string
option env="HOSTARCH"
-config BR2_EXTERNAL
+config BR2_BUILD_DIR
string
- option env="BR2_EXTERNAL"
+ option env="BUILD_DIR"
# Hidden config symbols for packages to check system gcc version
config BR2_HOST_GCC_VERSION
string
option env="HOST_GCC_VERSION"
+config BR2_HOST_GCC_AT_LEAST_4_5
+ bool
+ default y if BR2_HOST_GCC_VERSION = "4 5"
+
+config BR2_HOST_GCC_AT_LEAST_4_6
+ bool
+ default y if BR2_HOST_GCC_VERSION = "4 6"
+ select BR2_HOST_GCC_AT_LEAST_4_5
+
config BR2_HOST_GCC_AT_LEAST_4_7
bool
default y if BR2_HOST_GCC_VERSION = "4 7"
+ select BR2_HOST_GCC_AT_LEAST_4_6
config BR2_HOST_GCC_AT_LEAST_4_8
bool
default y if BR2_HOST_GCC_VERSION = "5"
select BR2_HOST_GCC_AT_LEAST_4_9
+config BR2_HOST_GCC_AT_LEAST_6
+ bool
+ default y if BR2_HOST_GCC_VERSION = "6"
+ select BR2_HOST_GCC_AT_LEAST_5
+
+config BR2_HOST_GCC_AT_LEAST_7
+ bool
+ default y if BR2_HOST_GCC_VERSION = "7"
+ select BR2_HOST_GCC_AT_LEAST_6
+
+config BR2_HOST_GCC_AT_LEAST_8
+ bool
+ default y if BR2_HOST_GCC_VERSION = "8"
+ select BR2_HOST_GCC_AT_LEAST_7
+
# Hidden boolean selected by packages in need of Java in order to build
-# (example: xbmc)
+# (example: kodi)
config BR2_NEEDS_HOST_JAVA
bool
config BR2_HOSTARCH_NEEDS_IA32_COMPILER
bool
+# Hidden boolean selected by packages that need the host to have an
+# UTF8 locale.
+config BR2_NEEDS_HOST_UTF8_LOCALE
+ bool
+
source "arch/Config.in"
menu "Build options"
config BR2_SVN
string "Subversion (svn) command"
- default "svn"
+ default "svn --non-interactive"
config BR2_BZR
string "Bazaar (bzr) command"
string "zcat command"
default "gzip -d -c"
help
- Command to be used to extract a gzip'ed file to stdout.
- zcat is identical to gunzip -c except that the former may
- not be available on your system.
+ Command to be used to extract a gzip'ed file to stdout. zcat
+ is identical to gunzip -c except that the former may not be
+ available on your system.
Default is "gzip -d -c"
Other possible values include "gunzip -c" or "zcat".
Command to be used to extract a xz'ed file to stdout.
Default is "xzcat"
+config BR2_LZCAT
+ string "lzcat command"
+ default "lzip -d -c"
+ help
+ Command to be used to extract a lzip'ed file to stdout.
+ Default is "lzip -d -c"
+
config BR2_TAR_OPTIONS
string "Tar options"
default ""
help
Options to pass to tar when extracting the sources.
- E.g. " -v --exclude='*.svn*'" to exclude all .svn internal files
- and to be verbose.
+ E.g. " -v --exclude='*.svn*'" to exclude all .svn internal
+ files and to be verbose.
endmenu
default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != ""
default "$(CONFIG_DIR)/defconfig"
help
- When running 'make savedefconfig', the defconfig file will be saved
- in this location.
+ When running 'make savedefconfig', the defconfig file will be
+ saved in this location.
config BR2_DL_DIR
string "Download dir"
help
Directory to store all the source files that we need to fetch.
If the Linux shell environment has defined the BR2_DL_DIR
- environment variable, then this overrides this configuration item.
+ environment variable, then this overrides this configuration
+ item.
+ The directory is organized with a subdirectory for each
+ package. Each package has its own $(LIBFOO_DL_DIR) variable
+ that can be used to find the correct path.
The default is $(TOPDIR)/dl
string "Host dir"
default "$(BASE_DIR)/host"
help
- Directory to store all the binary files that are built for the host.
- This includes the cross compilation toolchain when building the
- internal buildroot toolchain.
+ Directory to store all the binary files that are built for the
+ host. This includes the cross compilation toolchain when
+ building the internal buildroot toolchain.
The default is $(BASE_DIR)/host
string "Primary download site"
default ""
help
- Primary site to download from. If this option is set then buildroot
- will try to download package source first from this site and try the
- default if the file is not found.
+ Primary site to download from. If this option is set then
+ buildroot will try to download package source first from this
+ site and try the default if the file is not found.
Valid URIs are:
- URIs recognized by $(WGET)
- local URIs of the form file://absolutepath
If this option is enabled, downloads will only be attempted
from the primary download site. Other locations, like the
package's official download location or the backup download
- site, will not be considered. Therefore, if the package is
- not present on the primary site, the download fails.
+ site, will not be considered. Therefore, if the package is not
+ present on the primary site, the download fails.
- This is useful for project developers who want to ensure
- that the project can be built even if the upstream tarball
+ This is useful for project developers who want to ensure that
+ the project can be built even if the upstream tarball
locations disappear.
if !BR2_PRIMARY_SITE_ONLY
string "Backup download site"
default "http://sources.buildroot.net"
help
- Backup site to download from. If this option is set then buildroot
- will fall back to download package sources from here if the
- normal location fails.
+ Backup site to download from. If this option is set then
+ buildroot will fall back to download package sources from here
+ if the normal location fails.
config BR2_KERNEL_MIRROR
string "Kernel.org mirror"
- default "https://www.kernel.org/pub"
+ default "https://cdn.kernel.org/pub"
help
- kernel.org is mirrored on a number of servers around the world.
- The following allows you to select your preferred mirror.
+ kernel.org is mirrored on a number of servers around the
+ world. The following allows you to select your preferred
+ mirror. By default, a CDN is used, which automatically
+ redirects to a mirror geographically close to you.
- Have a look on the kernel.org site for a list of mirrors, then enter
- the URL to the base directory. Examples:
+ Have a look on the kernel.org site for a list of mirrors, then
+ enter the URL to the base directory. Examples:
http://www.XX.kernel.org/pub (XX = country code)
http://mirror.aarnet.edu.au/pub/ftp.kernel.org
config BR2_GNU_MIRROR
string "GNU Software mirror"
- default "http://ftp.gnu.org/pub/gnu"
+ default "http://ftpmirror.gnu.org"
help
- GNU has multiple software mirrors scattered around the world.
- The following allows you to select your preferred mirror.
+ GNU has multiple software mirrors scattered around the
+ world. The following allows you to select your preferred
+ mirror. By default, a generic address is used, which
+ automatically selects an up-to-date and local mirror.
- Have a look on the gnu.org site for a list of mirrors, then enter
- the URL to the base directory. Examples:
+ Have a look on the gnu.org site for a list of mirrors, then
+ enter the URL to the base directory. Examples:
http://ftp.gnu.org/pub/gnu
http://mirror.aarnet.edu.au/pub/gnu
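Review bot: The new `BR2_GNU_MIRROR` default, `http://ftpmirror.gnu.org`, is a plain-HTTP redirector, so neither the redirect nor the tarball transfer is authenticated, and the help text itself says the serving mirror is selected automatically. The kernel default changed in the same hunk stays on HTTPS. With this default, the integrity of GNU sources depends entirely on whatever per-package hash verification runs after the download, which is not visible here. If the redirector is reachable over TLS, prefer `default "https://ftpmirror.gnu.org"`. Otherwise add a help sentence such as `Files fetched from this mirror are not transport-protected; integrity relies on the package hash files.`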
string "CPAN mirror (Perl packages)"
default "http://cpan.metacpan.org"
help
- CPAN (Comprehensive Perl Archive Network) is a repository
- of Perl packages. It has multiple software mirrors scattered
+ CPAN (Comprehensive Perl Archive Network) is a repository of
+ Perl packages. It has multiple software mirrors scattered
around the world. This option allows you to select a mirror.
The list of mirrors is available at:
int "Number of jobs to run simultaneously (0 for auto)"
default "0"
help
- Number of jobs to run simultaneously. If 0, determine
- automatically according to number of CPUs on the host
- system.
+ Number of jobs to run simultaneously. If 0, determine
+ automatically according to number of CPUs on the host system.
config BR2_CCACHE
bool "Enable compiler cache"
help
- This option will enable the use of ccache, a compiler
- cache. It will cache the result of previous builds to speed
- up future builds. By default, the cache is stored in
+ This option will enable the use of ccache, a compiler cache.
+ It will cache the result of previous builds to speed up future
+ builds. By default, the cache is stored in
$HOME/.buildroot-ccache.
Note that Buildroot does not try to invalidate the cache
- contents when the compiler changes in an incompatible
- way. Therefore, if you make a change to the compiler version
- and/or configuration, you are responsible for purging the
- ccache cache by removing the $HOME/.buildroot-ccache
- directory.
+ contents when the compiler changes in an incompatible way.
+ Therefore, if you make a change to the compiler version and/or
+ configuration, you are responsible for purging the ccache
+ cache by removing the $HOME/.buildroot-ccache directory.
if BR2_CCACHE
default "$(HOME)/.buildroot-ccache"
help
Where ccache should store cached files.
+ If the Linux shell environment has defined the BR2_CCACHE_DIR
+ environment variable, then this overrides this configuration
+ item.
config BR2_CCACHE_INITIAL_SETUP
string "Compiler cache initial setup"
help
- Initial ccache settings to apply, such as --max-files or --max-size.
+ Initial ccache settings to apply, such as --max-files or
+ --max-size.
- For example, if your project is known to require more space than the
- default max cache size, then you might want to increase the cache size
- to a suitable amount using the -M (--max-size) option.
+ For example, if your project is known to require more space
+ than the default max cache size, then you might want to
+ increase the cache size to a suitable amount using the -M
+ (--max-size) option.
- The string you specify here is passed verbatim to ccache. Refer to
- ccache documentation for more details.
+ The string you specify here is passed verbatim to ccache.
+ Refer to ccache documentation for more details.
- These initial settings are applied after ccache has been compiled.
+ These initial settings are applied after ccache has been
+ compiled.
config BR2_CCACHE_USE_BASEDIR
bool "Use relative paths"
Allow ccache to convert absolute paths within the output
directory into relative paths.
- During the build, many -I include directives are given with
- an absolute path. These absolute paths end up in the hashes
- that are computed by ccache. Therefore, when you build from a
- different directory, the hash will be different and the
- cached object will not be used.
+ During the build, many -I include directives are given with an
+ absolute path. These absolute paths end up in the hashes that
+ are computed by ccache. Therefore, when you build from a
+ different directory, the hash will be different and the cached
+ object will not be used.
To improve cache performance, set this option to y. This
allows ccache to rewrite absolute paths within the output
- directory into relative paths. Note that only paths within
- the output directory will be rewritten; therefore, if you
- change BR2_HOST_DIR to point outside the output directory and
+ directory into relative paths. Note that only paths within the
+ output directory will be rewritten; therefore, if you change
+ BR2_HOST_DIR to point outside the output directory and
subsequently move it to a different location, this will lead
to cache misses.
This option has as a result that the debug information in the
object files also has only relative paths. Therefore, make
sure you cd to the build directory before starting gdb. See
- the section "COMPILING IN DIFFERENT DIRECTORIES" in the
- ccache manual for more information.
-
-endif
-
-config BR2_DEPRECATED
- bool "Show options and packages that are deprecated or obsolete"
- help
- This option shows outdated/obsolete versions of packages and
- options that are otherwise hidden.
-
-if BR2_DEPRECATED
-
-config BR2_DEPRECATED_SINCE_2015_02
- bool
- default y
-
-config BR2_DEPRECATED_SINCE_2015_05
- bool
- default y
-
-config BR2_DEPRECATED_SINCE_2015_08
- bool
- default y
-
-config BR2_DEPRECATED_SINCE_2015_11
- bool
- default y
+ the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache
+ manual for more information.
endif
config BR2_DEBUG_1
bool "debug level 1"
help
- Debug level 1 produces minimal information, enough
- for making backtraces in parts of the program that
- you don't plan to debug. This includes descriptions
- of functions and external variables, but no information
- about local variables and no line numbers.
+ Debug level 1 produces minimal information, enough for making
+ backtraces in parts of the program that you don't plan to
+ debug. This includes descriptions of functions and external
+ variables, but no information about local variables and no
+ line numbers.
config BR2_DEBUG_2
bool "debug level 2"
config BR2_DEBUG_3
bool "debug level 3"
help
- Level 3 includes extra information, such as all the
- macro definitions present in the program. Some debuggers
- support macro expansion when you use -g3.
+ Level 3 includes extra information, such as all the macro
+ definitions present in the program. Some debuggers support
+ macro expansion when you use -g3.
endchoice
endif
-choice
- prompt "strip command for binaries on target"
- default BR2_STRIP_strip
-
config BR2_STRIP_strip
- bool "strip"
+ bool "strip target binaries"
+ default y
depends on !BR2_PACKAGE_HOST_ELF2FLT
help
Binaries and libraries in the target filesystem will be
- stripped using the normal 'strip' command. This allows to
- save space, mainly by removing debugging symbols. Debugging
- symbols on the target are needed for native debugging, but
- not when remote debugging is used.
-
-config BR2_STRIP_none
- bool "none"
- help
- Do not strip binaries and libraries in the target
- filesystem.
-endchoice
+ stripped using the normal 'strip' command. This allows to save
+ space, mainly by removing debugging symbols. Debugging symbols
+ on the target are needed for native debugging, but not when
+ remote debugging is used.
config BR2_STRIP_EXCLUDE_FILES
string "executables that should not be stripped"
- depends on !BR2_STRIP_none
default ""
+ depends on BR2_STRIP_strip
help
- You may specify a space-separated list of binaries and libraries
- here that should not be stripped on the target.
+ You may specify a space-separated list of binaries and
+ libraries here that should not be stripped on the target.
config BR2_STRIP_EXCLUDE_DIRS
string "directories that should be skipped when stripping"
- depends on !BR2_STRIP_none
default ""
+ depends on BR2_STRIP_strip
help
- You may specify a space-separated list of directories that should
- be skipped when stripping. Binaries and libraries in these
- directories will not be touched.
- The directories should be specified relative to the target directory,
- without leading slash.
+ You may specify a space-separated list of directories that
+ should be skipped when stripping. Binaries and libraries in
+ these directories will not be touched. The directories should
+ be specified relative to the target directory, without leading
+ slash.
choice
prompt "gcc optimization level"
config BR2_OPTIMIZE_0
bool "optimization level 0"
help
- Do not optimize. This is the default.
+ Do not optimize.
config BR2_OPTIMIZE_1
bool "optimization level 1"
help
- Optimize. Optimizing compilation takes somewhat more time,
- and a lot more memory for a large function. With -O, the
- compiler tries to reduce code size and execution time,
- without performing any optimizations that take a great deal
- of compilation time. -O turns on the following optimization
+ Optimize. Optimizing compilation takes somewhat more time, and
+ a lot more memory for a large function. With -O, the compiler
+ tries to reduce code size and execution time, without
+ performing any optimizations that take a great deal of
+ compilation time. -O turns on the following optimization
flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability
-fcprop-registers -floop-optimize -fif-conversion
-fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts
-ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename
- -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants
- -O also turns on -fomit-frame-pointer on machines where doing
- so does not interfere with debugging.
+ -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O
+ also turns on -fomit-frame-pointer on machines where doing so
+ does not interfere with debugging.
config BR2_OPTIMIZE_2
bool "optimization level 2"
help
- Optimize even more. GCC performs nearly all supported optimizations
- that do not involve a space-speed tradeoff. The compiler does not
- perform loop unrolling or function inlining when you specify -O2.
- As compared to -O, this option increases both compilation time and
- the performance of the generated code. -O2 turns on all optimization
- flags specified by -O. It also turns on the following optimization
- flags: -fthread-jumps -fcrossjumping -foptimize-sibling-calls
+ Optimize even more. GCC performs nearly all supported
+ optimizations that do not involve a space-speed tradeoff. The
+ compiler does not perform loop unrolling or function inlining
+ when you specify -O2. As compared to -O, this option increases
+ both compilation time and the performance of the generated
+ code. -O2 turns on all optimization flags specified by -O. It
+ also turns on the following optimization flags:
+ -fthread-jumps -fcrossjumping -foptimize-sibling-calls
-fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm
- -fexpensive-optimizations -fstrength-reduce -frerun-cse-after-loop
- -frerun-loop-opt -fcaller-saves -fpeephole2 -fschedule-insns
- -fschedule-insns2 -fsched-interblock -fsched-spec -fregmove
- -fstrict-aliasing -fdelete-null-pointer-checks -freorder-blocks
- -freorder-functions -falign-functions -falign-jumps -falign-loops
- -falign-labels -ftree-vrp -ftree-pre
- Please note the warning under -fgcse about invoking -O2 on programs
+ -fexpensive-optimizations -fstrength-reduce
+ -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves
+ -fpeephole2 -fschedule-insns -fschedule-insns2
+ -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing
+ -fdelete-null-pointer-checks -freorder-blocks
+ -freorder-functions -falign-functions -falign-jumps
+ -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please
+ note the warning under -fgcse about invoking -O2 on programs
that use computed gotos.
config BR2_OPTIMIZE_3
bool "optimization level 3"
help
- Optimize yet more. -O3 turns on all optimizations specified by -O2
- and also turns on the -finline-functions, -funswitch-loops and
- -fgcse-after-reload options.
+ Optimize yet more. -O3 turns on all optimizations specified by
+ -O2 and also turns on the -finline-functions, -funswitch-loops
+ and -fgcse-after-reload options.
+
+config BR2_OPTIMIZE_G
+ bool "optimize for debugging"
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8
+ help
+ Optimize for debugging. This enables optimizations that do not
+ interfere with debugging. It should be the optimization level
+ of choice for the standard edit-compile-debug cycle, offering
+ a reasonable level of optimization while maintaining fast
+ compilation and a good debugging experience.
config BR2_OPTIMIZE_S
bool "optimize for size"
help
- Optimize for size. -Os enables all -O2 optimizations that do not
- typically increase code size. It also performs further optimizations
- designed to reduce code size. -Os disables the following optimization
- flags: -falign-functions -falign-jumps -falign-loops -falign-labels
- -freorder-blocks -freorder-blocks-and-partition -fprefetch-loop-arrays
+ Optimize for size. -Os enables all -O2 optimizations that do
+ not typically increase code size. It also performs further
+ optimizations designed to reduce code size. -Os disables the
+ following optimization flags: -falign-functions -falign-jumps
+ -falign-loops -falign-labels -freorder-blocks
+ -freorder-blocks-and-partition -fprefetch-loop-arrays
-ftree-vect-loop-version
+ This is the default.
+
+config BR2_OPTIMIZE_FAST
+ bool "optimize for fast"
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6
+ help
+ Optimize for fast. Disregard strict standards
+ compliance. -Ofast enables all -O3 optimizations. It also
+ enables optimizations that are not valid for all
+ standard-compliant programs. It turns on -ffast-math and the
+ Fortran-specific -fstack-arrays, unless -fmax-stack-var-size
+ is specified, and -fno-protect-parens.
endchoice
config BR2_GOOGLE_BREAKPAD_ENABLE
bool "Enable google-breakpad support"
- select BR2_PACKAGE_GOOGLE_BREAKPAD
depends on BR2_INSTALL_LIBSTDCPP
- depends on BR2_TOOLCHAIN_USES_GLIBC
+ depends on BR2_HOST_GCC_AT_LEAST_4_8 # C++11
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # C++11
+ depends on BR2_USE_WCHAR
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on (BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_UCLIBC)
depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS
+ depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS
+ select BR2_PACKAGE_GOOGLE_BREAKPAD
help
- This option will enable the use of google breakpad, a
- library and tool suite that allows you to distribute an
- application to users with compiler-provided debugging
- information removed, record crashes in compact "minidump"
- files, send them back to your server and produce C and C++
- stack traces from these minidumps. Breakpad can also write
- minidumps on request for programs that have not crashed.
+ This option will enable the use of google breakpad, a library
+ and tool suite that allows you to distribute an application to
+ users with compiler-provided debugging information removed,
+ record crashes in compact "minidump" files, send them back to
+ your server and produce C and C++ stack traces from these
+ minidumps. Breakpad can also write minidumps on request for
+ programs that have not crashed.
if BR2_GOOGLE_BREAKPAD_ENABLE
endif
choice
- bool "build code with Stack Smashing Protection"
+ bool "libraries"
+ default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
+ default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
+ help
+ Select the type of libraries you want to use on the target.
+
+ The default is to build dynamic libraries and use those on the
+ target filesystem, except when the architecture and/or the
+ selected binary format does not support shared libraries.
+
+config BR2_STATIC_LIBS
+ bool "static only"
+ help
+ Build and use only static libraries. No shared libraries will
+ be installed on the target. This potentially increases your
+ code size and should only be used if you know what you are
+ doing. Note that some packages may not be available when this
+ option is enabled, due to their need for dynamic library
+ support.
+
+config BR2_SHARED_LIBS
+ bool "shared only"
+ depends on BR2_BINFMT_SUPPORTS_SHARED
+ help
+ Build and use only shared libraries. This is the recommended
+ solution as it saves space and build time.
+
+config BR2_SHARED_STATIC_LIBS
+ bool "both static and shared"
+ depends on BR2_BINFMT_SUPPORTS_SHARED
+ help
+ Build both shared and static libraries, but link executables
+ dynamically. While building both shared and static libraries
+ take more time and more disk space, having static libraries
+ may be useful to link some of the applications statically.
+
+endchoice
+
+config BR2_PACKAGE_OVERRIDE_FILE
+ string "location of a package override file"
+ default "$(CONFIG_DIR)/local.mk"
+ help
+ A package override file is a short makefile that contains
+ variable definitions of the form <pkg>_OVERRIDE_SRCDIR, which
+ allows to tell Buildroot to use an existing directory as the
+ source directory for a particular package. See the Buildroot
+ documentation for more details on this feature.
+
+config BR2_GLOBAL_PATCH_DIR
+ string "global patch directories"
+ help
+ You may specify a space separated list of one or more
+ directories containing global package patches. For a specific
+ version <packageversion> of a specific package <packagename>,
+ patches are applied as follows:
+
+ First, the default Buildroot patch set for the package is
+ applied from the package's directory in Buildroot.
+
+ Then for every directory - <global-patch-dir> - that exists in
+ BR2_GLOBAL_PATCH_DIR, if the directory
+ <global-patch-dir>/<packagename>/<packageversion>/ exists,
+ then all *.patch files in this directory will be applied.
+
+ Otherwise, if the directory <global-patch-dir>/<packagename>
+ exists, then all *.patch files in the directory will be
+ applied.
+
+menu "Advanced"
+
+config BR2_COMPILER_PARANOID_UNSAFE_PATH
+ bool "paranoid check of library/header paths"
+ default y
+ help
+ By default, when this option is disabled, when the Buildroot
+ cross-compiler will encounter an unsafe library or header path
+ (such as /usr/include, or /usr/lib), the compiler will display
+ a warning.
+
+ By enabling this option, this warning is turned into an error,
+ which will completely abort the build when such unsafe paths
+ are encountered.
+
+ Note that this mechanism is available for both the internal
+ toolchain (through the toolchain wrapper and binutils patches)
+ and external toolchain backends (through the toolchain
+ wrapper).
+
+config BR2_REPRODUCIBLE
+ bool "Make the build reproducible (experimental)"
+ # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4
+ help
+ This option will remove all sources of non-reproducibility
+ from the build process. For a given Buildroot configuration,
+ this allows to generate exactly identical binaries from one
+ build to the other, including on different machines.
+
+ The current implementation is restricted to builds with the
+ same output directory. Many (absolute) paths are recorded in
+ intermediary files, and it is very likely that some of these
+ paths leak into the target rootfs. If you build with the
+ same O=... path, however, the result is identical.
+
+ This is labeled as an experimental feature, as not all
+ packages behave properly to ensure reproducibility.
+
+endmenu
+
+comment "Security Hardening Options"
+
+choice
+ bool "Stack Smashing Protection"
default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
depends on BR2_TOOLCHAIN_HAS_SSP
help
Enable stack smashing protection support using GCC's
-fstack-protector option family.
- See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
+ See
+ http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
for details.
- Note that this requires the toolchain to have SSP
- support. This is always the case for glibc and eglibc
- toolchain, but is optional in uClibc toolchains.
+ Note that this requires the toolchain to have SSP support.
+ This is always the case for glibc and eglibc toolchain, but is
+ optional in uClibc toolchains.
config BR2_SSP_NONE
bool "None"
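Review bot: `BR2_COMPILER_PARANOID_UNSAFE_PATH` gains `default y`, but its help still opens with `By default, when this option is disabled, ...`, which reads as if warning-only were the default behaviour. Reword the first paragraph, e.g. `When this option is disabled, the Buildroot cross-compiler only displays a warning when it encounters an unsafe library or header path (such as /usr/include, or /usr/lib).`, and say that the option is enabled by default. In the same hunk, the `BR2_REPRODUCIBLE` help starts with `will remove all sources of non-reproducibility` and then restricts that to identical output directories and well-behaved packages. `aims to remove` would match the caveats that follow.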
depends on !BR2_TOOLCHAIN_HAS_SSP
choice
- bool "libraries"
- default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
- default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
+ bool "RELRO Protection"
+ depends on BR2_SHARED_LIBS
help
- Select the type of libraries you want to use on the target.
+ Enable a link-time protection know as RELRO (RELocation Read
+ Only) which helps to protect from certain type of exploitation
+ techniques altering the content of some ELF sections.
- The default is to build dynamic libraries and use those on
- the target filesystem, except when the architecture and/or
- the selected binary format does not support shared
- libraries.
-
-config BR2_STATIC_LIBS
- bool "static only"
+config BR2_RELRO_NONE
+ bool "None"
help
- Build and use only static libraries. No shared libraries
- will be instaled on the target. This potentially increases
- your code size and should only be used if you know what you
- are doing. Note that some packages may not be available when
- this option is enabled, due to their need for dynamic
- library support.
+ Disables Relocation link-time protections.
-config BR2_SHARED_LIBS
- bool "shared only"
- depends on BR2_BINFMT_SUPPORTS_SHARED
+config BR2_RELRO_PARTIAL
+ bool "Partial"
help
- Build and use only shared libraries. This is the recommended
- solution as it saves space and build time.
+ This option makes the dynamic section not writeable after
+ initialization (with almost no performance penalty).
-config BR2_SHARED_STATIC_LIBS
- bool "both static and shared"
- depends on BR2_BINFMT_SUPPORTS_SHARED
+config BR2_RELRO_FULL
+ bool "Full"
help
- Build both shared and static libraries, but link executables
- dynamically. While building both shared and static libraries
- take more time and more disk space, having static libraries
- may be useful to link some of the applications statically.
+ This option includes the partial configuration, but also marks
+ the GOT as read-only at the cost of initialization time during
+ program loading, i.e every time an executable is started.
endchoice
+comment "RELocation Read Only (RELRO) needs shared libraries"
+ depends on !BR2_SHARED_LIBS
-config BR2_PACKAGE_OVERRIDE_FILE
- string "location of a package override file"
- default "$(CONFIG_DIR)/local.mk"
- help
- A package override file is a short makefile that contains
- variable definitions of the form <pkg>_OVERRIDE_SRCDIR,
- which allows to tell Buildroot to use an existing directory
- as the source directory for a particular package. See the
- Buildroot documentation for more details on this feature.
-
-config BR2_GLOBAL_PATCH_DIR
- string "global patch directories"
+choice
+ bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
+ depends on BR2_TOOLCHAIN_USES_GLIBC
+ depends on !BR2_OPTIMIZE_0
help
- You may specify a space separated list of one or more directories
- containing global package patches. For a specific version
- <packageversion> of a specific package <packagename>, patches are
- applied as follows:
-
- First, the default Buildroot patch set for the package is applied
- from the package's directory in Buildroot.
-
- Then for every directory - <global-patch-dir> - that exists in
- BR2_GLOBAL_PATCH_DIR, if the directory
- <global-patch-dir>/<packagename>/<packageversion>/ exists, then all
- *.patch files in this directory will be applied.
+ Enable the _FORTIFY_SOURCE macro which introduces additional
+ checks to detect buffer-overflows in the following standard
+ library functions: memcpy, mempcpy, memmove, memset, strcpy,
+ stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf,
+ vsnprintf, gets.
- Otherwise, if the directory <global-patch-dir>/<packagename> exists,
- then all *.patch files in the directory will be applied.
+ NOTE: This feature requires an optimization level of s/1/2/3/g
-menu "Advanced"
+ Support for this feature has been present since GCC 4.x.
-config BR2_COMPILER_PARANOID_UNSAFE_PATH
- bool "paranoid check of library/header paths"
+config BR2_FORTIFY_SOURCE_NONE
+ bool "None"
help
- By default, when this option is disabled, when the Buildroot
- cross-compiler will encounter an unsafe library or header
- path (such as /usr/include, or /usr/lib), the compiler will
- display a warning.
+ Disables additional checks to detect buffer-overflows.
- By enabling this option, this warning is turned into an
- error, which will completely abort the build when such
- unsafe paths are encountered.
+config BR2_FORTIFY_SOURCE_1
+ bool "Conservative"
+ help
+ This option sets _FORTIFY_SOURCE to 1 and only introduces
+ checks that shouldn't change the behavior of conforming
+ programs. Adds checks at compile-time only.
- Note that this mechanism is available for both the internal
- toolchain (through gcc and binutils patches) and external
- toolchain backends (through the external toolchain wrapper).
+config BR2_FORTIFY_SOURCE_2
+ bool "Aggressive"
+ help
+ This option sets _FORTIFY_SOURCES to 2 and some more
+ checking is added, but some conforming programs might fail.
+ Also adds checks at run-time (detected buffer overflow
+ terminates the program)
-endmenu
+endchoice
+comment "Fortify Source needs a glibc toolchain and optimization"
+ depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
endmenu
source "toolchain/Config.in"
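Review bot: The help text of the new FORTIFY_SOURCE entries misdescribes the levels. `BR2_FORTIFY_SOURCE_2` names the macro `_FORTIFY_SOURCES` (it is `_FORTIFY_SOURCE`), and `BR2_FORTIFY_SOURCE_1` says `Adds checks at compile-time only`, while glibc documents run-time checks for level 1 as well, so a reader may wrongly conclude that "Conservative" gives no run-time protection. Suggested wording for level 1: `Checks are done at compile time where the size is known and at run time otherwise.` The NOTE line lists `s/1/2/3/g`, but the choice is gated only on `!BR2_OPTIMIZE_0`, so it should also mention the `fast` level added elsewhere in this change. In the RELRO choice of the same hunk, `know as` should read `known as`. Its `depends on BR2_SHARED_LIBS` also hides RELRO for `BR2_SHARED_STATIC_LIBS`, whose help says executables are still linked dynamically, so `depends on !BR2_STATIC_LIBS` may be what is intended.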
source "Config.in.legacy"
-menu "User-provided options"
- depends on BR2_EXTERNAL != "support/dummy-external"
-
-source "$BR2_EXTERNAL/Config.in"
-
-endmenu
+source "$BR2_BUILD_DIR/.br2-external.in"