| # |
| |
| mainmenu "Buildroot $BR2_VERSION Configuration" |
| |
| config BR2_HAVE_DOT_CONFIG |
| bool |
| default y |
| |
| config BR2_VERSION |
| string |
| option env="BR2_VERSION_FULL" |
| |
| config BR2_HOSTARCH |
| string |
| option env="HOSTARCH" |
| |
| config BR2_BASE_DIR |
| string |
| option env="BASE_DIR" |
| |
| # br2-external paths definitions |
| source "$BR2_BASE_DIR/.br2-external.in.paths" |
| |
| # Hidden config symbols for packages to check system gcc version |
| config BR2_HOST_GCC_VERSION |
| string |
| option env="HOST_GCC_VERSION" |
| |
| config BR2_HOST_GCC_AT_LEAST_4_9 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "4 9" |
| |
| config BR2_HOST_GCC_AT_LEAST_5 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "5" |
| select BR2_HOST_GCC_AT_LEAST_4_9 |
| |
| config BR2_HOST_GCC_AT_LEAST_6 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "6" |
| select BR2_HOST_GCC_AT_LEAST_5 |
| |
| config BR2_HOST_GCC_AT_LEAST_7 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "7" |
| select BR2_HOST_GCC_AT_LEAST_6 |
| |
| config BR2_HOST_GCC_AT_LEAST_8 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "8" |
| select BR2_HOST_GCC_AT_LEAST_7 |
| |
| config BR2_HOST_GCC_AT_LEAST_9 |
| bool |
| default y if BR2_HOST_GCC_VERSION = "9" |
| select BR2_HOST_GCC_AT_LEAST_8 |
| |
| # When adding new entries above, be sure to update |
| # the HOSTCC_MAX_VERSION variable in the Makefile. |
| |
| # Hidden boolean selected by packages in need of Java in order to build |
| # (example: kodi) |
| config BR2_NEEDS_HOST_JAVA |
| bool |
| |
| # Hidden boolean selected by pre-built packages for x86, when they |
| # need to run on x86-64 machines (example: pre-built external |
| # toolchains, binary tools like SAM-BA, etc.). |
| config BR2_HOSTARCH_NEEDS_IA32_LIBS |
| bool |
| |
| # Hidden boolean selected by packages that need to build 32-bit |
| # binaries with the host compiler, even on 64-bit build machines (e.g. |
| # bootloaders). |
| config BR2_HOSTARCH_NEEDS_IA32_COMPILER |
| bool |
| |
| # Hidden boolean selected by packages that need the host to have an |
| # UTF8 locale. |
| config BR2_NEEDS_HOST_UTF8_LOCALE |
| bool |
| |
| source "arch/Config.in" |
| |
| menu "Build options" |
| |
| menu "Commands" |
| |
| # Base wget invocation offered to the user as the "Wget command". |
| # The default sets passive FTP, no directory hierarchy (-nd) and three |
| # tries (-t 3); it carries no TLS-related flags, so certificate |
| # verification is whatever wget does by default. |
| # NOTE(review): presumably this string is reused for every wget-based |
| # fetch, so an option that disables certificate checking here would |
| # apply to all of them - confirm against the download helpers. |
| config BR2_WGET |
| string "Wget command" |
| default "wget --passive-ftp -nd -t 3" |
| |
| config BR2_SVN |
| string "Subversion (svn) command" |
| default "svn --non-interactive" |
| |
| config BR2_BZR |
| string "Bazaar (bzr) command" |
| default "bzr" |
| |
| config BR2_GIT |
| string "Git command" |
| default "git" |
| |
| config BR2_CVS |
| string "CVS command" |
| default "cvs" |
| |
| config BR2_LOCALFILES |
| string "Local files retrieval command" |
| default "cp" |
| |
| config BR2_SCP |
| string "Secure copy (scp) command" |
| default "scp" |
| |
| config BR2_HG |
| string "Mercurial (hg) command" |
| default "hg" |
| |
| config BR2_ZCAT |
| string "zcat command" |
| default "gzip -d -c" |
| help |
| Command to be used to extract a gzip'ed file to stdout. zcat |
| is identical to gunzip -c except that the former may not be |
| available on your system. |
| Default is "gzip -d -c" |
| Other possible values include "gunzip -c" or "zcat". |
| |
| config BR2_BZCAT |
| string "bzcat command" |
| default "bzcat" |
| help |
| Command to be used to extract a bzip2'ed file to stdout. |
| bzcat is identical to bunzip2 -c except that the former may |
| not be available on your system. |
| Default is "bzcat" |
| Other possible values include "bunzip2 -c" or "bzip2 -d -c". |
| |
| config BR2_XZCAT |
| string "xzcat command" |
| default "xzcat" |
| help |
| Command to be used to extract a xz'ed file to stdout. |
| Default is "xzcat" |
| |
| config BR2_LZCAT |
| string "lzcat command" |
| default "lzip -d -c" |
| help |
| Command to be used to extract a lzip'ed file to stdout. |
| Default is "lzip -d -c" |
| |
| config BR2_TAR_OPTIONS |
| string "Tar options" |
| default "" |
| help |
| Options to pass to tar when extracting the sources. |
| E.g. " -v --exclude='*.svn*'" to exclude all .svn internal |
| files and to be verbose. |
| |
| endmenu |
| |
| config BR2_DEFCONFIG_FROM_ENV |
| string |
| option env="BR2_DEFCONFIG" |
| |
| config BR2_DEFCONFIG |
| string "Location to save buildroot config" |
| default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != "" |
| default "$(CONFIG_DIR)/defconfig" |
| help |
| When running 'make savedefconfig', the defconfig file will be |
| saved in this location. |
| |
| config BR2_DL_DIR |
| string "Download dir" |
| default "$(TOPDIR)/dl" |
| help |
| Directory to store all the source files that we need to fetch. |
| If the Linux shell environment has defined the BR2_DL_DIR |
| environment variable, then this overrides this configuration |
| item. |
| The directory is organized with a subdirectory for each |
| package. Each package has its own $(LIBFOO_DL_DIR) variable |
| that can be used to find the correct path. |
| |
| The default is $(TOPDIR)/dl |
| |
| config BR2_HOST_DIR |
| string "Host dir" |
| default "$(BASE_DIR)/host" |
| help |
| Directory to store all the binary files that are built for the |
| host. This includes the cross compilation toolchain when |
| building the internal buildroot toolchain. |
| |
| The default is $(BASE_DIR)/host |
| |
| menu "Mirrors and Download locations" |
| |
| # Empty by default, so no primary site is consulted unless one is set. |
| # Per the help, when set it is tried first and the default location is |
| # still used if the file is not found there. |
| # NOTE(review): "URIs recognized by $(WGET)" includes unencrypted |
| # schemes; for an internal mirror prefer an https:// or scp:// |
| # location so the transport itself is authenticated. |
| config BR2_PRIMARY_SITE |
| string "Primary download site" |
| default "" |
| help |
| Primary site to download from. If this option is set then |
| buildroot will try to download package source first from this |
| site and try the default if the file is not found. |
| Valid URIs are: |
| - URIs recognized by $(WGET) |
| - local URIs of the form file://absolutepath |
| - scp URIs of the form scp://[user@]host:path. |
| |
| # Only visible once BR2_PRIMARY_SITE is non-empty; off by default |
| # (bool with no default line). When enabled, the |
| # "if !BR2_PRIMARY_SITE_ONLY" block that follows hides the backup site |
| # and the kernel.org/GNU/LuaRocks/CPAN mirror options. |
| # NOTE(review): besides the availability benefit described in the |
| # help, this is the setting that confines source fetching to a single |
| # controlled location. |
| config BR2_PRIMARY_SITE_ONLY |
| bool "Only allow downloads from primary download site" |
| depends on BR2_PRIMARY_SITE != "" |
| help |
| If this option is enabled, downloads will only be attempted |
| from the primary download site. Other locations, like the |
| package's official download location or the backup download |
| site, will not be considered. Therefore, if the package is not |
| present on the primary site, the download fails. |
| |
| This is useful for project developers who want to ensure that |
| the project can be built even if the upstream tarball |
| locations disappear. |
| |
| if !BR2_PRIMARY_SITE_ONLY |
| |
| # Fallback location used when the normal download location fails. |
| # NOTE(review): the default is a plain http:// URL, so the transfer |
| # is not authenticated; integrity of anything fetched from here then |
| # rests on whatever hash verification the download infrastructure |
| # applies (not visible in this file) - confirm it covers every |
| # package in use, or point this at an HTTPS mirror. |
| config BR2_BACKUP_SITE |
| string "Backup download site" |
| default "http://sources.buildroot.net" |
| help |
| Backup site to download from. If this option is set then |
| buildroot will fall back to download package sources from here |
| if the normal location fails. |
| |
| config BR2_KERNEL_MIRROR |
| string "Kernel.org mirror" |
| default "https://cdn.kernel.org/pub" |
| help |
| kernel.org is mirrored on a number of servers around the |
| world. The following allows you to select your preferred |
| mirror. By default, a CDN is used, which automatically |
| redirects to a mirror geographically close to you. |
| |
| Have a look on the kernel.org site for a list of mirrors, then |
| enter the URL to the base directory. Examples: |
| |
| http://www.XX.kernel.org/pub (XX = country code) |
| http://mirror.aarnet.edu.au/pub/ftp.kernel.org |
| |
| # Base URL for GNU software downloads. |
| # NOTE(review): both the default and the examples in the help are |
| # plain http:// URLs; the download is then only as trustworthy as the |
| # hash check applied afterwards (not visible in this file). Prefer an |
| # https:// mirror where one is available. |
| config BR2_GNU_MIRROR |
| string "GNU Software mirror" |
| default "http://ftpmirror.gnu.org" |
| help |
| GNU has multiple software mirrors scattered around the |
| world. The following allows you to select your preferred |
| mirror. By default, a generic address is used, which |
| automatically selects an up-to-date and local mirror. |
| |
| Have a look on the gnu.org site for a list of mirrors, then |
| enter the URL to the base directory. Examples: |
| |
| http://ftp.gnu.org/pub/gnu |
| http://mirror.aarnet.edu.au/pub/gnu |
| |
| # Base URL of the LuaRocks repository used for Lua packages. |
| # NOTE(review): the default is a plain http:// URL; confirm that |
| # packages fetched through it are hash-checked, or set an https:// |
| # mirror. |
| config BR2_LUAROCKS_MIRROR |
| string "LuaRocks mirror" |
| default "http://rocks.moonscript.org" |
| help |
| LuaRocks repository. |
| |
| See http://luarocks.org |
| |
| # Base URL of the CPAN mirror used for Perl packages. |
| # NOTE(review): the default is a plain http:// URL; confirm that |
| # packages fetched through it are hash-checked, or set an https:// |
| # mirror. |
| config BR2_CPAN_MIRROR |
| string "CPAN mirror (Perl packages)" |
| default "http://cpan.metacpan.org" |
| help |
| CPAN (Comprehensive Perl Archive Network) is a repository of |
| Perl packages. It has multiple software mirrors scattered |
| around the world. This option allows you to select a mirror. |
| |
| The list of mirrors is available at: |
| http://search.cpan.org/mirror |
| |
| endif |
| |
| endmenu |
| |
| config BR2_JLEVEL |
| int "Number of jobs to run simultaneously (0 for auto)" |
| default "0" |
| help |
| Number of jobs to run simultaneously. If 0, determine |
| automatically according to number of CPUs on the host system. |
| |
| # Off by default (bool with no default line). |
| # NOTE(review): per the help, cached objects are reused across builds |
| # and Buildroot does not invalidate them; the cache is therefore an |
| # input to the build. Keep the cache directory writable only by the |
| # build user and purge it when the toolchain changes. |
| config BR2_CCACHE |
| bool "Enable compiler cache" |
| help |
| This option will enable the use of ccache, a compiler cache. |
| It will cache the result of previous builds to speed up future |
| builds. By default, the cache is stored in |
| $HOME/.buildroot-ccache. |
| |
| Note that Buildroot does not try to invalidate the cache |
| contents when the compiler changes in an incompatible way. |
| Therefore, if you make a change to the compiler version and/or |
| configuration, you are responsible for purging the ccache |
| cache by removing the $HOME/.buildroot-ccache directory. |
| |
| if BR2_CCACHE |
| |
| # Location of the ccache store; only offered when BR2_CCACHE is set. |
| # Per the help, a BR2_CCACHE_DIR environment variable takes |
| # precedence over the value saved in the configuration. |
| # NOTE(review): on shared build hosts check which of the two is in |
| # effect, and that the resulting directory is not writable by other |
| # users. |
| config BR2_CCACHE_DIR |
| string "Compiler cache location" |
| default "$(HOME)/.buildroot-ccache" |
| help |
| Where ccache should store cached files. |
| If the Linux shell environment has defined the BR2_CCACHE_DIR |
| environment variable, then this overrides this configuration |
| item. |
| |
| config BR2_CCACHE_INITIAL_SETUP |
| string "Compiler cache initial setup" |
| help |
| Initial ccache settings to apply, such as --max-files or |
| --max-size. |
| |
| For example, if your project is known to require more space |
| than the default max cache size, then you might want to |
| increase the cache size to a suitable amount using the -M |
| (--max-size) option. |
| |
| The string you specify here is passed verbatim to ccache. |
| Refer to ccache documentation for more details. |
| |
| These initial settings are applied after ccache has been |
| compiled. |
| |
| config BR2_CCACHE_USE_BASEDIR |
| bool "Use relative paths" |
| default y |
| help |
| Allow ccache to convert absolute paths within the output |
| directory into relative paths. |
| |
| During the build, many -I include directives are given with an |
| absolute path. These absolute paths end up in the hashes that |
| are computed by ccache. Therefore, when you build from a |
| different directory, the hash will be different and the cached |
| object will not be used. |
| |
| To improve cache performance, set this option to y. This |
| allows ccache to rewrite absolute paths within the output |
| directory into relative paths. Note that only paths within the |
| output directory will be rewritten; therefore, if you change |
| BR2_HOST_DIR to point outside the output directory and |
| subsequently move it to a different location, this will lead |
| to cache misses. |
| |
| This option has as a result that the debug information in the |
| object files also has only relative paths. Therefore, make |
| sure you cd to the build directory before starting gdb. See |
| the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache |
| manual for more information. |
| |
| endif |
| |
| config BR2_ENABLE_DEBUG |
| bool "build packages with debugging symbols" |
| help |
| Build packages with debugging symbols enabled. All libraries |
| and binaries in the 'staging' directory will have debugging |
| symbols, which allows remote debugging even if libraries and |
| binaries are stripped on the target. Whether libraries and |
| binaries are stripped on the target is controlled by the |
| BR2_STRIP_* options below. |
| |
| if BR2_ENABLE_DEBUG |
| choice |
| prompt "gcc debug level" |
| default BR2_DEBUG_2 |
| help |
| Set the debug level for gcc |
| |
| config BR2_DEBUG_1 |
| bool "debug level 1" |
| help |
| Debug level 1 produces minimal information, enough for making |
| backtraces in parts of the program that you don't plan to |
| debug. This includes descriptions of functions and external |
| variables, but no information about local variables and no |
| line numbers. |
| |
| config BR2_DEBUG_2 |
| bool "debug level 2" |
| help |
| The default gcc debug level is 2 |
| |
| config BR2_DEBUG_3 |
| bool "debug level 3" |
| help |
| Level 3 includes extra information, such as all the macro |
| definitions present in the program. Some debuggers support |
| macro expansion when you use -g3. |
| endchoice |
| endif |
| |
| config BR2_STRIP_strip |
| bool "strip target binaries" |
| default y |
| depends on !BR2_PACKAGE_HOST_ELF2FLT |
| help |
| Binaries and libraries in the target filesystem will be |
| stripped using the normal 'strip' command. This saves |
| space, mainly by removing debugging symbols. Debugging symbols |
| on the target are needed for native debugging, but not when |
| remote debugging is used. |
| |
| config BR2_STRIP_EXCLUDE_FILES |
| string "executables that should not be stripped" |
| default "" |
| depends on BR2_STRIP_strip |
| help |
| You may specify a space-separated list of binaries and |
| libraries here that should not be stripped on the target. |
| |
| config BR2_STRIP_EXCLUDE_DIRS |
| string "directories that should be skipped when stripping" |
| default "" |
| depends on BR2_STRIP_strip |
| help |
| You may specify a space-separated list of directories that |
| should be skipped when stripping. Binaries and libraries in |
| these directories will not be touched. The directories should |
| be specified relative to the target directory, without leading |
| slash. |
| |
| choice |
| prompt "gcc optimization level" |
| default BR2_OPTIMIZE_S |
| help |
| Set the optimization level for gcc |
| |
| config BR2_OPTIMIZE_0 |
| bool "optimization level 0" |
| help |
| Do not optimize. |
| |
| config BR2_OPTIMIZE_1 |
| bool "optimization level 1" |
| help |
| Optimize. Optimizing compilation takes somewhat more time, and |
| a lot more memory for a large function. With -O, the compiler |
| tries to reduce code size and execution time, without |
| performing any optimizations that take a great deal of |
| compilation time. -O turns on the following optimization |
| flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability |
| -fcprop-registers -floop-optimize -fif-conversion |
| -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts |
| -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename |
| -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O |
| also turns on -fomit-frame-pointer on machines where doing so |
| does not interfere with debugging. |
| |
| config BR2_OPTIMIZE_2 |
| bool "optimization level 2" |
| help |
| Optimize even more. GCC performs nearly all supported |
| optimizations that do not involve a space-speed tradeoff. The |
| compiler does not perform loop unrolling or function inlining |
| when you specify -O2. As compared to -O, this option increases |
| both compilation time and the performance of the generated |
| code. -O2 turns on all optimization flags specified by -O. It |
| also turns on the following optimization flags: |
| -fthread-jumps -fcrossjumping -foptimize-sibling-calls |
| -fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm |
| -fexpensive-optimizations -fstrength-reduce |
| -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves |
| -fpeephole2 -fschedule-insns -fschedule-insns2 |
| -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing |
| -fdelete-null-pointer-checks -freorder-blocks |
| -freorder-functions -falign-functions -falign-jumps |
| -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please |
| note the warning under -fgcse about invoking -O2 on programs |
| that use computed gotos. |
| |
| config BR2_OPTIMIZE_3 |
| bool "optimization level 3" |
| help |
| Optimize yet more. -O3 turns on all optimizations specified by |
| -O2 and also turns on the -finline-functions, -funswitch-loops |
| and -fgcse-after-reload options. |
| |
| config BR2_OPTIMIZE_G |
| bool "optimize for debugging" |
| depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 |
| help |
| Optimize for debugging. This enables optimizations that do not |
| interfere with debugging. It should be the optimization level |
| of choice for the standard edit-compile-debug cycle, offering |
| a reasonable level of optimization while maintaining fast |
| compilation and a good debugging experience. |
| |
| config BR2_OPTIMIZE_S |
| bool "optimize for size" |
| help |
| Optimize for size. -Os enables all -O2 optimizations that do |
| not typically increase code size. It also performs further |
| optimizations designed to reduce code size. -Os disables the |
| following optimization flags: -falign-functions -falign-jumps |
| -falign-loops -falign-labels -freorder-blocks |
| -freorder-blocks-and-partition -fprefetch-loop-arrays |
| -ftree-vect-loop-version |
| This is the default. |
| |
| config BR2_OPTIMIZE_FAST |
| bool "optimize for fast (may break packages!)" |
| depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6 |
| help |
| Optimize for fast. Disregard strict standards |
| compliance. -Ofast enables all -O3 optimizations. It also |
| enables optimizations that are not valid for all |
| standard-compliant programs, so be careful, as it may break |
| some packages. It turns on -ffast-math and the |
| Fortran-specific -fstack-arrays, unless -fmax-stack-var-size |
| is specified, and -fno-protect-parens. |
| |
| endchoice |
| |
| config BR2_GOOGLE_BREAKPAD_ENABLE |
| bool "Enable google-breakpad support" |
| depends on BR2_INSTALL_LIBSTDCPP |
| depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # C++11 |
| depends on BR2_USE_WCHAR |
| depends on BR2_TOOLCHAIN_HAS_THREADS |
| depends on (BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_UCLIBC) |
| depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS |
| depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS |
| select BR2_PACKAGE_GOOGLE_BREAKPAD |
| help |
| This option will enable the use of google breakpad, a library |
| and tool suite that allows you to distribute an application to |
| users with compiler-provided debugging information removed, |
| record crashes in compact "minidump" files, send them back to |
| your server and produce C and C++ stack traces from these |
| minidumps. Breakpad can also write minidumps on request for |
| programs that have not crashed. |
| |
| if BR2_GOOGLE_BREAKPAD_ENABLE |
| |
| config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES |
| string "List of executables and libraries to extract symbols from" |
| default "" |
| help |
| You may specify a space-separated list of binaries and |
| libraries with full paths relative to $(TARGET_DIR) of which |
| debug symbols will be dumped for further use with google |
| breakpad. |
| |
| A directory structure that can be used by minidump-stackwalk |
| will be created at: |
| |
| $(STAGING_DIR)/usr/share/google-breakpad-symbols |
| |
| endif |
| |
| choice |
| bool "libraries" |
| default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED |
| default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED |
| help |
| Select the type of libraries you want to use on the target. |
| |
| The default is to build dynamic libraries and use those on the |
| target filesystem, except when the architecture and/or the |
| selected binary format does not support shared libraries. |
| |
| config BR2_STATIC_LIBS |
| bool "static only" |
| help |
| Build and use only static libraries. No shared libraries will |
| be installed on the target. This potentially increases your |
| code size and should only be used if you know what you are |
| doing. Note that some packages may not be available when this |
| option is enabled, due to their need for dynamic library |
| support. |
| |
| config BR2_SHARED_LIBS |
| bool "shared only" |
| depends on BR2_BINFMT_SUPPORTS_SHARED |
| help |
| Build and use only shared libraries. This is the recommended |
| solution as it saves space and build time. |
| |
| config BR2_SHARED_STATIC_LIBS |
| bool "both static and shared" |
| depends on BR2_BINFMT_SUPPORTS_SHARED |
| help |
| Build both shared and static libraries, but link executables |
| dynamically. While building both shared and static libraries |
| takes more time and more disk space, having static libraries |
| may be useful to link some of the applications statically. |
| |
| endchoice |
| |
| # Path of an optional makefile fragment; defaults to local.mk in the |
| # configuration directory. Per the help, <pkg>_OVERRIDE_SRCDIR makes |
| # Buildroot build a package from an existing local directory. |
| # NOTE(review): an overridden package presumably no longer reflects |
| # the downloaded upstream source - for release builds, check that |
| # this file is absent or reviewed. |
| config BR2_PACKAGE_OVERRIDE_FILE |
| string "location of a package override file" |
| default "$(CONFIG_DIR)/local.mk" |
| help |
| A package override file is a short makefile that contains |
| variable definitions of the form <pkg>_OVERRIDE_SRCDIR, which |
| allows to tell Buildroot to use an existing directory as the |
| source directory for a particular package. See the Buildroot |
| documentation for more details on this feature. |
| |
| # No default line, so the list is empty unless set. Per the help, |
| # every *.patch file found in the matching per-package directory is |
| # applied on top of Buildroot's own patches. |
| # NOTE(review): these directories change what gets compiled into the |
| # image; keep them under version control and review, and do not point |
| # this at a location other users can write to. |
| config BR2_GLOBAL_PATCH_DIR |
| string "global patch directories" |
| help |
| You may specify a space separated list of one or more |
| directories containing global package patches. For a specific |
| version <packageversion> of a specific package <packagename>, |
| patches are applied as follows: |
| |
| First, the default Buildroot patch set for the package is |
| applied from the package's directory in Buildroot. |
| |
| Then for every directory - <global-patch-dir> - that exists in |
| BR2_GLOBAL_PATCH_DIR, if the directory |
| <global-patch-dir>/<packagename>/<packageversion>/ exists, |
| then all *.patch files in this directory will be applied. |
| |
| Otherwise, if the directory <global-patch-dir>/<packagename> |
| exists, then all *.patch files in the directory will be |
| applied. |
| |
| menu "Advanced" |
| |
| # Default is y, so unsafe host paths abort the build out of the box. |
| # The help's opening sentence ("By default, when this option is |
| # disabled") describes the behaviour with the option switched off, |
| # not the shipped default. |
| # NOTE(review): leave this enabled - a host /usr/include or /usr/lib |
| # reaching the cross-compiler mixes build-machine headers or |
| # libraries into target code. |
| config BR2_COMPILER_PARANOID_UNSAFE_PATH |
| bool "paranoid check of library/header paths" |
| default y |
| help |
| By default, when this option is disabled, when the Buildroot |
| cross-compiler will encounter an unsafe library or header path |
| (such as /usr/include, or /usr/lib), the compiler will display |
| a warning. |
| |
| By enabling this option, this warning is turned into an error, |
| which will completely abort the build when such unsafe paths |
| are encountered. |
| |
| Note that this mechanism is available for both the internal |
| toolchain (through the toolchain wrapper and binutils patches) |
| and external toolchain backends (through the toolchain |
| wrapper). |
| |
| config BR2_FORCE_HOST_BUILD |
| bool "Force the building of host dependencies" |
| help |
| Build all available host dependencies, even if they are |
| already installed on the system. |
| |
| This option can be used to ensure that the download cache of |
| source archives for packages remain consistent between |
| different build hosts. |
| |
| This option will increase build time. |
| |
| # Off by default (bool with no default line) and marked experimental. |
| # NOTE(review): bit-identical rebuilds let a second party rebuild an |
| # image and compare it with the released one, which helps detect |
| # tampering in the build pipeline. The help restricts the guarantee |
| # to builds that use the same output directory. |
| config BR2_REPRODUCIBLE |
| bool "Make the build reproducible (experimental)" |
| # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4 |
| depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4 |
| help |
| This option will remove all sources of non-reproducibility |
| from the build process. For a given Buildroot configuration, |
| this allows to generate exactly identical binaries from one |
| build to the other, including on different machines. |
| |
| The current implementation is restricted to builds with the |
| same output directory. Many (absolute) paths are recorded in |
| intermediary files, and it is very likely that some of these |
| paths leak into the target rootfs. If you build with the |
| same O=... path, however, the result is identical. |
| |
| This is labeled as an experimental feature, as not all |
| packages behave properly to ensure reproducibility. |
| |
| config BR2_PER_PACKAGE_DIRECTORIES |
| bool "Use per-package directories (experimental)" |
| help |
| This option will change the build process of Buildroot |
| package to use per-package target and host directories. |
| |
| This is useful for two related purposes: |
| |
| - Cleanly isolate the build of each package, so that a |
| given package only "sees" the dependencies it has |
| explicitly expressed, and not other packages that may |
| have by chance been built before. |
| |
| - Enable top-level parallel build. |
| |
| This is labeled as an experimental feature, as not all |
| packages behave properly with per-package directories. |
| |
| endmenu |
| |
| comment "Security Hardening Options" |
| |
| # Off by default (bool with no default line). Only offered for |
| # shared-library builds on a toolchain that supports PIE; |
| # BR2_RELRO_FULL selects it. |
| # NOTE(review): PIE is what allows the kernel's address-space |
| # randomisation to cover the executable itself, so it is worth |
| # enabling for targets that process untrusted input. |
| config BR2_PIC_PIE |
| bool "Build code with PIC/PIE" |
| depends on BR2_SHARED_LIBS |
| depends on BR2_TOOLCHAIN_SUPPORTS_PIE |
| help |
| Generate Position-Independent Code (PIC) and link |
| Position-Independent Executables (PIE). |
| |
| comment "PIC/PIE needs a toolchain w/ PIE" |
| depends on BR2_SHARED_LIBS |
| depends on !BR2_TOOLCHAIN_SUPPORTS_PIE |
| |
| choice |
| bool "Stack Smashing Protection" |
| default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy |
| depends on BR2_TOOLCHAIN_HAS_SSP |
| help |
| Enable stack smashing protection support using GCC's |
| -fstack-protector option family. |
| |
| See |
| http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt |
| for details. |
| |
| Note that this requires the toolchain to have SSP support. |
| This is always the case for glibc and eglibc toolchains, but is |
| optional in uClibc toolchains. |
| |
| # First entry of the "Stack Smashing Protection" choice. The choice's |
| # only default (BR2_SSP_ALL) is conditional on the legacy |
| # BR2_ENABLE_SSP symbol; without it Kconfig falls back to the first |
| # visible entry, i.e. this one. |
| # NOTE(review): new configurations therefore start without stack |
| # protection - confirm the selected level in menuconfig. |
| config BR2_SSP_NONE |
| bool "None" |
| help |
| Disable stack-smashing protection. |
| |
| config BR2_SSP_REGULAR |
| bool "-fstack-protector" |
| help |
| Emit extra code to check for buffer overflows, such as stack |
| smashing attacks. This is done by adding a guard variable to |
| functions with vulnerable objects. This includes functions |
| that call alloca, and functions with buffers larger than 8 |
| bytes. The guards are initialized when a function is entered |
| and then checked when the function exits. If a guard check |
| fails, an error message is printed and the program exits. |
| |
| config BR2_SSP_STRONG |
| bool "-fstack-protector-strong" |
| depends on BR2_TOOLCHAIN_HAS_SSP_STRONG |
| help |
| Like -fstack-protector but includes additional functions to be |
| protected - those that have local array definitions, or have |
| references to local frame addresses. |
| |
| -fstack-protector-strong officially appeared in gcc 4.9, but |
| some vendors have backported -fstack-protector-strong to older |
| versions of gcc. |
| |
| config BR2_SSP_ALL |
| bool "-fstack-protector-all" |
| help |
| Like -fstack-protector except that all functions are |
| protected. This option might have a significant performance |
| impact on the compiled binaries. |
| |
| endchoice |
| |
| # Hidden string (no prompt) that maps the selected SSP choice entry |
| # to the matching compiler flag. No default is given for |
| # BR2_SSP_NONE, so the value stays empty in that case. |
| config BR2_SSP_OPTION |
| string |
| default "-fstack-protector" if BR2_SSP_REGULAR |
| default "-fstack-protector-strong" if BR2_SSP_STRONG |
| default "-fstack-protector-all" if BR2_SSP_ALL |
| |
| comment "Stack Smashing Protection needs a toolchain w/ SSP" |
| depends on !BR2_TOOLCHAIN_HAS_SSP |
| |
| choice |
| bool "RELRO Protection" |
| depends on BR2_SHARED_LIBS |
| help |
| Enable a link-time protection known as RELRO (RELocation Read |
| Only) which helps to protect from certain types of exploitation |
| techniques altering the content of some ELF sections. |
| |
| # First entry of the "RELRO Protection" choice, which declares no |
| # default; Kconfig then preselects the first visible entry, so RELRO |
| # is off until another entry is chosen. |
| # NOTE(review): confirm the selected level in menuconfig for images |
| # that are meant to be hardened. |
| config BR2_RELRO_NONE |
| bool "None" |
| help |
| Disables Relocation link-time protections. |
| |
| config BR2_RELRO_PARTIAL |
| bool "Partial" |
| help |
| This option makes the dynamic section not writeable after |
| initialization (with almost no performance penalty). |
| |
| # Full RELRO forces BR2_PIC_PIE on through "select". A select does |
| # not evaluate the selected symbol's own dependencies, but both of |
| # BR2_PIC_PIE's are already required here: BR2_SHARED_LIBS by the |
| # enclosing choice and BR2_TOOLCHAIN_SUPPORTS_PIE by this entry. |
| config BR2_RELRO_FULL |
| bool "Full" |
| depends on BR2_TOOLCHAIN_SUPPORTS_PIE |
| select BR2_PIC_PIE |
| help |
| This option includes the partial configuration, but also marks |
| the GOT as read-only at the cost of initialization time during |
| program loading, i.e every time an executable is started. |
| |
| comment "RELRO Full needs a toolchain w/ PIE" |
| depends on !BR2_TOOLCHAIN_SUPPORTS_PIE |
| |
| endchoice |
| |
| comment "RELocation Read Only (RELRO) needs shared libraries" |
| depends on !BR2_SHARED_LIBS |
| |
| choice |
| bool "Buffer-overflow Detection (FORTIFY_SOURCE)" |
| depends on BR2_TOOLCHAIN_USES_GLIBC |
| depends on !BR2_OPTIMIZE_0 |
| help |
| Enable the _FORTIFY_SOURCE macro which introduces additional |
| checks to detect buffer-overflows in the following standard |
| library functions: memcpy, mempcpy, memmove, memset, strcpy, |
| stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, |
| vsnprintf, gets. |
| |
| NOTE: This feature requires an optimization level of s/1/2/3/g |
| |
| Support for this feature has been present since GCC 4.x. |
| |
| # First entry of the FORTIFY_SOURCE choice, which declares no |
| # default; Kconfig then preselects the first visible entry, so no |
| # fortification is applied until another entry is chosen. |
| config BR2_FORTIFY_SOURCE_NONE |
| bool "None" |
| help |
| Disables additional checks to detect buffer-overflows. |
| |
| # Hidden when the Buildroot-built toolchain uses a GCC older than 6 |
| # (see the gcc bug referenced below); always offered for other |
| # toolchains, subject to the enclosing choice's dependencies. |
| # NOTE(review): the help states that level 1 adds compile-time checks |
| # only. glibc's feature_test_macros(7) describes both levels as a mix |
| # of compile-time and run-time checks - verify before relying on |
| # this wording. |
| config BR2_FORTIFY_SOURCE_1 |
| bool "Conservative" |
| # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164 |
| depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6 |
| help |
| This option sets _FORTIFY_SOURCE to 1 and only introduces |
| checks that shouldn't change the behavior of conforming |
| programs. Adds checks at compile-time only. |
| |
| config BR2_FORTIFY_SOURCE_2 |
| bool "Aggressive" |
| # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164 |
| depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6 |
| help |
| This option sets _FORTIFY_SOURCE to 2 and some more |
| checking is added, but some conforming programs might fail. |
| Also adds checks at run-time (detected buffer overflow |
| terminates the program) |
| |
| endchoice |
| |
| comment "Fortify Source needs a glibc toolchain and optimization" |
| depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0) |
| endmenu |
| |
| source "toolchain/Config.in" |
| |
| source "system/Config.in" |
| |
| source "linux/Config.in" |
| |
| source "package/Config.in" |
| |
| source "fs/Config.in" |
| |
| source "boot/Config.in" |
| |
| source "package/Config.in.host" |
| |
| source "Config.in.legacy" |
| |
| # br2-external menus definitions |
| source "$BR2_BASE_DIR/.br2-external.in.menus" |