openwrt/config/Config-build.in

439 lines
13 KiB
Plaintext
Raw Normal View History

# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project
config EXPERIMENTAL
bool "Enable experimental features by default"
help
Set this option to build with latest bleeding edge features
which may or may not work as expected.
If you would like to help the development of OpenWrt, you are
encouraged to set this option and provide feedback (both
positive and negative). But do so only if you know how to
recover your device in case of flashing potentially non-working
firmware.
If you plan to use this build in production, say NO!
menu "Global build settings"
config JSON_OVERVIEW_IMAGE_INFO
bool "Create JSON info file overview per target"
default y
help
Create a JSON info file called profiles.json in the target
directory containing machine readable list of built profiles
and resulting images.
config JSON_CYCLONEDX_SBOM
bool "Create CycloneDX SBOM JSON"
default BUILDBOT
help
Create a JSON files *.bom.cdx.json in the build
directory containing Software Bill Of Materials in CycloneDX
format.
config ALL_NONSHARED
bool "Select all target specific packages by default"
select ALL_KMODS
default BUILDBOT
config ALL_KMODS
bool "Select all kernel module packages by default"
config ALL
bool "Select all userspace packages by default"
select ALL_KMODS
select ALL_NONSHARED
config BUILDBOT
bool "Set build defaults for automatic builds (e.g. via buildbot)"
help
This option changes several defaults to be more suitable for
automatic builds. This includes the following changes:
- Deleting build directories after compiling (to save space)
- Enabling per-device rootfs support
...
config SIGNED_PACKAGES
bool "Cryptographically signed package lists"
default y
config SIGNATURE_CHECK
bool "Enable signature checking in opkg"
default SIGNED_PACKAGES
config DOWNLOAD_CHECK_CERTIFICATE
bool "Enable TLS certificate verification during package download"
default y
config USE_APK
imply PACKAGE_apk-mbedtls
bool "Use APK instead of OPKG to build distribution (EXPERIMENTAL)"
default y
comment "General build options"
config TESTING_KERNEL
bool "Use the testing kernel version"
depends on HAS_TESTING_KERNEL
default EXPERIMENTAL
help
If the target supports a newer kernel version than the default,
you can use this config option to enable it
config DISPLAY_SUPPORT
bool "Show packages that require graphics support (local or remote)"
config BUILD_PATENTED
bool "Compile with support for patented functionality"
help
When this option is disabled, software which provides patented functionality
will not be built. In case software provides optional support for patented
functionality, this optional support will get disabled for this package.
config BUILD_NLS
bool "Compile with full language support"
help
When this option is enabled, packages are built with the full versions of
iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
used, it is also built with locale support.
config SHADOW_PASSWORDS
bool
default y
config CLEAN_IPKG
bool
prompt "Remove ipkg/opkg status data files in final images"
help
This removes all ipkg/opkg status data files from the target directory
before building the root filesystem.
config IPK_FILES_CHECKSUMS
bool
prompt "Record files checksums in package metadata"
depends on !USE_APK
help
This makes file checksums part of package metadata. It increases size
but provides you with pkg_check command to check for flash corruptions.
config INCLUDE_CONFIG
bool "Include build configuration in firmware" if DEVEL
help
If enabled, buildinfo files will be stored in /etc/build.* of firmware.
config REPRODUCIBLE_DEBUG_INFO
bool "Make debug information reproducible"
default BUILDBOT
help
This strips the local build path out of debug information. This has the
advantage of making it reproducible, but the disadvantage of making local
debugging using ./scripts/remote-gdb harder, since the debug data will
no longer point to the full path on the build host.
config COLLECT_KERNEL_DEBUG
bool
prompt "Collect kernel debug information"
select KERNEL_DEBUG_INFO
default BUILDBOT
help
This collects debugging symbols from the kernel and all compiled modules.
Useful for release builds, so that kernel issues can be debugged offline
later.
menu "Kernel build options"
source "config/Config-kernel.in"
endmenu
comment "Package build options"
config DEBUG
bool
prompt "Compile packages with debugging info"
help
Adds -g3 to the CFLAGS.
config USE_GC_SECTIONS
bool
prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
help
Places functions and data items into its own sections to use the linker's
garbage collection capabilites.
Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
config USE_LTO
bool
prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
help
Adds LTO flags to the CFLAGS and LDFLAGS.
Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
config MOLD
depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
depends on !GCC_USE_VERSION_11
def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
config USE_MOLD
bool
prompt "Use the mold linker for all packages"
depends on MOLD
help
Link packages with mold, a modern linker
Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
config IPV6
def_bool y
comment "Stripping options"
choice
prompt "Binary stripping method"
default USE_STRIP if USE_GLIBC
default USE_SSTRIP
help
Select the binary stripping method you wish to use.
config NO_STRIP
bool "none"
help
This will install unstripped binaries (useful for native
compiling/debugging).
config USE_STRIP
bool "strip"
help
This will install binaries stripped using strip from binutils.
config USE_SSTRIP
bool "sstrip"
depends on !USE_GLIBC
help
This will install binaries stripped using sstrip.
endchoice
config STRIP_ARGS
string
prompt "Strip arguments"
depends on USE_STRIP
default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
default "--strip-all"
help
Specifies arguments passed to the strip command when stripping binaries.
config SSTRIP_DISCARD_TRAILING_ZEROES
bool "Strip trailing zero bytes"
depends on USE_SSTRIP && !USE_MOLD
default y
help
Use sstrip's -z option to discard trailing zero bytes
config STRIP_KERNEL_EXPORTS
bool "Strip unnecessary exports from the kernel image"
depends on BROKEN
help
Reduces kernel size by stripping unused kernel exports from the kernel
image. Note that this might make the kernel incompatible with any kernel
modules that were not selected at the time the kernel image was created.
config USE_MKLIBS
bool "Strip unnecessary functions from libraries"
help
Reduces libraries to only those functions that are necessary for using all
selected packages (including those selected as <M>). Note that this will
make the system libraries incompatible with most of the packages that are
not selected during the build process.
comment "Hardening build options"
config PKG_CHECK_FORMAT_SECURITY
bool
prompt "Enable gcc format-security"
default y
help
Add -Wformat -Werror=format-security to the CFLAGS. You can disable
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
choice
prompt "User space ASLR PIE compilation"
default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
default PKG_ASLR_PIE_REGULAR
help
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This enables package build as Position Independent Executables (PIE)
to protect against "return-to-text" attacks. This belongs to the
feature of Address Space Layout Randomisation (ASLR), which is
implemented by the kernel and the ELF loader by randomising the
location of memory allocations. This makes memory addresses harder
to predict when an attacker is attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Makefile.
Be ware that ASLR increases the binary size.
config PKG_ASLR_PIE_NONE
bool "None"
help
PIE is deactivated for all applications
config PKG_ASLR_PIE_REGULAR
bool "Regular"
help
PIE is activated for some binaries, mostly network exposed applications
config PKG_ASLR_PIE_ALL
bool "All"
select BUSYBOX_DEFAULT_PIE
help
PIE is activated for all applications
endchoice
choice
prompt "User space Stack-Smashing Protection"
default PKG_CC_STACKPROTECTOR_REGULAR
help
Enable GCC Stack Smashing Protection (SSP) for userspace applications
config PKG_CC_STACKPROTECTOR_NONE
bool "None"
help
No stack smashing protection.
config PKG_CC_STACKPROTECTOR_REGULAR
bool "Regular"
help
Protects functions with vulnerable objects.
This includes functions with buffers larger than 8 bytes or calls to alloca.
config PKG_CC_STACKPROTECTOR_STRONG
bool "Strong"
help
Like Regular, but also protects functions with
local arrays or references to local frame addresses.
config PKG_CC_STACKPROTECTOR_ALL
bool "All"
help
Protects all functions.
endchoice
choice
prompt "Kernel space Stack-Smashing Protection"
default KERNEL_CC_STACKPROTECTOR_REGULAR
help
Enable GCC Stack-Smashing Protection (SSP) for the kernel
config KERNEL_CC_STACKPROTECTOR_NONE
bool "None"
help
No stack smashing protection.
config KERNEL_CC_STACKPROTECTOR_REGULAR
bool "Regular"
help
Protects functions with vulnerable objects.
This includes functions with buffers larger than 8 bytes or calls to alloca.
config KERNEL_CC_STACKPROTECTOR_STRONG
bool "Strong"
help
Like Regular, but also protects functions with
local arrays or references to local frame addresses.
endchoice
config KERNEL_STACKPROTECTOR
bool
default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
config KERNEL_STACKPROTECTOR_STRONG
bool
default KERNEL_CC_STACKPROTECTOR_STRONG
choice
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
default PKG_FORTIFY_SOURCE_1
help
Enable the _FORTIFY_SOURCE macro which introduces additional
checks to detect buffer-overflows in the following standard library
functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
checks that shouldn't change the behavior of conforming programs,
while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
added, but some conforming programs might fail.
config PKG_FORTIFY_SOURCE_NONE
bool "None"
config PKG_FORTIFY_SOURCE_1
bool "Conservative"
config PKG_FORTIFY_SOURCE_2
bool "Aggressive"
endchoice
choice
prompt "Enable RELRO protection"
default PKG_RELRO_FULL
help
Enable a link-time protection known as RELRO (Relocation Read Only)
which helps to protect from certain type of exploitation techniques
altering the content of some ELF sections. "Partial" RELRO makes the
.dynamic section not writeable after initialization, introducing
almost no performance penalty, while "full" RELRO also marks the GOT
as read-only at the cost of initializing all of it at startup.
config PKG_RELRO_NONE
bool "None"
config PKG_RELRO_PARTIAL
bool "Partial"
config PKG_RELRO_FULL
bool "Full"
endchoice
config TARGET_ROOTFS_SECURITY_LABELS
bool
select KERNEL_SQUASHFS_XATTR
select KERNEL_EXT4_FS_SECURITY
select KERNEL_F2FS_FS_SECURITY
select KERNEL_UBIFS_FS_SECURITY
select KERNEL_JFFS2_FS_SECURITY
config SELINUX
bool "Enable SELinux"
select KERNEL_SECURITY_SELINUX
select TARGET_ROOTFS_SECURITY_LABELS
select PACKAGE_procd-selinux
select PACKAGE_busybox-selinux
help
This option enables SELinux kernel features, applies security labels
in squashfs rootfs and selects the selinux-variants of busybox and procd.
Selecting this option results in about 0.5MiB of additional flash space
usage accounting for increased kernel and rootfs size.
choice
prompt "default SELinux type"
depends on TARGET_ROOTFS_SECURITY_LABELS
default SELINUXTYPE_dssp
help
Select SELinux policy to be installed and used for applying rootfs labels.
config SELINUXTYPE_targeted
bool "targeted"
select PACKAGE_refpolicy
help
SELinux Reference Policy (refpolicy)
config SELINUXTYPE_dssp
bool "dssp"
select PACKAGE_selinux-policy
help
Defensec SELinux Security Policy -- OpenWrt edition
endchoice
config SECCOMP
bool "Enable SECCOMP"
select KERNEL_SECCOMP
select PACKAGE_procd-seccomp
depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
depends on !TARGET_uml
default y
help
This option enables seccomp kernel features to safely
execute untrusted bytecode and selects the seccomp-variants
of procd
endmenu