projects / openwrt / staging / nbd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
mt76: install mt7981_eeprom_mt7976_dbdc.bin to STAGING_DIR_IMAGE
[openwrt/staging/nbd.git] / config / Config-build.in
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Copyright (C) 2006-2013 OpenWrt.org
4 # Copyright (C) 2016 LEDE Project
5
6 config EXPERIMENTAL
7 bool "Enable experimental features by default"
8 help
9 Set this option to build with latest bleeding edge features
10 which may or may not work as expected.
11 If you would like to help the development of OpenWrt, you are
12 encouraged to set this option and provide feedback (both
13 positive and negative). But do so only if you know how to
14 recover your device in case of flashing potentially non-working
15 firmware.
16
17 If you plan to use this build in production, say NO!
18
19 menu "Global build settings"
20
21 config JSON_OVERVIEW_IMAGE_INFO
22 bool "Create JSON info file overview per target"
23 default y
24 help
25 Create a JSON info file called profiles.json in the target
26 directory containing machine readable list of built profiles
27 and resulting images.
28
29 config JSON_CYCLONEDX_SBOM
30 bool "Create CycloneDX SBOM JSON"
31 default BUILDBOT
32 help
33 Create a JSON files *.bom.cdx.json in the build
34 directory containing Software Bill Of Materials in CycloneDX
35 format.
36
37 config ALL_NONSHARED
38 bool "Select all target specific packages by default"
39 select ALL_KMODS
40 default BUILDBOT
41
42 config ALL_KMODS
43 bool "Select all kernel module packages by default"
44
45 config ALL
46 bool "Select all userspace packages by default"
47 select ALL_KMODS
48 select ALL_NONSHARED
49
50 config BUILDBOT
51 bool "Set build defaults for automatic builds (e.g. via buildbot)"
52 help
53 This option changes several defaults to be more suitable for
54 automatic builds. This includes the following changes:
55 - Deleting build directories after compiling (to save space)
56 - Enabling per-device rootfs support
57 ...
58
59 config SIGNED_PACKAGES
60 bool "Cryptographically signed package lists"
61 default y
62
63 config SIGNATURE_CHECK
64 bool "Enable signature checking in opkg"
65 default SIGNED_PACKAGES
66
67 config DOWNLOAD_CHECK_CERTIFICATE
68 bool "Enable TLS certificate verification during package download"
69 default y
70
71 config USE_APK
72 bool "Use APK instead of OPKG to build distribution (EXPERIMENTAL)"
73
74 comment "General build options"
75
76 config TESTING_KERNEL
77 bool "Use the testing kernel version"
78 depends on HAS_TESTING_KERNEL
79 default EXPERIMENTAL
80 help
81 If the target supports a newer kernel version than the default,
82 you can use this config option to enable it
83
84
85 config DISPLAY_SUPPORT
86 bool "Show packages that require graphics support (local or remote)"
87
88 config BUILD_PATENTED
89 bool "Compile with support for patented functionality"
90 help
91 When this option is disabled, software which provides patented functionality
92 will not be built. In case software provides optional support for patented
93 functionality, this optional support will get disabled for this package.
94
95 config BUILD_NLS
96 bool "Compile with full language support"
97 help
98 When this option is enabled, packages are built with the full versions of
99 iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
100 used, it is also built with locale support.
101
102 config SHADOW_PASSWORDS
103 bool
104 default y
105
106 config CLEAN_IPKG
107 bool
108 prompt "Remove ipkg/opkg status data files in final images"
109 help
110 This removes all ipkg/opkg status data files from the target directory
111 before building the root filesystem.
112
113 config IPK_FILES_CHECKSUMS
114 bool
115 prompt "Record files checksums in package metadata"
116 help
117 This makes file checksums part of package metadata. It increases size
118 but provides you with pkg_check command to check for flash corruptions.
119
120 config INCLUDE_CONFIG
121 bool "Include build configuration in firmware" if DEVEL
122 help
123 If enabled, buildinfo files will be stored in /etc/build.* of firmware.
124
125 config REPRODUCIBLE_DEBUG_INFO
126 bool "Make debug information reproducible"
127 default BUILDBOT
128 help
129 This strips the local build path out of debug information. This has the
130 advantage of making it reproducible, but the disadvantage of making local
131 debugging using ./scripts/remote-gdb harder, since the debug data will
132 no longer point to the full path on the build host.
133
134 config COLLECT_KERNEL_DEBUG
135 bool
136 prompt "Collect kernel debug information"
137 select KERNEL_DEBUG_INFO
138 default BUILDBOT
139 help
140 This collects debugging symbols from the kernel and all compiled modules.
141 Useful for release builds, so that kernel issues can be debugged offline
142 later.
143
144 menu "Kernel build options"
145
146 source "config/Config-kernel.in"
147
148 endmenu
149
150 comment "Package build options"
151
152 config DEBUG
153 bool
154 prompt "Compile packages with debugging info"
155 help
156 Adds -g3 to the CFLAGS.
157
158 config USE_GC_SECTIONS
159 bool
160 prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
161 help
162 Places functions and data items into its own sections to use the linker's
163 garbage collection capabilites.
164 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
165
166 config USE_LTO
167 bool
168 prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
169 help
170 Adds LTO flags to the CFLAGS and LDFLAGS.
171 Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
172
173 config MOLD
174 depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
175 depends on !GCC_USE_VERSION_11
176 def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
177
178 config USE_MOLD
179 bool
180 prompt "Use the mold linker for all packages"
181 depends on MOLD
182 help
183 Link packages with mold, a modern linker
184 Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
185
186 config IPV6
187 def_bool y
188
189 comment "Stripping options"
190
191 choice
192 prompt "Binary stripping method"
193 default USE_STRIP if USE_GLIBC
194 default USE_SSTRIP
195 help
196 Select the binary stripping method you wish to use.
197
198 config NO_STRIP
199 bool "none"
200 help
201 This will install unstripped binaries (useful for native
202 compiling/debugging).
203
204 config USE_STRIP
205 bool "strip"
206 help
207 This will install binaries stripped using strip from binutils.
208
209 config USE_SSTRIP
210 bool "sstrip"
211 depends on !USE_GLIBC
212 help
213 This will install binaries stripped using sstrip.
214 endchoice
215
216 config STRIP_ARGS
217 string
218 prompt "Strip arguments"
219 depends on USE_STRIP
220 default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
221 default "--strip-all"
222 help
223 Specifies arguments passed to the strip command when stripping binaries.
224
225 config SSTRIP_DISCARD_TRAILING_ZEROES
226 bool "Strip trailing zero bytes"
227 depends on USE_SSTRIP && !USE_MOLD
228 default y
229 help
230 Use sstrip's -z option to discard trailing zero bytes
231
232 config STRIP_KERNEL_EXPORTS
233 bool "Strip unnecessary exports from the kernel image"
234 depends on !LINUX_6_6
235 help
236 Reduces kernel size by stripping unused kernel exports from the kernel
237 image. Note that this might make the kernel incompatible with any kernel
238 modules that were not selected at the time the kernel image was created.
239
240 config USE_MKLIBS
241 bool "Strip unnecessary functions from libraries"
242 help
243 Reduces libraries to only those functions that are necessary for using all
244 selected packages (including those selected as <M>). Note that this will
245 make the system libraries incompatible with most of the packages that are
246 not selected during the build process.
247
248 comment "Hardening build options"
249
250 config PKG_CHECK_FORMAT_SECURITY
251 bool
252 prompt "Enable gcc format-security"
253 default y
254 help
255 Add -Wformat -Werror=format-security to the CFLAGS. You can disable
256 this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
257 Makefile.
258
259 choice
260 prompt "User space ASLR PIE compilation"
261 default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
262 default PKG_ASLR_PIE_REGULAR
263 help
264 Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
265 This enables package build as Position Independent Executables (PIE)
266 to protect against "return-to-text" attacks. This belongs to the
267 feature of Address Space Layout Randomisation (ASLR), which is
268 implemented by the kernel and the ELF loader by randomising the
269 location of memory allocations. This makes memory addresses harder
270 to predict when an attacker is attempting a memory-corruption exploit.
271 You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
272 Makefile.
273 Be ware that ASLR increases the binary size.
274 config PKG_ASLR_PIE_NONE
275 bool "None"
276 help
277 PIE is deactivated for all applications
278 config PKG_ASLR_PIE_REGULAR
279 bool "Regular"
280 help
281 PIE is activated for some binaries, mostly network exposed applications
282 config PKG_ASLR_PIE_ALL
283 bool "All"
284 select BUSYBOX_DEFAULT_PIE
285 help
286 PIE is activated for all applications
287 endchoice
288
289 choice
290 prompt "User space Stack-Smashing Protection"
291 default PKG_CC_STACKPROTECTOR_REGULAR
292 help
293 Enable GCC Stack Smashing Protection (SSP) for userspace applications
294 config PKG_CC_STACKPROTECTOR_NONE
295 bool "None"
296 config PKG_CC_STACKPROTECTOR_REGULAR
297 bool "Regular"
298 config PKG_CC_STACKPROTECTOR_STRONG
299 bool "Strong"
300 config PKG_CC_STACKPROTECTOR_ALL
301 bool "All"
302 endchoice
303
304 choice
305 prompt "Kernel space Stack-Smashing Protection"
306 default KERNEL_CC_STACKPROTECTOR_REGULAR
307 help
308 Enable GCC Stack-Smashing Protection (SSP) for the kernel
309 config KERNEL_CC_STACKPROTECTOR_NONE
310 bool "None"
311 config KERNEL_CC_STACKPROTECTOR_REGULAR
312 bool "Regular"
313 config KERNEL_CC_STACKPROTECTOR_STRONG
314 bool "Strong"
315 endchoice
316
317 config KERNEL_STACKPROTECTOR
318 bool
319 default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
320
321 config KERNEL_STACKPROTECTOR_STRONG
322 bool
323 default KERNEL_CC_STACKPROTECTOR_STRONG
324
325 choice
326 prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
327 default PKG_FORTIFY_SOURCE_1
328 help
329 Enable the _FORTIFY_SOURCE macro which introduces additional
330 checks to detect buffer-overflows in the following standard library
331 functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
332 strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
333 gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
334 checks that shouldn't change the behavior of conforming programs,
335 while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
336 added, but some conforming programs might fail.
337 config PKG_FORTIFY_SOURCE_NONE
338 bool "None"
339 config PKG_FORTIFY_SOURCE_1
340 bool "Conservative"
341 config PKG_FORTIFY_SOURCE_2
342 bool "Aggressive"
343 endchoice
344
345 choice
346 prompt "Enable RELRO protection"
347 default PKG_RELRO_FULL
348 help
349 Enable a link-time protection known as RELRO (Relocation Read Only)
350 which helps to protect from certain type of exploitation techniques
351 altering the content of some ELF sections. "Partial" RELRO makes the
352 .dynamic section not writeable after initialization, introducing
353 almost no performance penalty, while "full" RELRO also marks the GOT
354 as read-only at the cost of initializing all of it at startup.
355 config PKG_RELRO_NONE
356 bool "None"
357 config PKG_RELRO_PARTIAL
358 bool "Partial"
359 config PKG_RELRO_FULL
360 bool "Full"
361 endchoice
362
363 config TARGET_ROOTFS_SECURITY_LABELS
364 bool
365 select KERNEL_SQUASHFS_XATTR
366 select KERNEL_EXT4_FS_SECURITY
367 select KERNEL_F2FS_FS_SECURITY
368 select KERNEL_UBIFS_FS_SECURITY
369 select KERNEL_JFFS2_FS_SECURITY
370
371 config SELINUX
372 bool "Enable SELinux"
373 select KERNEL_SECURITY_SELINUX
374 select TARGET_ROOTFS_SECURITY_LABELS
375 select PACKAGE_procd-selinux
376 select PACKAGE_busybox-selinux
377 help
378 This option enables SELinux kernel features, applies security labels
379 in squashfs rootfs and selects the selinux-variants of busybox and procd.
380
381 Selecting this option results in about 0.5MiB of additional flash space
382 usage accounting for increased kernel and rootfs size.
383
384 choice
385 prompt "default SELinux type"
386 depends on TARGET_ROOTFS_SECURITY_LABELS
387 default SELINUXTYPE_dssp
388 help
389 Select SELinux policy to be installed and used for applying rootfs labels.
390
391 config SELINUXTYPE_targeted
392 bool "targeted"
393 select PACKAGE_refpolicy
394 help
395 SELinux Reference Policy (refpolicy)
396
397 config SELINUXTYPE_dssp
398 bool "dssp"
399 select PACKAGE_selinux-policy
400 help
401 Defensec SELinux Security Policy -- OpenWrt edition
402
403 endchoice
404
405 config SECCOMP
406 bool "Enable SECCOMP"
407 select KERNEL_SECCOMP
408 select PACKAGE_procd-seccomp
409 depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
410 depends on !TARGET_uml
411 default y
412 help
413 This option enables seccomp kernel features to safely
414 execute untrusted bytecode and selects the seccomp-variants
415 of procd
416
417 endmenu
Felix Fietkaus staging tree