summaryrefslogtreecommitdiff
path: root/config/Config-build.in
blob: a082a5e0e2ed9ad3e9749440c3f244aee8668072 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

menu "Global build settings"

	config ALL_NONSHARED
		bool "Select all target specific packages by default"
		select ALL_KMODS
		default BUILDBOT

	config ALL_KMODS
		bool "Select all kernel module packages by default"

	config ALL
		bool "Select all userspace packages by default"
		select ALL_KMODS
		select ALL_NONSHARED

	config BUILDBOT
		bool "Set build defaults for automatic builds (e.g. via buildbot)"
		default n
		help
		  This option changes several defaults to be more suitable for
		  automatic builds. This includes the following changes:
		  - Deleting build directories after compiling (to save space)
		  - Enabling per-device rootfs support
		  ...

	config SIGNED_PACKAGES
		bool "Cryptographically signed package lists"
		default y

	comment "General build options"

	config DISPLAY_SUPPORT
		bool "Show packages that require graphics support (local or remote)"
		default n

	config BUILD_PATENTED
		default n
		bool "Compile with support for patented functionality"
		help
		  When this option is disabled, software which provides patented functionality
		  will not be built.  In case software provides optional support for patented
		  functionality, this optional support will get disabled for this package.

	config BUILD_NLS
		default n
		bool "Compile with full language support"
		help
		  When this option is enabled, packages are built with the full versions of
		  iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
		  used, it is also built with locale support.

	config SHADOW_PASSWORDS
		bool
		default y

	config CLEAN_IPKG
		bool
		prompt "Remove ipkg/opkg status data files in final images"
		default n
		help
		  This removes all ipkg/opkg status data files from the target directory
		  before building the root filesystem.

	config INCLUDE_CONFIG
		bool "Include build configuration in firmware" if DEVEL
		default n
		help
		  If enabled, config.seed will be stored in /etc/build.config of firmware.

	config COLLECT_KERNEL_DEBUG
		bool
		prompt "Collect kernel debug information"
		select KERNEL_DEBUG_INFO
		default BUILDBOT
		help
		  This collects debugging symbols from the kernel and all compiled modules.
		  Useful for release builds, so that kernel issues can be debugged offline
		  later.

	menu "Kernel build options"

	source "config/Config-kernel.in"

	endmenu

	comment "Package build options"

	config DEBUG
		bool
		prompt "Compile packages with debugging info"
		default n
		help
		  Adds -g3 to the CFLAGS.

	config IPV6
		bool
		prompt "Enable IPv6 support in packages"
		default y
		help
		  Enables IPv6 support in kernel (builtin) and packages.

	comment "Stripping options"

	choice
		prompt "Binary stripping method"
		default USE_STRIP   if EXTERNAL_TOOLCHAIN
		default USE_STRIP   if USE_GLIBC
		default USE_SSTRIP
		help
		  Select the binary stripping method you wish to use.

		config NO_STRIP
			bool "none"
			help
			  This will install unstripped binaries (useful for native
			  compiling/debugging).

		config USE_STRIP
			bool "strip"
			help
			  This will install binaries stripped using strip from binutils.


		config USE_SSTRIP
			bool "sstrip"
			depends on !USE_GLIBC
			help
			  This will install binaries stripped using sstrip.
	endchoice

	config STRIP_ARGS
		string
		prompt "Strip arguments"
		depends on USE_STRIP
		default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
		default "--strip-all"
		help
		  Specifies arguments passed to the strip command when stripping binaries.

	config STRIP_KERNEL_EXPORTS
		bool "Strip unnecessary exports from the kernel image"
		help
		  Reduces kernel size by stripping unused kernel exports from the kernel
		  image.  Note that this might make the kernel incompatible with any kernel
		  modules that were not selected at the time the kernel image was created.

	config USE_MKLIBS
		bool "Strip unnecessary functions from libraries"
		help
		  Reduces libraries to only those functions that are necessary for using all
		  selected packages (including those selected as <M>).  Note that this will
		  make the system libraries incompatible with most of the packages that are
		  not selected during the build process.

	choice
		prompt "Preferred standard C++ library"
		default USE_LIBSTDCXX if USE_GLIBC
		default USE_UCLIBCXX
		help
		  Select the preferred standard C++ library for all packages that support this.

		config USE_UCLIBCXX
			bool "uClibc++"

		config USE_LIBSTDCXX
			bool "libstdc++"
	endchoice

	comment "Hardening build options"

	config PKG_CHECK_FORMAT_SECURITY
		bool
		prompt "Enable gcc format-security"
		default y
		help
		  Add -Wformat -Werror=format-security to the CFLAGS.  You can disable
		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
		  Makefile.

	config PKG_ASLR_PIE
		bool
		prompt "User space ASLR PIE compilation"
		select BUSYBOX_DEFAULT_PIE
		default n
		help
		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
		  This enables package build as Position Independent Executables (PIE)
		  to protect against "return-to-text" attacks. This belongs to the
		  feature of Address Space Layout Randomisation (ASLR), which is
		  implemented by the kernel and the ELF loader by randomising the
		  location of memory allocations. This makes memory addresses harder
		  to predict when an attacker is attempting a memory-corruption exploit.
		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
		  Makefile.

	choice
		prompt "User space Stack-Smashing Protection"
		depends on USE_MUSL
		default PKG_CC_STACKPROTECTOR_REGULAR
		help
		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
		config PKG_CC_STACKPROTECTOR_NONE
			bool "None"
		config PKG_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
			select GCC_LIBSSP if !USE_MUSL
			depends on KERNEL_CC_STACKPROTECTOR_REGULAR
		config PKG_CC_STACKPROTECTOR_STRONG
			bool "Strong"
			select GCC_LIBSSP if !USE_MUSL
			depends on !GCC_VERSION_4_8
			depends on KERNEL_CC_STACKPROTECTOR_STRONG
	endchoice

	choice
		prompt "Kernel space Stack-Smashing Protection"
		default KERNEL_CC_STACKPROTECTOR_REGULAR
		depends on USE_MUSL || !(x86_64 || i386)
		help
		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
		config KERNEL_CC_STACKPROTECTOR_NONE
			bool "None"
		config KERNEL_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
		config KERNEL_CC_STACKPROTECTOR_STRONG
			depends on !GCC_VERSION_4_8
			bool "Strong"
	endchoice

	choice
		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
		default PKG_FORTIFY_SOURCE_1
		help
		  Enable the _FORTIFY_SOURCE macro which introduces additional
		  checks to detect buffer-overflows in the following standard library
		  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
		  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
		  gets.  "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
		  checks that shouldn't change the behavior of conforming programs,
		  while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
		  added, but some conforming programs might fail.
		config PKG_FORTIFY_SOURCE_NONE
			bool "None"
		config PKG_FORTIFY_SOURCE_1
			bool "Conservative"
		config PKG_FORTIFY_SOURCE_2
			bool "Aggressive"
	endchoice

	choice
		prompt "Enable RELRO protection"
		default PKG_RELRO_FULL
		help
		  Enable a link-time protection known as RELRO (Relocation Read Only)
		  which helps to protect from certain type of exploitation techniques
		  altering the content of some ELF sections. "Partial" RELRO makes the
		  .dynamic section not writeable after initialization, introducing
		  almost no performance penalty, while "full" RELRO also marks the GOT
		  as read-only at the cost of initializing all of it at startup.
		config PKG_RELRO_NONE
			bool "None"
		config PKG_RELRO_PARTIAL
			bool "Partial"
		config PKG_RELRO_FULL
			bool "Full"
	endchoice

endmenu