X-Git-Url: https://git.archive.openwrt.org/?a=blobdiff_plain;f=config%2FConfig-build.in;h=5ad940ba6c235cc222557003640c8a4136b8f2dd;hb=f650c74ddff8e8db6eaec159be90e2025f3f0f6d;hp=89cf964a8ee6f692b853ec57b134148adf49ca40;hpb=1a5eca2660210d05d44e97c25f82f35caba4e35d;p=openwrt.git diff --git a/config/Config-build.in b/config/Config-build.in index 89cf964a8e..5ad940ba6c 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -6,10 +6,18 @@ menu "Global build settings" + config ALL_KMODS + bool "Select all kernel module packages by default" + default ALL + config ALL - bool "Select all packages by default" + bool "Select all userspace packages by default" default n + config SIGNED_PACKAGES + bool "Cryptographically signed package lists" + default y + comment "General build options" config DISPLAY_SUPPORT @@ -32,14 +40,6 @@ menu "Global build settings" iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is used, it is also built with locale support. - config BUILD_STATIC_TOOLS - default n - bool "Attempt to link host utilities statically" - help - Linking host utilities like sed or firmware-utils statically increases the - portability of the generated ImageBuilder and SDK tarballs; however, it may - fail on some Linux distributions. - config SHADOW_PASSWORDS bool prompt "Enable shadow password support" @@ -83,7 +83,7 @@ menu "Global build settings" prompt "Enable IPv6 support in packages" default y help - Enable IPv6 support in packages (passes --enable-ipv6 to configure scripts). + Enables IPv6 support in kernel (builtin) and packages. config PKG_BUILD_PARALLEL bool 
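Review bot: `SIGNED_PACKAGES` in the first hunk is added with `default y` but no `help` text, so someone toggling it in menuconfig cannot tell what is signed or what switching it off costs. I would add a `help` entry along the lines of `Sign the generated package lists so that clients can verify them; disabling this produces unsigned lists.` Where the signing key comes from is not visible in this hunk; if it is generated per build, the help text should say so, because that decides which devices can verify the feed. `ALL_KMODS` in the same hunk also has no help text, though `default ALL` makes its intent easier to guess.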
@@ -97,15 +97,6 @@ menu "Global build settings" If you are unsure, select N. - config PKG_CHECK_FORMAT_SECURITY - bool - prompt "Enable gcc format-security" - default n - help - Add -Wformat -Werror=format-security to the CFLAGS. You can disable - this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package - Makefile. - config PKG_BUILD_USE_JOBSERVER bool prompt "Use top-level make jobserver for packages" @@ -152,7 +143,7 @@ menu "Global build settings" choice prompt "Binary stripping method" default USE_STRIP if EXTERNAL_TOOLCHAIN - default USE_STRIP if USE_GLIBC || USE_EGLIBC || USE_MUSL + default USE_STRIP if USE_GLIBC default USE_SSTRIP help Select the binary stripping method you wish to use. @@ -161,7 +152,7 @@ menu "Global build settings" bool "none" help This will install unstripped binaries (useful for native - compiling/debugging). + compiling/debugging). config USE_STRIP bool "strip" @@ -171,9 +162,7 @@ menu "Global build settings" config USE_SSTRIP bool "sstrip" - depends on !DEBUG depends on !USE_GLIBC - depends on !USE_EGLIBC help This will install binaries stripped using sstrip. endchoice @@ -204,7 +193,7 @@ menu "Global build settings" choice prompt "Preferred standard C++ library" - default USE_LIBSTDCXX if USE_EGLIBC + default USE_LIBSTDCXX if USE_GLIBC default USE_UCLIBCXX help Select the preferred standard C++ library for all packages that support this. 
@@ -216,4 +205,87 @@ menu "Global build settings" bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default y + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space Stack-Smashing Protection" + depends on USE_MUSL + default PKG_CC_STACKPROTECTOR_REGULAR + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select SSP_SUPPORT if !USE_MUSL + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select SSP_SUPPORT if !USE_MUSL + depends on GCC_VERSION_5 + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_REGULAR + depends on USE_MUSL || !(x86_64 || i386) + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + depends on GCC_VERSION_5 + bool "Strong" + endchoice + + choice + prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)" + default PKG_FORTIFY_SOURCE_1 + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that shouldn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. 
+ config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + default PKG_RELRO_FULL + help + Enable a link-time protection known as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu
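Review bot: In the "User space Stack-Smashing Protection" choice, `select SSP_SUPPORT if !USE_MUSL` can never fire because the whole choice `depends on USE_MUSL`, and `PKG_CC_STACKPROTECTOR_REGULAR` and `PKG_CC_STACKPROTECTOR_STRONG` each `depends on` the matching `KERNEL_CC_STACKPROTECTOR_*` symbol. As written, choosing "None" or a different level for the kernel appears to leave the matching userspace level unselectable, so userspace SSP can fall back to `PKG_CC_STACKPROTECTOR_NONE` with no hint in the menu, and non-musl builds get no userspace SSP option at all. If the coupling is intended, state it in the choice's help text, for example `Only available with musl; the level must match the kernel setting.` Otherwise drop the `depends on KERNEL_CC_STACKPROTECTOR_*` lines and either remove the dead `select` or relax the choice's `depends on USE_MUSL`. Separately, the FORTIFY_SOURCE help spells the macro `_FORTIFY_SOURCES` once where it should read `_FORTIFY_SOURCE`.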