mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-21 14:37:57 +00:00
869f8b21e7
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks. This option enhances the stack-smashing protection provided by -fstack-protector-strong. -fstack-protector-all option applies stack protection to all functions, regardless of their characteristics. While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact the performance of the program because every function call includes additional checks for stack integrity. This option can incur a performance penalty because of the extra checks added to every function call, but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code. It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable. Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
414 lines
12 KiB
Plaintext
414 lines
12 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# Copyright (C) 2006-2013 OpenWrt.org
|
|
# Copyright (C) 2016 LEDE Project
|
|
|
|
config EXPERIMENTAL
|
|
bool "Enable experimental features by default"
|
|
help
|
|
Set this option to build with latest bleeding edge features
|
|
which may or may not work as expected.
|
|
If you would like to help the development of OpenWrt, you are
|
|
encouraged to set this option and provide feedback (both
|
|
positive and negative). But do so only if you know how to
|
|
recover your device in case of flashing potentially non-working
|
|
firmware.
|
|
|
|
If you plan to use this build in production, say NO!
|
|
|
|
menu "Global build settings"
|
|
|
|
config JSON_OVERVIEW_IMAGE_INFO
|
|
bool "Create JSON info file overview per target"
|
|
default y
|
|
help
|
|
Create a JSON info file called profiles.json in the target
|
|
directory containing machine readable list of built profiles
|
|
and resulting images.
|
|
|
|
config JSON_CYCLONEDX_SBOM
|
|
bool "Create CycloneDX SBOM JSON"
|
|
default BUILDBOT
|
|
help
|
|
Create a JSON files *.bom.cdx.json in the build
|
|
directory containing Software Bill Of Materials in CycloneDX
|
|
format.
|
|
|
|
config ALL_NONSHARED
|
|
bool "Select all target specific packages by default"
|
|
select ALL_KMODS
|
|
default BUILDBOT
|
|
|
|
config ALL_KMODS
|
|
bool "Select all kernel module packages by default"
|
|
|
|
config ALL
|
|
bool "Select all userspace packages by default"
|
|
select ALL_KMODS
|
|
select ALL_NONSHARED
|
|
|
|
config BUILDBOT
|
|
bool "Set build defaults for automatic builds (e.g. via buildbot)"
|
|
help
|
|
This option changes several defaults to be more suitable for
|
|
automatic builds. This includes the following changes:
|
|
- Deleting build directories after compiling (to save space)
|
|
- Enabling per-device rootfs support
|
|
...
|
|
|
|
config SIGNED_PACKAGES
|
|
bool "Cryptographically signed package lists"
|
|
default y
|
|
|
|
config SIGNATURE_CHECK
|
|
bool "Enable signature checking in opkg"
|
|
default SIGNED_PACKAGES
|
|
|
|
config DOWNLOAD_CHECK_CERTIFICATE
|
|
bool "Enable TLS certificate verification during package download"
|
|
default y
|
|
|
|
comment "General build options"
|
|
|
|
config TESTING_KERNEL
|
|
bool "Use the testing kernel version"
|
|
depends on HAS_TESTING_KERNEL
|
|
default EXPERIMENTAL
|
|
help
|
|
If the target supports a newer kernel version than the default,
|
|
you can use this config option to enable it
|
|
|
|
|
|
config DISPLAY_SUPPORT
|
|
bool "Show packages that require graphics support (local or remote)"
|
|
|
|
config BUILD_PATENTED
|
|
bool "Compile with support for patented functionality"
|
|
help
|
|
When this option is disabled, software which provides patented functionality
|
|
will not be built. In case software provides optional support for patented
|
|
functionality, this optional support will get disabled for this package.
|
|
|
|
config BUILD_NLS
|
|
bool "Compile with full language support"
|
|
help
|
|
When this option is enabled, packages are built with the full versions of
|
|
iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
|
|
used, it is also built with locale support.
|
|
|
|
config SHADOW_PASSWORDS
|
|
bool
|
|
default y
|
|
|
|
config CLEAN_IPKG
|
|
bool
|
|
prompt "Remove ipkg/opkg status data files in final images"
|
|
help
|
|
This removes all ipkg/opkg status data files from the target directory
|
|
before building the root filesystem.
|
|
|
|
config IPK_FILES_CHECKSUMS
|
|
bool
|
|
prompt "Record files checksums in package metadata"
|
|
help
|
|
This makes file checksums part of package metadata. It increases size
|
|
but provides you with pkg_check command to check for flash corruptions.
|
|
|
|
config INCLUDE_CONFIG
|
|
bool "Include build configuration in firmware" if DEVEL
|
|
help
|
|
If enabled, buildinfo files will be stored in /etc/build.* of firmware.
|
|
|
|
config REPRODUCIBLE_DEBUG_INFO
|
|
bool "Make debug information reproducible"
|
|
default BUILDBOT
|
|
help
|
|
This strips the local build path out of debug information. This has the
|
|
advantage of making it reproducible, but the disadvantage of making local
|
|
debugging using ./scripts/remote-gdb harder, since the debug data will
|
|
no longer point to the full path on the build host.
|
|
|
|
config COLLECT_KERNEL_DEBUG
|
|
bool
|
|
prompt "Collect kernel debug information"
|
|
select KERNEL_DEBUG_INFO
|
|
default BUILDBOT
|
|
help
|
|
This collects debugging symbols from the kernel and all compiled modules.
|
|
Useful for release builds, so that kernel issues can be debugged offline
|
|
later.
|
|
|
|
menu "Kernel build options"
|
|
|
|
source "config/Config-kernel.in"
|
|
|
|
endmenu
|
|
|
|
comment "Package build options"
|
|
|
|
config DEBUG
|
|
bool
|
|
prompt "Compile packages with debugging info"
|
|
help
|
|
Adds -g3 to the CFLAGS.
|
|
|
|
config USE_GC_SECTIONS
|
|
bool
|
|
prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
|
|
help
|
|
Places functions and data items into its own sections to use the linker's
|
|
garbage collection capabilites.
|
|
Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections
|
|
|
|
config USE_LTO
|
|
bool
|
|
prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
|
|
help
|
|
Adds LTO flags to the CFLAGS and LDFLAGS.
|
|
Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto
|
|
|
|
config MOLD
|
|
depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
|
|
depends on !GCC_USE_VERSION_11
|
|
def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)
|
|
|
|
config USE_MOLD
|
|
bool
|
|
prompt "Use the mold linker for all packages"
|
|
depends on MOLD
|
|
help
|
|
Link packages with mold, a modern linker
|
|
Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold
|
|
|
|
config IPV6
|
|
def_bool y
|
|
|
|
comment "Stripping options"
|
|
|
|
choice
|
|
prompt "Binary stripping method"
|
|
default USE_STRIP if USE_GLIBC
|
|
default USE_SSTRIP
|
|
help
|
|
Select the binary stripping method you wish to use.
|
|
|
|
config NO_STRIP
|
|
bool "none"
|
|
help
|
|
This will install unstripped binaries (useful for native
|
|
compiling/debugging).
|
|
|
|
config USE_STRIP
|
|
bool "strip"
|
|
help
|
|
This will install binaries stripped using strip from binutils.
|
|
|
|
config USE_SSTRIP
|
|
bool "sstrip"
|
|
depends on !USE_GLIBC
|
|
help
|
|
This will install binaries stripped using sstrip.
|
|
endchoice
|
|
|
|
config STRIP_ARGS
|
|
string
|
|
prompt "Strip arguments"
|
|
depends on USE_STRIP
|
|
default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
|
|
default "--strip-all"
|
|
help
|
|
Specifies arguments passed to the strip command when stripping binaries.
|
|
|
|
config SSTRIP_DISCARD_TRAILING_ZEROES
|
|
bool "Strip trailing zero bytes"
|
|
depends on USE_SSTRIP && !USE_MOLD
|
|
default y
|
|
help
|
|
Use sstrip's -z option to discard trailing zero bytes
|
|
|
|
config STRIP_KERNEL_EXPORTS
|
|
bool "Strip unnecessary exports from the kernel image"
|
|
help
|
|
Reduces kernel size by stripping unused kernel exports from the kernel
|
|
image. Note that this might make the kernel incompatible with any kernel
|
|
modules that were not selected at the time the kernel image was created.
|
|
|
|
config USE_MKLIBS
|
|
bool "Strip unnecessary functions from libraries"
|
|
help
|
|
Reduces libraries to only those functions that are necessary for using all
|
|
selected packages (including those selected as <M>). Note that this will
|
|
make the system libraries incompatible with most of the packages that are
|
|
not selected during the build process.
|
|
|
|
comment "Hardening build options"
|
|
|
|
config PKG_CHECK_FORMAT_SECURITY
|
|
bool
|
|
prompt "Enable gcc format-security"
|
|
default y
|
|
help
|
|
Add -Wformat -Werror=format-security to the CFLAGS. You can disable
|
|
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
|
|
Makefile.
|
|
|
|
choice
|
|
prompt "User space ASLR PIE compilation"
|
|
default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
|
|
default PKG_ASLR_PIE_REGULAR
|
|
help
|
|
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
|
|
This enables package build as Position Independent Executables (PIE)
|
|
to protect against "return-to-text" attacks. This belongs to the
|
|
feature of Address Space Layout Randomisation (ASLR), which is
|
|
implemented by the kernel and the ELF loader by randomising the
|
|
location of memory allocations. This makes memory addresses harder
|
|
to predict when an attacker is attempting a memory-corruption exploit.
|
|
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
|
|
Makefile.
|
|
Be ware that ASLR increases the binary size.
|
|
config PKG_ASLR_PIE_NONE
|
|
bool "None"
|
|
help
|
|
PIE is deactivated for all applications
|
|
config PKG_ASLR_PIE_REGULAR
|
|
bool "Regular"
|
|
help
|
|
PIE is activated for some binaries, mostly network exposed applications
|
|
config PKG_ASLR_PIE_ALL
|
|
bool "All"
|
|
select BUSYBOX_DEFAULT_PIE
|
|
help
|
|
PIE is activated for all applications
|
|
endchoice
|
|
|
|
choice
|
|
prompt "User space Stack-Smashing Protection"
|
|
default PKG_CC_STACKPROTECTOR_REGULAR
|
|
help
|
|
Enable GCC Stack Smashing Protection (SSP) for userspace applications
|
|
config PKG_CC_STACKPROTECTOR_NONE
|
|
bool "None"
|
|
config PKG_CC_STACKPROTECTOR_REGULAR
|
|
bool "Regular"
|
|
config PKG_CC_STACKPROTECTOR_STRONG
|
|
bool "Strong"
|
|
config PKG_CC_STACKPROTECTOR_ALL
|
|
bool "All"
|
|
endchoice
|
|
|
|
choice
|
|
prompt "Kernel space Stack-Smashing Protection"
|
|
default KERNEL_CC_STACKPROTECTOR_REGULAR
|
|
help
|
|
Enable GCC Stack-Smashing Protection (SSP) for the kernel
|
|
config KERNEL_CC_STACKPROTECTOR_NONE
|
|
bool "None"
|
|
config KERNEL_CC_STACKPROTECTOR_REGULAR
|
|
bool "Regular"
|
|
config KERNEL_CC_STACKPROTECTOR_STRONG
|
|
bool "Strong"
|
|
endchoice
|
|
|
|
config KERNEL_STACKPROTECTOR
|
|
bool
|
|
default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG
|
|
|
|
config KERNEL_STACKPROTECTOR_STRONG
|
|
bool
|
|
default KERNEL_CC_STACKPROTECTOR_STRONG
|
|
|
|
choice
|
|
prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
|
|
default PKG_FORTIFY_SOURCE_1
|
|
help
|
|
Enable the _FORTIFY_SOURCE macro which introduces additional
|
|
checks to detect buffer-overflows in the following standard library
|
|
functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
|
|
strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
|
|
gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
|
|
checks that shouldn't change the behavior of conforming programs,
|
|
while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
|
|
added, but some conforming programs might fail.
|
|
config PKG_FORTIFY_SOURCE_NONE
|
|
bool "None"
|
|
config PKG_FORTIFY_SOURCE_1
|
|
bool "Conservative"
|
|
config PKG_FORTIFY_SOURCE_2
|
|
bool "Aggressive"
|
|
endchoice
|
|
|
|
choice
|
|
prompt "Enable RELRO protection"
|
|
default PKG_RELRO_FULL
|
|
help
|
|
Enable a link-time protection known as RELRO (Relocation Read Only)
|
|
which helps to protect from certain type of exploitation techniques
|
|
altering the content of some ELF sections. "Partial" RELRO makes the
|
|
.dynamic section not writeable after initialization, introducing
|
|
almost no performance penalty, while "full" RELRO also marks the GOT
|
|
as read-only at the cost of initializing all of it at startup.
|
|
config PKG_RELRO_NONE
|
|
bool "None"
|
|
config PKG_RELRO_PARTIAL
|
|
bool "Partial"
|
|
config PKG_RELRO_FULL
|
|
bool "Full"
|
|
endchoice
|
|
|
|
config TARGET_ROOTFS_SECURITY_LABELS
|
|
bool
|
|
select KERNEL_SQUASHFS_XATTR
|
|
select KERNEL_EXT4_FS_SECURITY
|
|
select KERNEL_F2FS_FS_SECURITY
|
|
select KERNEL_UBIFS_FS_SECURITY
|
|
select KERNEL_JFFS2_FS_SECURITY
|
|
|
|
config SELINUX
|
|
bool "Enable SELinux"
|
|
select KERNEL_SECURITY_SELINUX
|
|
select TARGET_ROOTFS_SECURITY_LABELS
|
|
select PACKAGE_procd-selinux
|
|
select PACKAGE_busybox-selinux
|
|
help
|
|
This option enables SELinux kernel features, applies security labels
|
|
in squashfs rootfs and selects the selinux-variants of busybox and procd.
|
|
|
|
Selecting this option results in about 0.5MiB of additional flash space
|
|
usage accounting for increased kernel and rootfs size.
|
|
|
|
choice
|
|
prompt "default SELinux type"
|
|
depends on TARGET_ROOTFS_SECURITY_LABELS
|
|
default SELINUXTYPE_dssp
|
|
help
|
|
Select SELinux policy to be installed and used for applying rootfs labels.
|
|
|
|
config SELINUXTYPE_targeted
|
|
bool "targeted"
|
|
select PACKAGE_refpolicy
|
|
help
|
|
SELinux Reference Policy (refpolicy)
|
|
|
|
config SELINUXTYPE_dssp
|
|
bool "dssp"
|
|
select PACKAGE_selinux-policy
|
|
help
|
|
Defensec SELinux Security Policy -- OpenWrt edition
|
|
|
|
endchoice
|
|
|
|
config SECCOMP
|
|
bool "Enable SECCOMP"
|
|
select KERNEL_SECCOMP
|
|
select PACKAGE_procd-seccomp
|
|
depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
|
|
depends on !TARGET_uml
|
|
default y
|
|
help
|
|
This option enables seccomp kernel features to safely
|
|
execute untrusted bytecode and selects the seccomp-variants
|
|
of procd
|
|
|
|
endmenu
|