OpenWrt – Blame information for rev 3
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

menu "Global build settings"

	# Bulk-selection switches. ALL pulls in ALL_NONSHARED, and both pull in
	# ALL_KMODS, so enabling any of them widens the set of built packages.
	config ALL_NONSHARED
		bool "Select all target specific packages by default"
		default BUILDBOT
		select ALL_KMODS

	config ALL_KMODS
		bool "Select all kernel module packages by default"

	config ALL
		bool "Select all userspace packages by default"
		select ALL_NONSHARED
		select ALL_KMODS

	# BUILDBOT is also used as the default value of ALL_NONSHARED above and of
	# COLLECT_KERNEL_DEBUG further down, so turning it on flips those defaults.
	config BUILDBOT
		bool "Set build defaults for automatic builds (e.g. via buildbot)"
		default n
		help
		  This option changes several defaults to be more suitable for
		  automatic builds. This includes the following changes:
		  - Deleting build directories after compiling (to save space)
		  - Enabling per-device rootfs support
		  ...

	# On by default and carries no help text.
	# NOTE(review): presumably controls signing of the generated package
	# lists so that clients can verify them; key generation and storage are
	# not visible in this file. Confirm the consequences before disabling.
	config SIGNED_PACKAGES
		bool "Cryptographically signed package lists"
		default y

37 | comment "General build options" |
||
38 | |||
39 | config DISPLAY_SUPPORT |
||
40 | bool "Show packages that require graphics support (local or remote)" |
||
41 | default n |
||
42 | |||
43 | config BUILD_PATENTED |
||
44 | default n |
||
45 | bool "Compile with support for patented functionality" |
||
46 | help |
||
47 | When this option is disabled, software which provides patented functionality |
||
48 | will not be built. In case software provides optional support for patented |
||
49 | functionality, this optional support will get disabled for this package. |
||
50 | |||
51 | config BUILD_NLS |
||
52 | default n |
||
53 | bool "Compile with full language support" |
||
54 | help |
||
55 | When this option is enabled, packages are built with the full versions of |
||
56 | iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is |
||
57 | used, it is also built with locale support. |
||
58 | |||
59 | config SHADOW_PASSWORDS |
||
60 | bool |
||
61 | default y |
||
62 | |||
63 | config CLEAN_IPKG |
||
64 | bool |
||
65 | prompt "Remove ipkg/opkg status data files in final images" |
||
66 | default n |
||
67 | help |
||
68 | This removes all ipkg/opkg status data files from the target directory |
||
69 | before building the root filesystem. |
||
70 | |||
71 | config INCLUDE_CONFIG |
||
72 | bool "Include build configuration in firmware" if DEVEL |
||
73 | default n |
||
74 | help |
||
75 | If enabled, config.seed will be stored in /etc/build.config of firmware. |
||
76 | |||
77 | config COLLECT_KERNEL_DEBUG |
||
78 | bool |
||
79 | prompt "Collect kernel debug information" |
||
80 | select KERNEL_DEBUG_INFO |
||
81 | default BUILDBOT |
||
82 | help |
||
83 | This collects debugging symbols from the kernel and all compiled modules. |
||
84 | Useful for release builds, so that kernel issues can be debugged offline |
||
85 | later. |
||
86 | |||
87 | menu "Kernel build options" |
||
88 | |||
89 | source "config/Config-kernel.in" |
||
90 | |||
91 | endmenu |
||
92 | |||
93 | comment "Package build options" |
||
94 | |||
95 | config DEBUG |
||
96 | bool |
||
97 | prompt "Compile packages with debugging info" |
||
98 | default n |
||
99 | help |
||
100 | Adds -g3 to the CFLAGS. |
||
101 | |||
102 | config IPV6 |
||
103 | bool |
||
104 | prompt "Enable IPv6 support in packages" |
||
105 | default y |
||
106 | help |
||
107 | Enables IPv6 support in kernel (builtin) and packages. |
||
108 | |||
109 | comment "Stripping options" |
||
110 | |||
111 | choice |
||
112 | prompt "Binary stripping method" |
||
113 | default USE_STRIP if EXTERNAL_TOOLCHAIN |
||
114 | default USE_STRIP if USE_GLIBC |
||
115 | default USE_SSTRIP |
||
116 | help |
||
117 | Select the binary stripping method you wish to use. |
||
118 | |||
119 | config NO_STRIP |
||
120 | bool "none" |
||
121 | help |
||
122 | This will install unstripped binaries (useful for native |
||
123 | compiling/debugging). |
||
124 | |||
125 | config USE_STRIP |
||
126 | bool "strip" |
||
127 | help |
||
128 | This will install binaries stripped using strip from binutils. |
||
129 | |||
130 | |||
131 | config USE_SSTRIP |
||
132 | bool "sstrip" |
||
133 | depends on !USE_GLIBC |
||
134 | help |
||
135 | This will install binaries stripped using sstrip. |
||
136 | endchoice |
||
137 | |||
138 | config STRIP_ARGS |
||
139 | string |
||
140 | prompt "Strip arguments" |
||
141 | depends on USE_STRIP |
||
142 | default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG |
||
143 | default "--strip-all" |
||
144 | help |
||
145 | Specifies arguments passed to the strip command when stripping binaries. |
||
146 | |||
147 | config STRIP_KERNEL_EXPORTS |
||
148 | bool "Strip unnecessary exports from the kernel image" |
||
149 | help |
||
150 | Reduces kernel size by stripping unused kernel exports from the kernel |
||
151 | image. Note that this might make the kernel incompatible with any kernel |
||
152 | modules that were not selected at the time the kernel image was created. |
||
153 | |||
154 | config USE_MKLIBS |
||
155 | bool "Strip unnecessary functions from libraries" |
||
156 | help |
||
157 | Reduces libraries to only those functions that are necessary for using all |
||
158 | selected packages (including those selected as <M>). Note that this will |
||
159 | make the system libraries incompatible with most of the packages that are |
||
160 | not selected during the build process. |
||
161 | |||
162 | choice |
||
163 | prompt "Preferred standard C++ library" |
||
164 | default USE_LIBSTDCXX if USE_GLIBC |
||
165 | default USE_UCLIBCXX |
||
166 | help |
||
167 | Select the preferred standard C++ library for all packages that support this. |
||
168 | |||
169 | config USE_UCLIBCXX |
||
170 | bool "uClibc++" |
||
171 | |||
172 | config USE_LIBSTDCXX |
||
173 | bool "libstdc++" |
||
174 | endchoice |
||
175 | |||
176 | comment "Hardening build options" |
||
177 | |||
178 | config PKG_CHECK_FORMAT_SECURITY |
||
179 | bool |
||
180 | prompt "Enable gcc format-security" |
||
181 | default y |
||
182 | help |
||
183 | Add -Wformat -Werror=format-security to the CFLAGS. You can disable |
||
184 | this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package |
||
185 | Makefile. |
||
186 | |||
187 | config PKG_ASLR_PIE |
||
188 | bool |
||
189 | prompt "User space ASLR PIE compilation" |
||
190 | select BUSYBOX_DEFAULT_PIE |
||
191 | default n |
||
192 | help |
||
193 | Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. |
||
194 | This enables package build as Position Independent Executables (PIE) |
||
195 | to protect against "return-to-text" attacks. This belongs to the |
||
196 | feature of Address Space Layout Randomisation (ASLR), which is |
||
197 | implemented by the kernel and the ELF loader by randomising the |
||
198 | location of memory allocations. This makes memory addresses harder |
||
199 | to predict when an attacker is attempting a memory-corruption exploit. |
||
200 | You can disable this per package by adding PKG_ASLR_PIE:=0 in the package |
||
201 | Makefile. |
||
202 | |||
203 | choice |
||
204 | prompt "User space Stack-Smashing Protection" |
||
205 | depends on USE_MUSL |
||
206 | default PKG_CC_STACKPROTECTOR_REGULAR |
||
207 | help |
||
208 | Enable GCC Stack Smashing Protection (SSP) for userspace applications |
||
209 | config PKG_CC_STACKPROTECTOR_NONE |
||
210 | bool "None" |
||
211 | config PKG_CC_STACKPROTECTOR_REGULAR |
||
212 | bool "Regular" |
||
213 | select GCC_LIBSSP if !USE_MUSL |
||
214 | depends on KERNEL_CC_STACKPROTECTOR_REGULAR |
||
215 | config PKG_CC_STACKPROTECTOR_STRONG |
||
216 | bool "Strong" |
||
217 | select GCC_LIBSSP if !USE_MUSL |
||
218 | depends on !GCC_VERSION_4_8 |
||
219 | depends on KERNEL_CC_STACKPROTECTOR_STRONG |
||
220 | endchoice |
||
221 | |||
222 | choice |
||
223 | prompt "Kernel space Stack-Smashing Protection" |
||
224 | default KERNEL_CC_STACKPROTECTOR_REGULAR |
||
225 | depends on USE_MUSL || !(x86_64 || i386) |
||
226 | help |
||
227 | Enable GCC Stack-Smashing Protection (SSP) for the kernel |
||
228 | config KERNEL_CC_STACKPROTECTOR_NONE |
||
229 | bool "None" |
||
230 | config KERNEL_CC_STACKPROTECTOR_REGULAR |
||
231 | bool "Regular" |
||
232 | config KERNEL_CC_STACKPROTECTOR_STRONG |
||
233 | depends on !GCC_VERSION_4_8 |
||
234 | bool "Strong" |
||
235 | endchoice |
||
236 | |||
237 | choice |
||
238 | prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" |
||
239 | default PKG_FORTIFY_SOURCE_1 |
||
240 | help |
||
241 | Enable the _FORTIFY_SOURCE macro which introduces additional |
||
242 | checks to detect buffer-overflows in the following standard library |
||
243 | functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, |
||
244 | strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, |
||
245 | gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces |
||
246 | checks that shouldn't change the behavior of conforming programs, |
||
247 | while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is |
||
248 | added, but some conforming programs might fail. |
||
249 | config PKG_FORTIFY_SOURCE_NONE |
||
250 | bool "None" |
||
251 | config PKG_FORTIFY_SOURCE_1 |
||
252 | bool "Conservative" |
||
253 | config PKG_FORTIFY_SOURCE_2 |
||
254 | bool "Aggressive" |
||
255 | endchoice |
||
256 | |||
257 | choice |
||
258 | prompt "Enable RELRO protection" |
||
259 | default PKG_RELRO_FULL |
||
260 | help |
||
261 | Enable a link-time protection known as RELRO (Relocation Read Only) |
||
262 | which helps to protect from certain type of exploitation techniques |
||
263 | altering the content of some ELF sections. "Partial" RELRO makes the |
||
264 | .dynamic section not writeable after initialization, introducing |
||
265 | almost no performance penalty, while "full" RELRO also marks the GOT |
||
266 | as read-only at the cost of initializing all of it at startup. |
||
267 | config PKG_RELRO_NONE |
||
268 | bool "None" |
||
269 | config PKG_RELRO_PARTIAL |
||
270 | bool "Partial" |
||
271 | config PKG_RELRO_FULL |
||
272 | bool "Full" |
||
273 | endchoice |
||
274 | |||
275 | endmenu |