OpenWrt – Blame information for rev 1
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | # Copyright (C) 2006-2013 OpenWrt.org |
2 | # Copyright (C) 2016 LEDE Project |
||
3 | # |
||
4 | # This is free software, licensed under the GNU General Public License v2. |
||
5 | # See /LICENSE for more information. |
||
6 | # |
||
7 | |||
8 | menu "Global build settings" |
||
9 | |||
10 | config ALL_NONSHARED |
||
11 | bool "Select all target specific packages by default" |
||
12 | select ALL_KMODS |
||
13 | default BUILDBOT |
||
14 | |||
15 | config ALL_KMODS |
||
16 | bool "Select all kernel module packages by default" |
||
17 | |||
18 | config ALL |
||
19 | bool "Select all userspace packages by default" |
||
20 | select ALL_KMODS |
||
21 | select ALL_NONSHARED |
||
22 | |||
23 | config BUILDBOT |
||
24 | bool "Set build defaults for automatic builds (e.g. via buildbot)" |
||
25 | default n |
||
26 | help |
||
27 | This option changes several defaults to be more suitable for |
||
28 | automatic builds. This includes the following changes: |
||
29 | - Deleting build directories after compiling (to save space) |
||
30 | - Enabling per-device rootfs support |
||
31 | ... |
||
32 | |||
33 | config SIGNED_PACKAGES |
||
34 | bool "Cryptographically signed package lists" |
||
35 | default y |
||
36 | |||
37 | comment "General build options" |
||
38 | |||
39 | config DISPLAY_SUPPORT |
||
40 | bool "Show packages that require graphics support (local or remote)" |
||
41 | default n |
||
42 | |||
43 | config BUILD_PATENTED |
||
44 | default n |
||
45 | bool "Compile with support for patented functionality" |
||
46 | help |
||
47 | When this option is disabled, software which provides patented functionality |
||
48 | will not be built. In case software provides optional support for patented |
||
49 | functionality, this optional support will get disabled for this package. |
||
50 | |||
51 | config BUILD_NLS |
||
52 | default n |
||
53 | bool "Compile with full language support" |
||
54 | help |
||
55 | When this option is enabled, packages are built with the full versions of |
||
56 | iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is |
||
57 | used, it is also built with locale support. |
||
58 | |||
59 | config SHADOW_PASSWORDS |
||
60 | bool |
||
61 | default y |
||
62 | |||
63 | config CLEAN_IPKG |
||
64 | bool |
||
65 | prompt "Remove ipkg/opkg status data files in final images" |
||
66 | default n |
||
67 | help |
||
68 | This removes all ipkg/opkg status data files from the target directory |
||
69 | before building the root filesystem. |
||
70 | |||
71 | config IPK_FILES_CHECKSUMS |
||
72 | bool |
||
73 | prompt "Record files checksums in package metadata" |
||
74 | default n |
||
75 | help |
||
76 | This makes file checksums part of package metadata. It increases size |
||
77 | but provides you with the pkg_check command to check for flash corruption. |
||
78 | |||
79 | config INCLUDE_CONFIG |
||
80 | bool "Include build configuration in firmware" if DEVEL |
||
81 | default n |
||
82 | help |
||
83 | If enabled, config.seed will be stored in /etc/build.config of firmware. |
||
84 | |||
85 | config COLLECT_KERNEL_DEBUG |
||
86 | bool |
||
87 | prompt "Collect kernel debug information" |
||
88 | select KERNEL_DEBUG_INFO |
||
89 | default BUILDBOT |
||
90 | help |
||
91 | This collects debugging symbols from the kernel and all compiled modules. |
||
92 | Useful for release builds, so that kernel issues can be debugged offline |
||
93 | later. |
||
94 | |||
95 | menu "Kernel build options" |
||
96 | |||
97 | source "config/Config-kernel.in" |
||
98 | |||
99 | endmenu |
||
100 | |||
101 | comment "Package build options" |
||
102 | |||
103 | config DEBUG |
||
104 | bool |
||
105 | prompt "Compile packages with debugging info" |
||
106 | default n |
||
107 | help |
||
108 | Adds -g3 to the CFLAGS. |
||
109 | |||
110 | config IPV6 |
||
111 | bool |
||
112 | prompt "Enable IPv6 support in packages" |
||
113 | default y |
||
114 | help |
||
115 | Enables IPv6 support in kernel (builtin) and packages. |
||
116 | |||
117 | comment "Stripping options" |
||
118 | |||
119 | choice |
||
120 | prompt "Binary stripping method" |
||
121 | default USE_STRIP if EXTERNAL_TOOLCHAIN |
||
122 | default USE_STRIP if USE_GLIBC |
||
123 | default USE_SSTRIP |
||
124 | help |
||
125 | Select the binary stripping method you wish to use. |
||
126 | |||
127 | config NO_STRIP |
||
128 | bool "none" |
||
129 | help |
||
130 | This will install unstripped binaries (useful for native |
||
131 | compiling/debugging). |
||
132 | |||
133 | config USE_STRIP |
||
134 | bool "strip" |
||
135 | help |
||
136 | This will install binaries stripped using strip from binutils. |
||
137 | |||
138 | |||
139 | config USE_SSTRIP |
||
140 | bool "sstrip" |
||
141 | depends on !USE_GLIBC |
||
142 | help |
||
143 | This will install binaries stripped using sstrip. |
||
144 | endchoice |
||
145 | |||
146 | config STRIP_ARGS |
||
147 | string |
||
148 | prompt "Strip arguments" |
||
149 | depends on USE_STRIP |
||
150 | default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG |
||
151 | default "--strip-all" |
||
152 | help |
||
153 | Specifies arguments passed to the strip command when stripping binaries. |
||
154 | |||
155 | config STRIP_KERNEL_EXPORTS |
||
156 | bool "Strip unnecessary exports from the kernel image" |
||
157 | help |
||
158 | Reduces kernel size by stripping unused kernel exports from the kernel |
||
159 | image. Note that this might make the kernel incompatible with any kernel |
||
160 | modules that were not selected at the time the kernel image was created. |
||
161 | |||
162 | config USE_MKLIBS |
||
163 | bool "Strip unnecessary functions from libraries" |
||
164 | help |
||
165 | Reduces libraries to only those functions that are necessary for using all |
||
166 | selected packages (including those selected as <M>). Note that this will |
||
167 | make the system libraries incompatible with most of the packages that are |
||
168 | not selected during the build process. |
||
169 | |||
170 | choice |
||
171 | prompt "Preferred standard C++ library" |
||
172 | default USE_LIBSTDCXX if USE_GLIBC |
||
173 | default USE_UCLIBCXX |
||
174 | help |
||
175 | Select the preferred standard C++ library for all packages that support this. |
||
176 | |||
177 | config USE_UCLIBCXX |
||
178 | bool "uClibc++" |
||
179 | |||
180 | config USE_LIBSTDCXX |
||
181 | bool "libstdc++" |
||
182 | endchoice |
||
183 | |||
184 | comment "Hardening build options" |
||
185 | |||
186 | config PKG_CHECK_FORMAT_SECURITY |
||
187 | bool |
||
188 | prompt "Enable gcc format-security" |
||
189 | default y |
||
190 | help |
||
191 | Add -Wformat -Werror=format-security to the CFLAGS. You can disable |
||
192 | this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package |
||
193 | Makefile. |
||
194 | |||
195 | config PKG_ASLR_PIE |
||
196 | bool |
||
197 | prompt "User space ASLR PIE compilation" |
||
198 | select BUSYBOX_DEFAULT_PIE |
||
199 | default n |
||
200 | help |
||
201 | Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. |
||
202 | This builds packages as Position Independent Executables (PIE) |
||
203 | to protect against "return-to-text" attacks. PIE is one part of |
||
204 | Address Space Layout Randomisation (ASLR), which is |
||
205 | implemented by the kernel and the ELF loader by randomising the |
||
206 | location of memory allocations. This makes memory addresses harder |
||
207 | to predict when an attacker is attempting a memory-corruption exploit. |
||
208 | You can disable this per package by adding PKG_ASLR_PIE:=0 in the package |
||
209 | Makefile. |
||
210 | |||
211 | choice |
||
212 | prompt "User space Stack-Smashing Protection" |
||
213 | depends on USE_MUSL |
||
214 | default PKG_CC_STACKPROTECTOR_REGULAR |
||
215 | help |
||
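216 | Enable GCC Stack Smashing Protection (SSP) for userspace applications. As declared here, this choice is offered only when musl is used, and "Regular" and "Strong" each depend on the same level being selected for the kernel. |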
||
217 | config PKG_CC_STACKPROTECTOR_NONE |
||
218 | bool "None" |
||
219 | config PKG_CC_STACKPROTECTOR_REGULAR |
||
220 | bool "Regular" |
||
221 | select GCC_LIBSSP if !USE_MUSL |
||
222 | depends on KERNEL_CC_STACKPROTECTOR_REGULAR |
||
223 | config PKG_CC_STACKPROTECTOR_STRONG |
||
224 | bool "Strong" |
||
225 | select GCC_LIBSSP if !USE_MUSL |
||
226 | depends on !GCC_VERSION_4_8 |
||
227 | depends on KERNEL_CC_STACKPROTECTOR_STRONG |
||
228 | endchoice |
||
229 | |||
230 | choice |
||
231 | prompt "Kernel space Stack-Smashing Protection" |
||
232 | default KERNEL_CC_STACKPROTECTOR_REGULAR |
||
233 | depends on USE_MUSL || !(x86_64 || i386) |
||
234 | help |
||
235 | Enable GCC Stack-Smashing Protection (SSP) for the kernel |
||
236 | config KERNEL_CC_STACKPROTECTOR_NONE |
||
237 | bool "None" |
||
238 | config KERNEL_CC_STACKPROTECTOR_REGULAR |
||
239 | bool "Regular" |
||
240 | config KERNEL_CC_STACKPROTECTOR_STRONG |
||
241 | depends on !GCC_VERSION_4_8 |
||
242 | bool "Strong" |
||
243 | endchoice |
||
244 | |||
245 | config KERNEL_STACKPROTECTOR |
||
246 | bool |
||
247 | default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG |
||
248 | |||
249 | config KERNEL_STACKPROTECTOR_STRONG |
||
250 | bool |
||
251 | default KERNEL_CC_STACKPROTECTOR_STRONG |
||
252 | |||
253 | choice |
||
254 | prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" |
||
255 | default PKG_FORTIFY_SOURCE_1 |
||
256 | help |
||
257 | Enable the _FORTIFY_SOURCE macro which introduces additional |
||
258 | checks to detect buffer-overflows in the following standard library |
||
259 | functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, |
||
260 | strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, |
||
261 | gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces |
||
262 | checks that shouldn't change the behavior of conforming programs, |
||
263 | while with "aggressive" (_FORTIFY_SOURCE set to 2) some more checking is |
||
264 | added, but some conforming programs might fail. |
||
265 | config PKG_FORTIFY_SOURCE_NONE |
||
266 | bool "None" |
||
267 | config PKG_FORTIFY_SOURCE_1 |
||
268 | bool "Conservative" |
||
269 | config PKG_FORTIFY_SOURCE_2 |
||
270 | bool "Aggressive" |
||
271 | endchoice |
||
272 | |||
273 | choice |
||
274 | prompt "Enable RELRO protection" |
||
275 | default PKG_RELRO_FULL |
||
276 | help |
||
277 | Enable a link-time protection known as RELRO (Relocation Read Only) |
||
278 | which helps to protect against certain types of exploitation techniques |
||
279 | altering the content of some ELF sections. "Partial" RELRO makes the |
||
280 | .dynamic section not writeable after initialization, introducing |
||
281 | almost no performance penalty, while "full" RELRO also marks the GOT |
||
282 | as read-only at the cost of initializing all of it at startup. |
||
283 | config PKG_RELRO_NONE |
||
284 | bool "None" |
||
285 | config PKG_RELRO_PARTIAL |
||
286 | bool "Partial" |
||
287 | config PKG_RELRO_FULL |
||
288 | bool "Full" |
||
289 | endchoice |
||
290 | |||
291 | endmenu |