Skip to content
Snippets Groups Projects
Config-build.in 11.9 KiB
Newer Older
  • Learn to ignore specific revisions
  • # SPDX-License-Identifier: GPL-2.0-only
    #
    
    # Copyright (C) 2006-2013 OpenWrt.org
    
    # Copyright (C) 2016 LEDE Project
    
    config EXPERIMENTAL
    	bool "Enable experimental features by default"
    	help
    	  Set this option to build with latest bleeding edge features
    	  which may or may not work as expected.
    	  If you would like to help the development of OpenWrt, you are
    	  encouraged to set this option and provide feedback (both
    	  positive and negative). But do so only if you know how to
    	  recover your device in case of flashing potentially non-working
    	  firmware.
    
    	  If you plan to use this build in production, say NO!
    
    
    menu "Global build settings"
    
    
    	config JSON_OVERVIEW_IMAGE_INFO
    		bool "Create JSON info file overview per target"
    
    		  Create a JSON info file called profiles.json in the target
    		  directory containing machine readable list of built profiles
    		  and resulting images.
    
    	config JSON_CYCLONEDX_SBOM
    		bool "Create CycloneDX SBOM JSON"
    		default BUILDBOT
    		help
    		  Create a JSON files *.bom.cdx.json in the build
    		  directory containing Software Bill Of Materials in CycloneDX
    		  format.
    
    
    	config ALL_NONSHARED
    		bool "Select all target specific packages by default"
    
    		select ALL_KMODS
    		default BUILDBOT
    
    	config ALL_KMODS
    		bool "Select all kernel module packages by default"
    
    
    		bool "Select all userspace packages by default"
    
    		select ALL_KMODS
    		select ALL_NONSHARED
    
    	config BUILDBOT
    		bool "Set build defaults for automatic builds (e.g. via buildbot)"
    		help
    		  This option changes several defaults to be more suitable for
    		  automatic builds. This includes the following changes:
    		  - Deleting build directories after compiling (to save space)
    		  - Enabling per-device rootfs support
    		  ...
    
    
    	config SIGNED_PACKAGES
    		bool "Cryptographically signed package lists"
    
    	config SIGNATURE_CHECK
    		bool "Enable signature checking in opkg"
    
    		default SIGNED_PACKAGES
    
    	config DOWNLOAD_CHECK_CERTIFICATE
    		bool "Enable TLS certificate verification during package download"
    		default y
    
    
    	comment "General build options"
    
    
    	config TESTING_KERNEL
    		bool "Use the testing kernel version"
    		depends on HAS_TESTING_KERNEL
    
    		default EXPERIMENTAL
    
    		help
    		  If the target supports a newer kernel version than the default,
    		  you can use this config option to enable it
    
    
    
    	config DISPLAY_SUPPORT
    		bool "Show packages that require graphics support (local or remote)"
    
    	config BUILD_PATENTED
    		bool "Compile with support for patented functionality"
    		help
    
    		  When this option is disabled, software which provides patented functionality
    		  will not be built.  In case software provides optional support for patented
    		  functionality, this optional support will get disabled for this package.
    
    
    	config BUILD_NLS
    		bool "Compile with full language support"
    		help
    
    		  When this option is enabled, packages are built with the full versions of
    		  iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
    		  used, it is also built with locale support.
    
    
    	config SHADOW_PASSWORDS
    		bool
    		default y
    
    	config CLEAN_IPKG
    		bool
    		prompt "Remove ipkg/opkg status data files in final images"
    		help
    
    		  This removes all ipkg/opkg status data files from the target directory
    		  before building the root filesystem.
    
    	config IPK_FILES_CHECKSUMS
    		bool
    		prompt "Record files checksums in package metadata"
    		help
    		  This makes file checksums part of package metadata. It increases size
    
    Josh Soref's avatar
    Josh Soref committed
    		  but provides you with pkg_check command to check for flash corruptions.
    
    	config INCLUDE_CONFIG
    		bool "Include build configuration in firmware" if DEVEL
    		help
    
    		  If enabled, buildinfo files will be stored in /etc/build.* of firmware.
    
    	config REPRODUCIBLE_DEBUG_INFO
    		bool "Make debug information reproducible"
    		default BUILDBOT
    		help
    		  This strips the local build path out of debug information. This has the
    		  advantage of making it reproducible, but the disadvantage of making local
    		  debugging using ./scripts/remote-gdb harder, since the debug data will
    		  no longer point to the full path on the build host.
    
    
    	config COLLECT_KERNEL_DEBUG
    		bool
    		prompt "Collect kernel debug information"
    		select KERNEL_DEBUG_INFO
    
    		help
    		  This collects debugging symbols from the kernel and all compiled modules.
    
    		  Useful for release builds, so that kernel issues can be debugged offline
    		  later.
    
    	menu "Kernel build options"
    
    
    	source "config/Config-kernel.in"
    
    
    	comment "Package build options"
    
    	config DEBUG
    		bool
    		prompt "Compile packages with debugging info"
    		help
    
    	config USE_GC_SECTIONS
    		bool
    		prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
    		help
    		  Places functions and data items into its own sections to use the linker's
    		  garbage collection capabilites.
    		  Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
    
    
    	config USE_LTO
    		bool
    		prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
    		help
    		  Adds LTO flags to the CFLAGS and LDFLAGS.
    		  Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
    
    
    		def_bool y
    
    
    	comment "Stripping options"
    
    	choice
    		prompt "Binary stripping method"
    
    		default USE_STRIP   if USE_GLIBC
    
    		default USE_SSTRIP
    		help
    		  Select the binary stripping method you wish to use.
    
    		config NO_STRIP
    			bool "none"
    			help
    
    			  This will install unstripped binaries (useful for native
    
    
    		config USE_STRIP
    			bool "strip"
    			help
    
    			  This will install binaries stripped using strip from binutils.
    
    
    
    		config USE_SSTRIP
    			bool "sstrip"
    			depends on !USE_GLIBC
    			help
    
    			  This will install binaries stripped using sstrip.
    
    	endchoice
    
    	config STRIP_ARGS
    		string
    		prompt "Strip arguments"
    		depends on USE_STRIP
    		default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
    		default "--strip-all"
    		help
    
    		  Specifies arguments passed to the strip command when stripping binaries.
    
    	config SSTRIP_ARGS
    		string
    		prompt "Sstrip arguments"
    		depends on USE_SSTRIP
    		default "-z"
    		help
    		  Specifies arguments passed to the sstrip command when stripping binaries.
    
    
    	config STRIP_KERNEL_EXPORTS
    		bool "Strip unnecessary exports from the kernel image"
    		help
    
    		  Reduces kernel size by stripping unused kernel exports from the kernel
    		  image.  Note that this might make the kernel incompatible with any kernel
    		  modules that were not selected at the time the kernel image was created.
    
    
    	config USE_MKLIBS
    		bool "Strip unnecessary functions from libraries"
    		help
    		  Reduces libraries to only those functions that are necessary for using all
    
    		  selected packages (including those selected as <M>).  Note that this will
    		  make the system libraries incompatible with most of the packages that are
    		  not selected during the build process.
    
    	comment "Hardening build options"
    
    	config PKG_CHECK_FORMAT_SECURITY
    		bool
    		prompt "Enable gcc format-security"
    
    		help
    		  Add -Wformat -Werror=format-security to the CFLAGS.  You can disable
    		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
    		  Makefile.
    
    
    		prompt "User space ASLR PIE compilation"
    
    		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
    		default PKG_ASLR_PIE_REGULAR
    
    		help
    		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
    		  This enables package build as Position Independent Executables (PIE)
    		  to protect against "return-to-text" attacks. This belongs to the
    		  feature of Address Space Layout Randomisation (ASLR), which is
    		  implemented by the kernel and the ELF loader by randomising the
    		  location of memory allocations. This makes memory addresses harder
    		  to predict when an attacker is attempting a memory-corruption exploit.
    		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
    		  Makefile.
    
    		  Be ware that ASLR increases the binary size.
    		config PKG_ASLR_PIE_NONE
    			bool "None"
    			help
    			  PIE is deactivated for all applications
    		config PKG_ASLR_PIE_REGULAR
    			bool "Regular"
    			help
    			  PIE is activated for some binaries, mostly network exposed applications
    		config PKG_ASLR_PIE_ALL
    			bool "All"
    			select BUSYBOX_DEFAULT_PIE
    			help
    			  PIE is activated for all applications
    	endchoice
    
    	choice
    		prompt "User space Stack-Smashing Protection"
    
    		default PKG_CC_STACKPROTECTOR_REGULAR
    
    		help
    		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
    		config PKG_CC_STACKPROTECTOR_NONE
    			bool "None"
    		config PKG_CC_STACKPROTECTOR_REGULAR
    			bool "Regular"
    		config PKG_CC_STACKPROTECTOR_STRONG
    			bool "Strong"
    	endchoice
    
    	choice
    		prompt "Kernel space Stack-Smashing Protection"
    
    		default KERNEL_CC_STACKPROTECTOR_REGULAR
    
    		help
    		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
    		config KERNEL_CC_STACKPROTECTOR_NONE
    			bool "None"
    		config KERNEL_CC_STACKPROTECTOR_REGULAR
    			bool "Regular"
    		config KERNEL_CC_STACKPROTECTOR_STRONG
    			bool "Strong"
    	endchoice
    
    
    	config KERNEL_STACKPROTECTOR
    
    		bool
    		default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
    
    
    	config KERNEL_STACKPROTECTOR_STRONG
    
    		bool
    		default KERNEL_CC_STACKPROTECTOR_STRONG
    
    
    		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
    
    		help
    		  Enable the _FORTIFY_SOURCE macro which introduces additional
    		  checks to detect buffer-overflows in the following standard library
    		  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
    		  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
    		  gets.  "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
    
    		  checks that shouldn't change the behavior of conforming programs,
    
    		  while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
    		  added, but some conforming programs might fail.
    		config PKG_FORTIFY_SOURCE_NONE
    			bool "None"
    		config PKG_FORTIFY_SOURCE_1
    			bool "Conservative"
    		config PKG_FORTIFY_SOURCE_2
    			bool "Aggressive"
    	endchoice
    
    	choice
    		prompt "Enable RELRO protection"
    
    		default PKG_RELRO_FULL
    
    		  Enable a link-time protection known as RELRO (Relocation Read Only)
    
    		  which helps to protect from certain type of exploitation techniques
    		  altering the content of some ELF sections. "Partial" RELRO makes the
    		  .dynamic section not writeable after initialization, introducing
    		  almost no performance penalty, while "full" RELRO also marks the GOT
    		  as read-only at the cost of initializing all of it at startup.
    		config PKG_RELRO_NONE
    			bool "None"
    		config PKG_RELRO_PARTIAL
    			bool "Partial"
    		config PKG_RELRO_FULL
    			bool "Full"
    	endchoice
    
    
    	config TARGET_ROOTFS_SECURITY_LABELS
    
    		select KERNEL_SQUASHFS_XATTR
    		select KERNEL_EXT4_FS_SECURITY
    		select KERNEL_F2FS_FS_SECURITY
    		select KERNEL_UBIFS_FS_SECURITY
    		select KERNEL_JFFS2_FS_SECURITY
    
    
    	config SELINUX
    		bool "Enable SELinux"
    		select KERNEL_SECURITY_SELINUX
    		select TARGET_ROOTFS_SECURITY_LABELS
    		select PACKAGE_procd-selinux
    		select PACKAGE_busybox-selinux
    
    		  This option enables SELinux kernel features, applies security labels
    		  in squashfs rootfs and selects the selinux-variants of busybox and procd.
    
    		  Selecting this option results in about 0.5MiB of additional flash space
    		  usage accounting for increased kernel and rootfs size.
    
    
    	choice
    		prompt "default SELinux type"
    		depends on TARGET_ROOTFS_SECURITY_LABELS
    
    		default SELINUXTYPE_dssp
    
    		  Select SELinux policy to be installed and used for applying rootfs labels.
    
    
    		config SELINUXTYPE_targeted
    			bool "targeted"
    			select PACKAGE_refpolicy
    
    			help
    			  SELinux Reference Policy (refpolicy)
    
    
    		config SELINUXTYPE_dssp
    			bool "dssp"
    			select PACKAGE_selinux-policy
    
    			help
    			  Defensec SELinux Security Policy -- OpenWrt edition
    
    
    	config SECCOMP
    		bool "Enable SECCOMP"
    		select KERNEL_SECCOMP
    		select PACKAGE_procd-seccomp
    
    		depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
    
    		depends on !TARGET_uml
    		default y
    		help
    		  This option enables seccomp kernel features to safely
    		  execute untrusted bytecode and selects the seccomp-variants
    		  of procd