projects / openwrt / staging / nbd.git / blob
? search:


cfefa4eed378b7542f8ee3ca5ff9999634446167
[openwrt/staging/nbd.git] / config / Config-build.in
1 # Copyright (C) 2006-2013 OpenWrt.org
2 # Copyright (C) 2016 LEDE Project
3 #
4 # This is free software, licensed under the GNU General Public License v2.
5 # See /LICENSE for more information.
6 #
7
8 menu "Global build settings"
9
10 config JSON_OVERVIEW_IMAGE_INFO
11 bool "Create JSON info file overview per target"
12 default BUILDBOT
13 help
14 Create a JSON info file called profiles.json in the target
15 directory containing machine readable list of built profiles
16 and resulting images.
17
18 config ALL_NONSHARED
19 bool "Select all target specific packages by default"
20 select ALL_KMODS
21 default BUILDBOT
22
23 config ALL_KMODS
24 bool "Select all kernel module packages by default"
25
26 config ALL
27 bool "Select all userspace packages by default"
28 select ALL_KMODS
29 select ALL_NONSHARED
30
31 config BUILDBOT
32 bool "Set build defaults for automatic builds (e.g. via buildbot)"
33 default n
34 help
35 This option changes several defaults to be more suitable for
36 automatic builds. This includes the following changes:
37 - Deleting build directories after compiling (to save space)
38 - Enabling per-device rootfs support
39 ...
40
41 config SIGNED_PACKAGES
42 bool "Cryptographically signed package lists"
43 default y
44
45 config SIGNATURE_CHECK
46 bool "Enable signature checking in opkg"
47 default SIGNED_PACKAGES
48
49 comment "General build options"
50
51 config TESTING_KERNEL
52 bool "Use the testing kernel version"
53 depends on HAS_TESTING_KERNEL
54 default n
55 help
56 If the target supports a newer kernel version than the default,
57 you can use this config option to enable it
58
59
60 config DISPLAY_SUPPORT
61 bool "Show packages that require graphics support (local or remote)"
62 default n
63
64 config BUILD_PATENTED
65 default n
66 bool "Compile with support for patented functionality"
67 help
68 When this option is disabled, software which provides patented functionality
69 will not be built. In case software provides optional support for patented
70 functionality, this optional support will get disabled for this package.
71
72 config BUILD_NLS
73 default n
74 bool "Compile with full language support"
75 help
76 When this option is enabled, packages are built with the full versions of
77 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
78 used, it is also built with locale support.
79
80 config SHADOW_PASSWORDS
81 bool
82 default y
83
84 config CLEAN_IPKG
85 bool
86 prompt "Remove ipkg/opkg status data files in final images"
87 default n
88 help
89 This removes all ipkg/opkg status data files from the target directory
90 before building the root filesystem.
91
92 config IPK_FILES_CHECKSUMS
93 bool
94 prompt "Record files checksums in package metadata"
95 default n
96 help
97 This makes file checksums part of package metadata. It increases size
98 but provides you with pkg_check command to check for flash coruptions.
99
100 config INCLUDE_CONFIG
101 bool "Include build configuration in firmware" if DEVEL
102 default n
103 help
104 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
105
106 config REPRODUCIBLE_DEBUG_INFO
107 bool "Make debug information reproducible"
108 default BUILDBOT
109 help
110 This strips the local build path out of debug information. This has the
111 advantage of making it reproducible, but the disadvantage of making local
112 debugging using ./scripts/remote-gdb harder, since the debug data will
113 no longer point to the full path on the build host.
114
115 config COLLECT_KERNEL_DEBUG
116 bool
117 prompt "Collect kernel debug information"
118 select KERNEL_DEBUG_INFO
119 default BUILDBOT
120 help
121 This collects debugging symbols from the kernel and all compiled modules.
122 Useful for release builds, so that kernel issues can be debugged offline
123 later.
124
125 menu "Kernel build options"
126
127 source "config/Config-kernel.in"
128
129 endmenu
130
131 comment "Package build options"
132
133 config DEBUG
134 bool
135 prompt "Compile packages with debugging info"
136 default n
137 help
138 Adds -g3 to the CFLAGS.
139
140 config IPV6
141 bool
142 prompt "Enable IPv6 support in packages"
143 default y
144 help
145 Enables IPv6 support in kernel (builtin) and packages.
146
147 comment "Stripping options"
148
149 choice
150 prompt "Binary stripping method"
151 default USE_STRIP if EXTERNAL_TOOLCHAIN
152 default USE_STRIP if USE_GLIBC
153 default USE_SSTRIP
154 help
155 Select the binary stripping method you wish to use.
156
157 config NO_STRIP
158 bool "none"
159 help
160 This will install unstripped binaries (useful for native
161 compiling/debugging).
162
163 config USE_STRIP
164 bool "strip"
165 help
166 This will install binaries stripped using strip from binutils.
167
168
169 config USE_SSTRIP
170 bool "sstrip"
171 depends on !USE_GLIBC
172 help
173 This will install binaries stripped using sstrip.
174 endchoice
175
176 config STRIP_ARGS
177 string
178 prompt "Strip arguments"
179 depends on USE_STRIP
180 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
181 default "--strip-all"
182 help
183 Specifies arguments passed to the strip command when stripping binaries.
184
185 config SSTRIP_ARGS
186 string
187 prompt "Sstrip arguments"
188 depends on USE_SSTRIP
189 default "-z"
190 help
191 Specifies arguments passed to the sstrip command when stripping binaries.
192
193 config STRIP_KERNEL_EXPORTS
194 bool "Strip unnecessary exports from the kernel image"
195 help
196 Reduces kernel size by stripping unused kernel exports from the kernel
197 image. Note that this might make the kernel incompatible with any kernel
198 modules that were not selected at the time the kernel image was created.
199
200 config USE_MKLIBS
201 bool "Strip unnecessary functions from libraries"
202 help
203 Reduces libraries to only those functions that are necessary for using all
204 selected packages (including those selected as <M>). Note that this will
205 make the system libraries incompatible with most of the packages that are
206 not selected during the build process.
207
208 choice
209 prompt "Preferred standard C++ library"
210 default USE_LIBSTDCXX if USE_GLIBC
211 default USE_UCLIBCXX
212 help
213 Select the preferred standard C++ library for all packages that support this.
214
215 config USE_UCLIBCXX
216 bool "uClibc++"
217
218 config USE_LIBSTDCXX
219 bool "libstdc++"
220 endchoice
221
222 comment "Hardening build options"
223
224 config PKG_CHECK_FORMAT_SECURITY
225 bool
226 prompt "Enable gcc format-security"
227 default y
228 help
229 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
230 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
231 Makefile.
232
233 choice
234 prompt "User space ASLR PIE compilation"
235 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
236 default PKG_ASLR_PIE_REGULAR
237 help
238 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
239 This enables package build as Position Independent Executables (PIE)
240 to protect against "return-to-text" attacks. This belongs to the
241 feature of Address Space Layout Randomisation (ASLR), which is
242 implemented by the kernel and the ELF loader by randomising the
243 location of memory allocations. This makes memory addresses harder
244 to predict when an attacker is attempting a memory-corruption exploit.
245 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
246 Makefile.
247 Be ware that ASLR increases the binary size.
248 config PKG_ASLR_PIE_NONE
249 bool "None"
250 help
251 PIE is deactivated for all applications
252 config PKG_ASLR_PIE_REGULAR
253 bool "Regular"
254 help
255 PIE is activated for some binaries, mostly network exposed applications
256 config PKG_ASLR_PIE_ALL
257 bool "All"
258 select BUSYBOX_DEFAULT_PIE
259 help
260 PIE is activated for all applications
261 endchoice
262
263 choice
264 prompt "User space Stack-Smashing Protection"
265 default PKG_CC_STACKPROTECTOR_REGULAR
266 help
267 Enable GCC Stack Smashing Protection (SSP) for userspace applications
268 config PKG_CC_STACKPROTECTOR_NONE
269 bool "None"
270 config PKG_CC_STACKPROTECTOR_REGULAR
271 bool "Regular"
272 config PKG_CC_STACKPROTECTOR_STRONG
273 bool "Strong"
274 endchoice
275
276 choice
277 prompt "Kernel space Stack-Smashing Protection"
278 default KERNEL_CC_STACKPROTECTOR_REGULAR
279 help
280 Enable GCC Stack-Smashing Protection (SSP) for the kernel
281 config KERNEL_CC_STACKPROTECTOR_NONE
282 bool "None"
283 config KERNEL_CC_STACKPROTECTOR_REGULAR
284 bool "Regular"
285 config KERNEL_CC_STACKPROTECTOR_STRONG
286 bool "Strong"
287 endchoice
288
289 config KERNEL_STACKPROTECTOR
290 bool
291 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
292
293 config KERNEL_STACKPROTECTOR_STRONG
294 bool
295 default KERNEL_CC_STACKPROTECTOR_STRONG
296
297 choice
298 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
299 default PKG_FORTIFY_SOURCE_1
300 help
301 Enable the _FORTIFY_SOURCE macro which introduces additional
302 checks to detect buffer-overflows in the following standard library
303 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
304 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
305 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
306 checks that shouldn't change the behavior of conforming programs,
307 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
308 added, but some conforming programs might fail.
309 config PKG_FORTIFY_SOURCE_NONE
310 bool "None"
311 config PKG_FORTIFY_SOURCE_1
312 bool "Conservative"
313 config PKG_FORTIFY_SOURCE_2
314 bool "Aggressive"
315 endchoice
316
317 choice
318 prompt "Enable RELRO protection"
319 default PKG_RELRO_FULL
320 help
321 Enable a link-time protection known as RELRO (Relocation Read Only)
322 which helps to protect from certain type of exploitation techniques
323 altering the content of some ELF sections. "Partial" RELRO makes the
324 .dynamic section not writeable after initialization, introducing
325 almost no performance penalty, while "full" RELRO also marks the GOT
326 as read-only at the cost of initializing all of it at startup.
327 config PKG_RELRO_NONE
328 bool "None"
329 config PKG_RELRO_PARTIAL
330 bool "Partial"
331 config PKG_RELRO_FULL
332 bool "Full"
333 endchoice
334
335 config TARGET_ROOTFS_SECURITY_LABELS
336 bool
337 select KERNEL_SQUASHFS_XATTR
338 select KERNEL_EXT4_FS_SECURITY
339 select KERNEL_F2FS_FS_SECURITY
340 select KERNEL_UBIFS_FS_SECURITY
341 select KERNEL_JFFS2_FS_SECURITY
342
343 config SELINUX
344 bool "Enable SELinux"
345 select KERNEL_SECURITY_SELINUX
346 select TARGET_ROOTFS_SECURITY_LABELS
347 select PACKAGE_procd-selinux
348 select PACKAGE_busybox-selinux
349 help
350 This option enables SELinux kernel features, applies security labels
351 in squashfs rootfs and selects the selinux-variants of busybox and procd.
352
353 Selecting this option results in about 0.5MiB of additional flash space
354 usage accounting for increased kernel and rootfs size.
355
356 choice
357 prompt "default SELinux type"
358 depends on TARGET_ROOTFS_SECURITY_LABELS
359 default SELINUXTYPE_dssp
360 help
361 Select SELinux policy to be installed and used for applying rootfs labels.
362
363 config SELINUXTYPE_targeted
364 bool "targeted"
365 select PACKAGE_refpolicy
366 help
367 SELinux Reference Policy (refpolicy)
368
369 config SELINUXTYPE_dssp
370 bool "dssp"
371 select PACKAGE_selinux-policy
372 help
373 Defensec SELinux Security Policy -- OpenWrt edition
374
375 endchoice
376
377 endmenu
Felix Fietkaus staging tree