (PIE) + to protect against "return-to-text" attacks. This belongs to the + feature of Address Space Layout Randomisation (ASLR), which is + implemented by the kernel and the ELF loader by randomising the + location of memory allocations. This makes memory addresses harder + to predict when an attacker is attempting a memory-corruption exploit. + You can disable this per package by adding PKG_ASLR_PIE:=0 in the package + Makefile. + Be ware that ASLR increases the binary size. 
+ config PKG_ASLR_PIE_NONE + bool "None" + help + PIE is deactivated for all applications + config PKG_ASLR_PIE_REGULAR + bool "Regular" + help + PIE is activated for some binaries, mostly network exposed applications + config PKG_ASLR_PIE_ALL + bool "All" + select BUSYBOX_DEFAULT_PIE + help + PIE is activated for all applications + endchoice + + choice + prompt "User space Stack-Smashing Protection" + depends on USE_MUSL + default PKG_CC_STACKPROTECTOR_REGULAR + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select GCC_LIBSSP if !USE_MUSL + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select GCC_LIBSSP if !USE_MUSL + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_REGULAR + depends on USE_MUSL || !(x86_64 || i386) + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + bool "Strong" + endchoice + + config KERNEL_STACKPROTECTOR + bool + default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG + + config KERNEL_STACKPROTECTOR_STRONG + bool + default KERNEL_CC_STACKPROTECTOR_STRONG + + choice + prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + default PKG_FORTIFY_SOURCE_1 + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. 
"Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that shouldn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. + config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + default PKG_RELRO_FULL + help + Enable a link-time protection known as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu