projects / openwrt / staging / jow.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
treewide: cleanup kernel symbol references
[openwrt/staging/jow.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 help
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
15 firmware.
16
17 If you plan to use this build in production, say NO!
18
19 menu "Global build settings"
20
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
23 default y
24 help
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
27 and resulting images.
28
29 config ALL_NONSHARED
30 bool "Select all target specific packages by default"
31 select ALL_KMODS
32 default BUILDBOT
33
34 config ALL_KMODS
35 bool "Select all kernel module packages by default"
36
37 config ALL
38 bool "Select all userspace packages by default"
39 select ALL_KMODS
40 select ALL_NONSHARED
41
42 config BUILDBOT
43 bool "Set build defaults for automatic builds (e.g. via buildbot)"
44 help
45 This option changes several defaults to be more suitable for
46 automatic builds. This includes the following changes:
47 - Deleting build directories after compiling (to save space)
48 - Enabling per-device rootfs support
49 ...
50
51 config SIGNED_PACKAGES
52 bool "Cryptographically signed package lists"
53 default y
54
55 config SIGNATURE_CHECK
56 bool "Enable signature checking in opkg"
57 default SIGNED_PACKAGES
58
59 config DOWNLOAD_CHECK_CERTIFICATE
60 bool "Enable TLS certificate verification during package download"
61 default y
62
63 comment "General build options"
64
65 config TESTING_KERNEL
66 bool "Use the testing kernel version"
67 depends on HAS_TESTING_KERNEL
68 default EXPERIMENTAL
69 help
70 If the target supports a newer kernel version than the default,
71 you can use this config option to enable it
72
73
74 config DISPLAY_SUPPORT
75 bool "Show packages that require graphics support (local or remote)"
76
77 config BUILD_PATENTED
78 bool "Compile with support for patented functionality"
79 help
80 When this option is disabled, software which provides patented functionality
81 will not be built. In case software provides optional support for patented
82 functionality, this optional support will get disabled for this package.
83
84 config BUILD_NLS
85 bool "Compile with full language support"
86 help
87 When this option is enabled, packages are built with the full versions of
88 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
89 used, it is also built with locale support.
90
91 config SHADOW_PASSWORDS
92 bool
93 default y
94
95 config CLEAN_IPKG
96 bool
97 prompt "Remove ipkg/opkg status data files in final images"
98 help
99 This removes all ipkg/opkg status data files from the target directory
100 before building the root filesystem.
101
102 config IPK_FILES_CHECKSUMS
103 bool
104 prompt "Record files checksums in package metadata"
105 help
106 This makes file checksums part of package metadata. It increases size
107 but provides you with pkg_check command to check for flash corruptions.
108
109 config INCLUDE_CONFIG
110 bool "Include build configuration in firmware" if DEVEL
111 help
112 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
113
114 config REPRODUCIBLE_DEBUG_INFO
115 bool "Make debug information reproducible"
116 default BUILDBOT
117 help
118 This strips the local build path out of debug information. This has the
119 advantage of making it reproducible, but the disadvantage of making local
120 debugging using ./scripts/remote-gdb harder, since the debug data will
121 no longer point to the full path on the build host.
122
123 config COLLECT_KERNEL_DEBUG
124 bool
125 prompt "Collect kernel debug information"
126 select KERNEL_DEBUG_INFO
127 default BUILDBOT
128 help
129 This collects debugging symbols from the kernel and all compiled modules.
130 Useful for release builds, so that kernel issues can be debugged offline
131 later.
132
133 menu "Kernel build options"
134
135 source "config/Config-kernel.in"
136
137 endmenu
138
139 comment "Package build options"
140
141 config DEBUG
142 bool
143 prompt "Compile packages with debugging info"
144 help
145 Adds -g3 to the CFLAGS.
146
147 config USE_GC_SECTIONS
148 bool
149 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
150 help
151 Places functions and data items into its own sections to use the linker's
152 garbage collection capabilites.
153 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
154
155 config USE_LTO
156 bool
157 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
158 help
159 Adds LTO flags to the CFLAGS and LDFLAGS.
160 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
161
162 config IPV6
163 def_bool y
164
165 comment "Stripping options"
166
167 choice
168 prompt "Binary stripping method"
169 default USE_STRIP if USE_GLIBC
170 default USE_SSTRIP
171 help
172 Select the binary stripping method you wish to use.
173
174 config NO_STRIP
175 bool "none"
176 help
177 This will install unstripped binaries (useful for native
178 compiling/debugging).
179
180 config USE_STRIP
181 bool "strip"
182 help
183 This will install binaries stripped using strip from binutils.
184
185
186 config USE_SSTRIP
187 bool "sstrip"
188 depends on !USE_GLIBC
189 help
190 This will install binaries stripped using sstrip.
191 endchoice
192
193 config STRIP_ARGS
194 string
195 prompt "Strip arguments"
196 depends on USE_STRIP
197 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
198 default "--strip-all"
199 help
200 Specifies arguments passed to the strip command when stripping binaries.
201
202 config SSTRIP_ARGS
203 string
204 prompt "Sstrip arguments"
205 depends on USE_SSTRIP
206 default "-z"
207 help
208 Specifies arguments passed to the sstrip command when stripping binaries.
209
210 config STRIP_KERNEL_EXPORTS
211 bool "Strip unnecessary exports from the kernel image"
212 help
213 Reduces kernel size by stripping unused kernel exports from the kernel
214 image. Note that this might make the kernel incompatible with any kernel
215 modules that were not selected at the time the kernel image was created.
216
217 config USE_MKLIBS
218 bool "Strip unnecessary functions from libraries"
219 help
220 Reduces libraries to only those functions that are necessary for using all
221 selected packages (including those selected as <M>). Note that this will
222 make the system libraries incompatible with most of the packages that are
223 not selected during the build process.
224
225 comment "Hardening build options"
226
227 config PKG_CHECK_FORMAT_SECURITY
228 bool
229 prompt "Enable gcc format-security"
230 default y
231 help
232 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
233 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
234 Makefile.
235
236 choice
237 prompt "User space ASLR PIE compilation"
238 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
239 default PKG_ASLR_PIE_REGULAR
240 help
241 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
242 This enables package build as Position Independent Executables (PIE)
243 to protect against "return-to-text" attacks. This belongs to the
244 feature of Address Space Layout Randomisation (ASLR), which is
245 implemented by the kernel and the ELF loader by randomising the
246 location of memory allocations. This makes memory addresses harder
247 to predict when an attacker is attempting a memory-corruption exploit.
248 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
249 Makefile.
250 Be ware that ASLR increases the binary size.
251 config PKG_ASLR_PIE_NONE
252 bool "None"
253 help
254 PIE is deactivated for all applications
255 config PKG_ASLR_PIE_REGULAR
256 bool "Regular"
257 help
258 PIE is activated for some binaries, mostly network exposed applications
259 config PKG_ASLR_PIE_ALL
260 bool "All"
261 select BUSYBOX_DEFAULT_PIE
262 help
263 PIE is activated for all applications
264 endchoice
265
266 choice
267 prompt "User space Stack-Smashing Protection"
268 default PKG_CC_STACKPROTECTOR_REGULAR
269 help
270 Enable GCC Stack Smashing Protection (SSP) for userspace applications
271 config PKG_CC_STACKPROTECTOR_NONE
272 bool "None"
273 config PKG_CC_STACKPROTECTOR_REGULAR
274 bool "Regular"
275 config PKG_CC_STACKPROTECTOR_STRONG
276 bool "Strong"
277 endchoice
278
279 choice
280 prompt "Kernel space Stack-Smashing Protection"
281 default KERNEL_CC_STACKPROTECTOR_REGULAR
282 help
283 Enable GCC Stack-Smashing Protection (SSP) for the kernel
284 config KERNEL_CC_STACKPROTECTOR_NONE
285 bool "None"
286 config KERNEL_CC_STACKPROTECTOR_REGULAR
287 bool "Regular"
288 config KERNEL_CC_STACKPROTECTOR_STRONG
289 bool "Strong"
290 endchoice
291
292 config KERNEL_STACKPROTECTOR
293 bool
294 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
295
296 config KERNEL_STACKPROTECTOR_STRONG
297 bool
298 default KERNEL_CC_STACKPROTECTOR_STRONG
299
300 choice
301 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
302 default PKG_FORTIFY_SOURCE_1
303 help
304 Enable the _FORTIFY_SOURCE macro which introduces additional
305 checks to detect buffer-overflows in the following standard library
306 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
307 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
308 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
309 checks that shouldn't change the behavior of conforming programs,
310 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
311 added, but some conforming programs might fail.
312 config PKG_FORTIFY_SOURCE_NONE
313 bool "None"
314 config PKG_FORTIFY_SOURCE_1
315 bool "Conservative"
316 config PKG_FORTIFY_SOURCE_2
317 bool "Aggressive"
318 endchoice
319
320 choice
321 prompt "Enable RELRO protection"
322 default PKG_RELRO_FULL
323 help
324 Enable a link-time protection known as RELRO (Relocation Read Only)
325 which helps to protect from certain type of exploitation techniques
326 altering the content of some ELF sections. "Partial" RELRO makes the
327 .dynamic section not writeable after initialization, introducing
328 almost no performance penalty, while "full" RELRO also marks the GOT
329 as read-only at the cost of initializing all of it at startup.
330 config PKG_RELRO_NONE
331 bool "None"
332 config PKG_RELRO_PARTIAL
333 bool "Partial"
334 config PKG_RELRO_FULL
335 bool "Full"
336 endchoice
337
338 config TARGET_ROOTFS_SECURITY_LABELS
339 bool
340 select KERNEL_SQUASHFS_XATTR
341 select KERNEL_EXT4_FS_SECURITY
342 select KERNEL_F2FS_FS_SECURITY
343 select KERNEL_UBIFS_FS_SECURITY
344 select KERNEL_JFFS2_FS_SECURITY
345
346 config SELINUX
347 bool "Enable SELinux"
348 select KERNEL_SECURITY_SELINUX
349 select TARGET_ROOTFS_SECURITY_LABELS
350 select PACKAGE_procd-selinux
351 select PACKAGE_busybox-selinux
352 help
353 This option enables SELinux kernel features, applies security labels
354 in squashfs rootfs and selects the selinux-variants of busybox and procd.
355
356 Selecting this option results in about 0.5MiB of additional flash space
357 usage accounting for increased kernel and rootfs size.
358
359 choice
360 prompt "default SELinux type"
361 depends on TARGET_ROOTFS_SECURITY_LABELS
362 default SELINUXTYPE_dssp
363 help
364 Select SELinux policy to be installed and used for applying rootfs labels.
365
366 config SELINUXTYPE_targeted
367 bool "targeted"
368 select PACKAGE_refpolicy
369 help
370 SELinux Reference Policy (refpolicy)
371
372 config SELINUXTYPE_dssp
373 bool "dssp"
374 select PACKAGE_selinux-policy
375 help
376 Defensec SELinux Security Policy -- OpenWrt edition
377
378 endchoice
379
380 config SECCOMP
381 bool "Enable SECCOMP"
382 select KERNEL_SECCOMP
383 select PACKAGE_procd-seccomp
384 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
385 depends on !TARGET_uml
386 default y
387 help
388 This option enables seccomp kernel features to safely
389 execute untrusted bytecode and selects the seccomp-variants
390 of procd
391
392 endmenu
Staging tree of Jo-Philipp Wich