X-Git-Url: http://rtime.felk.cvut.cz/gitweb/coffee/buildroot.git/blobdiff_plain/07941f42777f83adeb5527cfb02b343458c39ede..HEAD:/Config.in diff --git a/Config.in b/Config.in index 63feef8598..6b5b2b043c 100644 --- a/Config.in +++ b/Config.in @@ -14,18 +14,28 @@ config BR2_HOSTARCH string option env="HOSTARCH" -config BR2_EXTERNAL +config BR2_BUILD_DIR string - option env="BR2_EXTERNAL" + option env="BUILD_DIR" # Hidden config symbols for packages to check system gcc version config BR2_HOST_GCC_VERSION string option env="HOST_GCC_VERSION" +config BR2_HOST_GCC_AT_LEAST_4_5 + bool + default y if BR2_HOST_GCC_VERSION = "4 5" + +config BR2_HOST_GCC_AT_LEAST_4_6 + bool + default y if BR2_HOST_GCC_VERSION = "4 6" + select BR2_HOST_GCC_AT_LEAST_4_5 + config BR2_HOST_GCC_AT_LEAST_4_7 bool default y if BR2_HOST_GCC_VERSION = "4 7" + select BR2_HOST_GCC_AT_LEAST_4_6 config BR2_HOST_GCC_AT_LEAST_4_8 bool @@ -42,8 +52,23 @@ config BR2_HOST_GCC_AT_LEAST_5 default y if BR2_HOST_GCC_VERSION = "5" select BR2_HOST_GCC_AT_LEAST_4_9 +config BR2_HOST_GCC_AT_LEAST_6 + bool + default y if BR2_HOST_GCC_VERSION = "6" + select BR2_HOST_GCC_AT_LEAST_5 + +config BR2_HOST_GCC_AT_LEAST_7 + bool + default y if BR2_HOST_GCC_VERSION = "7" + select BR2_HOST_GCC_AT_LEAST_6 + +config BR2_HOST_GCC_AT_LEAST_8 + bool + default y if BR2_HOST_GCC_VERSION = "8" + select BR2_HOST_GCC_AT_LEAST_7 + # Hidden boolean selected by packages in need of Java in order to build -# (example: xbmc) +# (example: kodi) config BR2_NEEDS_HOST_JAVA bool @@ -69,6 +94,11 @@ config BR2_HOSTARCH_NEEDS_IA32_LIBS config BR2_HOSTARCH_NEEDS_IA32_COMPILER bool +# Hidden boolean selected by packages that need the host to have an +# UTF8 locale. +config BR2_NEEDS_HOST_UTF8_LOCALE + bool + source "arch/Config.in" menu "Build options" @@ -81,7 +111,7 @@ config BR2_WGET config BR2_SVN string "Subversion (svn) command" - default "svn" + default "svn --non-interactive" config BR2_BZR string "Bazaar (bzr) command" 
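Review bot: The `BR2_HOST_GCC_AT_LEAST_*` chain extended in the second hunk matches `BR2_HOST_GCC_VERSION` by exact string equality, so a host gcc newer than "8" would set none of these symbols, not even `BR2_HOST_GCC_AT_LEAST_4_8`. Later in this diff google-breakpad gains `depends on BR2_HOST_GCC_AT_LEAST_4_8`, so on such a host that option would silently disappear from the menu instead of producing an error. How HOST_GCC_VERSION is derived is not visible here, so this may already be handled outside Config.in. If it is not, a comment above the chain would make the maintenance rule explicit, for example `# Add one BR2_HOST_GCC_AT_LEAST_<N> entry per new host gcc major release; an unlisted version selects nothing`.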
@@ -115,9 +145,9 @@ config BR2_ZCAT string "zcat command" default "gzip -d -c" help - Command to be used to extract a gzip'ed file to stdout. - zcat is identical to gunzip -c except that the former may - not be available on your system. + Command to be used to extract a gzip'ed file to stdout. zcat + is identical to gunzip -c except that the former may not be + available on your system. Default is "gzip -d -c" Other possible values include "gunzip -c" or "zcat". @@ -138,13 +168,20 @@ config BR2_XZCAT Command to be used to extract a xz'ed file to stdout. Default is "xzcat" +config BR2_LZCAT + string "lzcat command" + default "lzip -d -c" + help + Command to be used to extract a lzip'ed file to stdout. + Default is "lzip -d -c" + config BR2_TAR_OPTIONS string "Tar options" default "" help Options to pass to tar when extracting the sources. - E.g. " -v --exclude='*.svn*'" to exclude all .svn internal files - and to be verbose. + E.g. " -v --exclude='*.svn*'" to exclude all .svn internal + files and to be verbose. endmenu @@ -157,8 +194,8 @@ config BR2_DEFCONFIG default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != "" default "$(CONFIG_DIR)/defconfig" help - When running 'make savedefconfig', the defconfig file will be saved - in this location. + When running 'make savedefconfig', the defconfig file will be + saved in this location. config BR2_DL_DIR string "Download dir" @@ -166,7 +203,11 @@ config BR2_DL_DIR help Directory to store all the source files that we need to fetch. If the Linux shell environment has defined the BR2_DL_DIR - environment variable, then this overrides this configuration item. + environment variable, then this overrides this configuration + item. + The directory is organized with a subdirectory for each + package. Each package has its own $(LIBFOO_DL_DIR) variable + that can be used to find the correct path. The default is $(TOPDIR)/dl 
@@ -174,9 +215,9 @@ config BR2_HOST_DIR string "Host dir" default "$(BASE_DIR)/host" help - Directory to store all the binary files that are built for the host. - This includes the cross compilation toolchain when building the - internal buildroot toolchain. + Directory to store all the binary files that are built for the + host. This includes the cross compilation toolchain when + building the internal buildroot toolchain. The default is $(BASE_DIR)/host @@ -186,9 +227,9 @@ config BR2_PRIMARY_SITE string "Primary download site" default "" help - Primary site to download from. If this option is set then buildroot - will try to download package source first from this site and try the - default if the file is not found. + Primary site to download from. If this option is set then + buildroot will try to download package source first from this + site and try the default if the file is not found. Valid URIs are: - URIs recognized by $(WGET) - local URIs of the form file://absolutepath @@ -201,11 +242,11 @@ config BR2_PRIMARY_SITE_ONLY If this option is enabled, downloads will only be attempted from the primary download site. Other locations, like the package's official download location or the backup download - site, will not be considered. Therefore, if the package is - not present on the primary site, the download fails. + site, will not be considered. Therefore, if the package is not + present on the primary site, the download fails. - This is useful for project developers who want to ensure - that the project can be built even if the upstream tarball + This is useful for project developers who want to ensure that + the project can be built even if the upstream tarball locations disappear. if !BR2_PRIMARY_SITE_ONLY 
@@ -214,32 +255,36 @@ config BR2_BACKUP_SITE string "Backup download site" default "http://sources.buildroot.net" help - Backup site to download from. If this option is set then buildroot - will fall back to download package sources from here if the - normal location fails. + Backup site to download from. If this option is set then + buildroot will fall back to download package sources from here + if the normal location fails. config BR2_KERNEL_MIRROR string "Kernel.org mirror" - default "https://www.kernel.org/pub" + default "https://cdn.kernel.org/pub" help - kernel.org is mirrored on a number of servers around the world. - The following allows you to select your preferred mirror. + kernel.org is mirrored on a number of servers around the + world. The following allows you to select your preferred + mirror. By default, a CDN is used, which automatically + redirects to a mirror geographically close to you. - Have a look on the kernel.org site for a list of mirrors, then enter - the URL to the base directory. Examples: + Have a look on the kernel.org site for a list of mirrors, then + enter the URL to the base directory. Examples: http://www.XX.kernel.org/pub (XX = country code) http://mirror.aarnet.edu.au/pub/ftp.kernel.org config BR2_GNU_MIRROR string "GNU Software mirror" - default "http://ftp.gnu.org/pub/gnu" + default "http://ftpmirror.gnu.org" help - GNU has multiple software mirrors scattered around the world. - The following allows you to select your preferred mirror. + GNU has multiple software mirrors scattered around the + world. The following allows you to select your preferred + mirror. By default, a generic address is used, which + automatically selects an up-to-date and local mirror. - Have a look on the gnu.org site for a list of mirrors, then enter - the URL to the base directory. Examples: + Have a look on the gnu.org site for a list of mirrors, then + enter the URL to the base directory. 
Examples: http://ftp.gnu.org/pub/gnu http://mirror.aarnet.edu.au/pub/gnu @@ -256,8 +301,8 @@ config BR2_CPAN_MIRROR string "CPAN mirror (Perl packages)" default "http://cpan.metacpan.org" help - CPAN (Comprehensive Perl Archive Network) is a repository - of Perl packages. It has multiple software mirrors scattered + CPAN (Comprehensive Perl Archive Network) is a repository of + Perl packages. It has multiple software mirrors scattered around the world. This option allows you to select a mirror. The list of mirrors is available at: @@ -271,24 +316,22 @@ config BR2_JLEVEL int "Number of jobs to run simultaneously (0 for auto)" default "0" help - Number of jobs to run simultaneously. If 0, determine - automatically according to number of CPUs on the host - system. + Number of jobs to run simultaneously. If 0, determine + automatically according to number of CPUs on the host system. config BR2_CCACHE bool "Enable compiler cache" help - This option will enable the use of ccache, a compiler - cache. It will cache the result of previous builds to speed - up future builds. By default, the cache is stored in + This option will enable the use of ccache, a compiler cache. + It will cache the result of previous builds to speed up future + builds. By default, the cache is stored in $HOME/.buildroot-ccache. Note that Buildroot does not try to invalidate the cache - contents when the compiler changes in an incompatible - way. Therefore, if you make a change to the compiler version - and/or configuration, you are responsible for purging the - ccache cache by removing the $HOME/.buildroot-ccache - directory. + contents when the compiler changes in an incompatible way. + Therefore, if you make a change to the compiler version and/or + configuration, you are responsible for purging the ccache + cache by removing the $HOME/.buildroot-ccache directory. if BR2_CCACHE 
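Review bot: The new `BR2_GNU_MIRROR` default `http://ftpmirror.gnu.org` is a plain-HTTP redirector, while the same hunk moves `BR2_KERNEL_MIRROR` to an `https://` address. With an unauthenticated redirect to an arbitrary mirror, the integrity of GNU tarballs rests entirely on the hash verification done by the download infrastructure, which is not visible in this file. If the redirector is reachable over TLS (worth confirming before changing it), prefer `default "https://ftpmirror.gnu.org"`. The help text could also say that a mirror is only as trustworthy as the package hash check that follows the download. The unchanged `BR2_BACKUP_SITE` default `http://sources.buildroot.net` in the context lines has the same property.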
@@ -297,20 +340,26 @@ config BR2_CCACHE_DIR default "$(HOME)/.buildroot-ccache" help Where ccache should store cached files. + If the Linux shell environment has defined the BR2_CCACHE_DIR + environment variable, then this overrides this configuration + item. config BR2_CCACHE_INITIAL_SETUP string "Compiler cache initial setup" help - Initial ccache settings to apply, such as --max-files or --max-size. + Initial ccache settings to apply, such as --max-files or + --max-size. - For example, if your project is known to require more space than the - default max cache size, then you might want to increase the cache size - to a suitable amount using the -M (--max-size) option. + For example, if your project is known to require more space + than the default max cache size, then you might want to + increase the cache size to a suitable amount using the -M + (--max-size) option. - The string you specify here is passed verbatim to ccache. Refer to - ccache documentation for more details. + The string you specify here is passed verbatim to ccache. + Refer to ccache documentation for more details. - These initial settings are applied after ccache has been compiled. + These initial settings are applied after ccache has been + compiled. config BR2_CCACHE_USE_BASEDIR bool "Use relative paths" 
@@ -319,55 +368,25 @@ config BR2_CCACHE_USE_BASEDIR Allow ccache to convert absolute paths within the output directory into relative paths. - During the build, many -I include directives are given with - an absolute path. These absolute paths end up in the hashes - that are computed by ccache. Therefore, when you build from a - different directory, the hash will be different and the - cached object will not be used. + During the build, many -I include directives are given with an + absolute path. These absolute paths end up in the hashes that + are computed by ccache. Therefore, when you build from a + different directory, the hash will be different and the cached + object will not be used. To improve cache performance, set this option to y. This allows ccache to rewrite absolute paths within the output - directory into relative paths. Note that only paths within - the output directory will be rewritten; therefore, if you - change BR2_HOST_DIR to point outside the output directory and + directory into relative paths. Note that only paths within the + output directory will be rewritten; therefore, if you change + BR2_HOST_DIR to point outside the output directory and subsequently move it to a different location, this will lead to cache misses. This option has as a result that the debug information in the object files also has only relative paths. Therefore, make sure you cd to the build directory before starting gdb. See - the section "COMPILING IN DIFFERENT DIRECTORIES" in the - ccache manual for more information. - -endif - -config BR2_DEPRECATED - bool "Show options and packages that are deprecated or obsolete" - help - This option shows outdated/obsolete versions of packages and - options that are otherwise hidden. 
- -if BR2_DEPRECATED - -config BR2_DEPRECATED_SINCE_2015_02 - bool - default y - -config BR2_DEPRECATED_SINCE_2015_05 - bool - default y - -config BR2_DEPRECATED_SINCE_2015_08 - bool - default y - -config BR2_DEPRECATED_SINCE_2015_11 - bool - default y - -config BR2_DEPRECATED_SINCE_2016_02 - bool - default y + the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache + manual for more information. endif @@ -391,11 +410,11 @@ choice config BR2_DEBUG_1 bool "debug level 1" help - Debug level 1 produces minimal information, enough - for making backtraces in parts of the program that - you don't plan to debug. This includes descriptions - of functions and external variables, but no information - about local variables and no line numbers. + Debug level 1 produces minimal information, enough for making + backtraces in parts of the program that you don't plan to + debug. This includes descriptions of functions and external + variables, but no information about local variables and no + line numbers. config BR2_DEBUG_2 bool "debug level 2" 
@@ -405,51 +424,41 @@ config BR2_DEBUG_2 config BR2_DEBUG_3 bool "debug level 3" help - Level 3 includes extra information, such as all the - macro definitions present in the program. Some debuggers - support macro expansion when you use -g3. + Level 3 includes extra information, such as all the macro + definitions present in the program. Some debuggers support + macro expansion when you use -g3. endchoice endif -choice - prompt "strip command for binaries on target" - default BR2_STRIP_strip - config BR2_STRIP_strip - bool "strip" + bool "strip target binaries" + default y depends on !BR2_PACKAGE_HOST_ELF2FLT help Binaries and libraries in the target filesystem will be - stripped using the normal 'strip' command. This allows to - save space, mainly by removing debugging symbols. Debugging - symbols on the target are needed for native debugging, but - not when remote debugging is used. - -config BR2_STRIP_none - bool "none" - help - Do not strip binaries and libraries in the target - filesystem. -endchoice + stripped using the normal 'strip' command. This allows to save + space, mainly by removing debugging symbols. Debugging symbols + on the target are needed for native debugging, but not when + remote debugging is used. config BR2_STRIP_EXCLUDE_FILES string "executables that should not be stripped" - depends on !BR2_STRIP_none default "" + depends on BR2_STRIP_strip help - You may specify a space-separated list of binaries and libraries - here that should not be stripped on the target. + You may specify a space-separated list of binaries and + libraries here that should not be stripped on the target. config BR2_STRIP_EXCLUDE_DIRS string "directories that should be skipped when stripping" - depends on !BR2_STRIP_none default "" + depends on BR2_STRIP_strip help - You may specify a space-separated list of directories that should - be skipped when stripping. Binaries and libraries in these - directories will not be touched. 
- The directories should be specified relative to the target directory, - without leading slash. + You may specify a space-separated list of directories that + should be skipped when stripping. Binaries and libraries in + these directories will not be touched. The directories should + be specified relative to the target directory, without leading + slash. choice prompt "gcc optimization level" 
@@ -460,77 +469,107 @@ choice config BR2_OPTIMIZE_0 bool "optimization level 0" help - Do not optimize. This is the default. + Do not optimize. config BR2_OPTIMIZE_1 bool "optimization level 1" help - Optimize. Optimizing compilation takes somewhat more time, - and a lot more memory for a large function. With -O, the - compiler tries to reduce code size and execution time, - without performing any optimizations that take a great deal - of compilation time. -O turns on the following optimization + Optimize. Optimizing compilation takes somewhat more time, and + a lot more memory for a large function. With -O, the compiler + tries to reduce code size and execution time, without + performing any optimizations that take a great deal of + compilation time. -O turns on the following optimization flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability -fcprop-registers -floop-optimize -fif-conversion -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename - -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants - -O also turns on -fomit-frame-pointer on machines where doing - so does not interfere with debugging. + -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O + also turns on -fomit-frame-pointer on machines where doing so + does not interfere with debugging. config BR2_OPTIMIZE_2 bool "optimization level 2" help - Optimize even more. GCC performs nearly all supported optimizations - that do not involve a space-speed tradeoff. The compiler does not - perform loop unrolling or function inlining when you specify -O2. - As compared to -O, this option increases both compilation time and - the performance of the generated code. -O2 turns on all optimization - flags specified by -O. It also turns on the following optimization - flags: -fthread-jumps -fcrossjumping -foptimize-sibling-calls + Optimize even more. 
GCC performs nearly all supported + optimizations that do not involve a space-speed tradeoff. The + compiler does not perform loop unrolling or function inlining + when you specify -O2. As compared to -O, this option increases + both compilation time and the performance of the generated + code. -O2 turns on all optimization flags specified by -O. It + also turns on the following optimization flags: + -fthread-jumps -fcrossjumping -foptimize-sibling-calls -fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm - -fexpensive-optimizations -fstrength-reduce -frerun-cse-after-loop - -frerun-loop-opt -fcaller-saves -fpeephole2 -fschedule-insns - -fschedule-insns2 -fsched-interblock -fsched-spec -fregmove - -fstrict-aliasing -fdelete-null-pointer-checks -freorder-blocks - -freorder-functions -falign-functions -falign-jumps -falign-loops - -falign-labels -ftree-vrp -ftree-pre - Please note the warning under -fgcse about invoking -O2 on programs + -fexpensive-optimizations -fstrength-reduce + -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves + -fpeephole2 -fschedule-insns -fschedule-insns2 + -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing + -fdelete-null-pointer-checks -freorder-blocks + -freorder-functions -falign-functions -falign-jumps + -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please + note the warning under -fgcse about invoking -O2 on programs that use computed gotos. config BR2_OPTIMIZE_3 bool "optimization level 3" help - Optimize yet more. -O3 turns on all optimizations specified by -O2 - and also turns on the -finline-functions, -funswitch-loops and - -fgcse-after-reload options. + Optimize yet more. -O3 turns on all optimizations specified by + -O2 and also turns on the -finline-functions, -funswitch-loops + and -fgcse-after-reload options. + +config BR2_OPTIMIZE_G + bool "optimize for debugging" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 + help + Optimize for debugging. 
This enables optimizations that do not + interfere with debugging. It should be the optimization level + of choice for the standard edit-compile-debug cycle, offering + a reasonable level of optimization while maintaining fast + compilation and a good debugging experience. config BR2_OPTIMIZE_S bool "optimize for size" help - Optimize for size. -Os enables all -O2 optimizations that do not - typically increase code size. It also performs further optimizations - designed to reduce code size. -Os disables the following optimization - flags: -falign-functions -falign-jumps -falign-loops -falign-labels - -freorder-blocks -freorder-blocks-and-partition -fprefetch-loop-arrays + Optimize for size. -Os enables all -O2 optimizations that do + not typically increase code size. It also performs further + optimizations designed to reduce code size. -Os disables the + following optimization flags: -falign-functions -falign-jumps + -falign-loops -falign-labels -freorder-blocks + -freorder-blocks-and-partition -fprefetch-loop-arrays -ftree-vect-loop-version + This is the default. + +config BR2_OPTIMIZE_FAST + bool "optimize for fast" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6 + help + Optimize for fast. Disregard strict standards + compliance. -Ofast enables all -O3 optimizations. It also + enables optimizations that are not valid for all + standard-compliant programs. It turns on -ffast-math and the + Fortran-specific -fstack-arrays, unless -fmax-stack-var-size + is specified, and -fno-protect-parens. 
endchoice config BR2_GOOGLE_BREAKPAD_ENABLE bool "Enable google-breakpad support" - select BR2_PACKAGE_GOOGLE_BREAKPAD depends on BR2_INSTALL_LIBSTDCPP - depends on BR2_TOOLCHAIN_USES_GLIBC + depends on BR2_HOST_GCC_AT_LEAST_4_8 # C++11 + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # C++11 + depends on BR2_USE_WCHAR + depends on BR2_TOOLCHAIN_HAS_THREADS + depends on (BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_UCLIBC) depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS + depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS + select BR2_PACKAGE_GOOGLE_BREAKPAD help - This option will enable the use of google breakpad, a - library and tool suite that allows you to distribute an - application to users with compiler-provided debugging - information removed, record crashes in compact "minidump" - files, send them back to your server and produce C and C++ - stack traces from these minidumps. Breakpad can also write - minidumps on request for programs that have not crashed. + This option will enable the use of google breakpad, a library + and tool suite that allows you to distribute an application to + users with compiler-provided debugging information removed, + record crashes in compact "minidump" files, send them back to + your server and produce C and C++ stack traces from these + minidumps. Breakpad can also write minidumps on request for + programs that have not crashed. if BR2_GOOGLE_BREAKPAD_ENABLE 
@@ -551,19 +590,132 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES endif choice - bool "build code with Stack Smashing Protection" + bool "libraries" + default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED + default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED + help + Select the type of libraries you want to use on the target. + + The default is to build dynamic libraries and use those on the + target filesystem, except when the architecture and/or the + selected binary format does not support shared libraries. + +config BR2_STATIC_LIBS + bool "static only" + help + Build and use only static libraries. No shared libraries will + be installed on the target. This potentially increases your + code size and should only be used if you know what you are + doing. Note that some packages may not be available when this + option is enabled, due to their need for dynamic library + support. + +config BR2_SHARED_LIBS + bool "shared only" + depends on BR2_BINFMT_SUPPORTS_SHARED + help + Build and use only shared libraries. This is the recommended + solution as it saves space and build time. + +config BR2_SHARED_STATIC_LIBS + bool "both static and shared" + depends on BR2_BINFMT_SUPPORTS_SHARED + help + Build both shared and static libraries, but link executables + dynamically. While building both shared and static libraries + take more time and more disk space, having static libraries + may be useful to link some of the applications statically. + +endchoice + +config BR2_PACKAGE_OVERRIDE_FILE + string "location of a package override file" + default "$(CONFIG_DIR)/local.mk" + help + A package override file is a short makefile that contains + variable definitions of the form _OVERRIDE_SRCDIR, which + allows to tell Buildroot to use an existing directory as the + source directory for a particular package. See the Buildroot + documentation for more details on this feature. 
+ +config BR2_GLOBAL_PATCH_DIR + string "global patch directories" + help + You may specify a space separated list of one or more + directories containing global package patches. For a specific + version of a specific package , + patches are applied as follows: + + First, the default Buildroot patch set for the package is + applied from the package's directory in Buildroot. + + Then for every directory - - that exists in + BR2_GLOBAL_PATCH_DIR, if the directory + /// exists, + then all *.patch files in this directory will be applied. + + Otherwise, if the directory / + exists, then all *.patch files in the directory will be + applied. + +menu "Advanced" + +config BR2_COMPILER_PARANOID_UNSAFE_PATH + bool "paranoid check of library/header paths" + default y + help + By default, when this option is disabled, when the Buildroot + cross-compiler will encounter an unsafe library or header path + (such as /usr/include, or /usr/lib), the compiler will display + a warning. + + By enabling this option, this warning is turned into an error, + which will completely abort the build when such unsafe paths + are encountered. + + Note that this mechanism is available for both the internal + toolchain (through the toolchain wrapper and binutils patches) + and external toolchain backends (through the toolchain + wrapper). + +config BR2_REPRODUCIBLE + bool "Make the build reproducible (experimental)" + # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4 + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4 + help + This option will remove all sources of non-reproducibility + from the build process. For a given Buildroot configuration, + this allows to generate exactly identical binaries from one + build to the other, including on different machines. + + The current implementation is restricted to builds with the + same output directory. Many (absolute) paths are recorded in + intermediary files, and it is very likely that some of these + paths leak into the target rootfs. 
If you build with the + same O=... path, however, the result is identical. + + This is labeled as an experimental feature, as not all + packages behave properly to ensure reproducibility. + +endmenu + +comment "Security Hardening Options" + +choice + bool "Stack Smashing Protection" default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy depends on BR2_TOOLCHAIN_HAS_SSP help Enable stack smashing protection support using GCC's -fstack-protector option family. - See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt + See + http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt for details. - Note that this requires the toolchain to have SSP - support. This is always the case for glibc and eglibc - toolchain, but is optional in uClibc toolchains. + Note that this requires the toolchain to have SSP support. + This is always the case for glibc and eglibc toolchain, but is + optional in uClibc toolchains. config BR2_SSP_NONE bool "None" 
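Review bot: `BR2_COMPILER_PARANOID_UNSAFE_PATH` gains `default y` in this hunk, but its help still opens with "By default, when this option is disabled", which now contradicts the default. A reader could conclude that unsafe host paths such as /usr/include only produce a warning unless they opt in. Suggested wording for the first paragraph: `When this option is disabled, the Buildroot cross-compiler only prints a warning when it encounters an unsafe library or header path (such as /usr/include or /usr/lib).` The second paragraph could then state that the option is enabled by default and turns the warning into a build-aborting error.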
@@ -605,95 +757,75 @@ comment "Stack Smashing Protection needs a toolchain w/ SSP" depends on !BR2_TOOLCHAIN_HAS_SSP choice - bool "libraries" - default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED - default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED + bool "RELRO Protection" + depends on BR2_SHARED_LIBS help - Select the type of libraries you want to use on the target. - - The default is to build dynamic libraries and use those on - the target filesystem, except when the architecture and/or - the selected binary format does not support shared - libraries. + Enable a link-time protection know as RELRO (RELocation Read + Only) which helps to protect from certain type of exploitation + techniques altering the content of some ELF sections. -config BR2_STATIC_LIBS - bool "static only" +config BR2_RELRO_NONE + bool "None" help - Build and use only static libraries. No shared libraries - will be instaled on the target. This potentially increases - your code size and should only be used if you know what you - are doing. Note that some packages may not be available when - this option is enabled, due to their need for dynamic - library support. + Disables Relocation link-time protections. -config BR2_SHARED_LIBS - bool "shared only" - depends on BR2_BINFMT_SUPPORTS_SHARED +config BR2_RELRO_PARTIAL + bool "Partial" help - Build and use only shared libraries. This is the recommended - solution as it saves space and build time. + This option makes the dynamic section not writeable after + initialization (with almost no performance penalty). -config BR2_SHARED_STATIC_LIBS - bool "both static and shared" - depends on BR2_BINFMT_SUPPORTS_SHARED +config BR2_RELRO_FULL + bool "Full" help - Build both shared and static libraries, but link executables - dynamically. While building both shared and static libraries - take more time and more disk space, having static libraries - may be useful to link some of the applications statically. 
+ This option includes the partial configuration, but also marks + the GOT as read-only at the cost of initialization time during + program loading, i.e every time an executable is started. endchoice +comment "RELocation Read Only (RELRO) needs shared libraries" + depends on !BR2_SHARED_LIBS -config BR2_PACKAGE_OVERRIDE_FILE - string "location of a package override file" - default "$(CONFIG_DIR)/local.mk" - help - A package override file is a short makefile that contains - variable definitions of the form _OVERRIDE_SRCDIR, - which allows to tell Buildroot to use an existing directory - as the source directory for a particular package. See the - Buildroot documentation for more details on this feature. - -config BR2_GLOBAL_PATCH_DIR - string "global patch directories" +choice + bool "Buffer-overflow Detection (FORTIFY_SOURCE)" + depends on BR2_TOOLCHAIN_USES_GLIBC + depends on !BR2_OPTIMIZE_0 help - You may specify a space separated list of one or more directories - containing global package patches. For a specific version - of a specific package , patches are - applied as follows: - - First, the default Buildroot patch set for the package is applied - from the package's directory in Buildroot. - - Then for every directory - - that exists in - BR2_GLOBAL_PATCH_DIR, if the directory - /// exists, then all - *.patch files in this directory will be applied. + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard + library functions: memcpy, mempcpy, memmove, memset, strcpy, + stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, + vsnprintf, gets. - Otherwise, if the directory / exists, - then all *.patch files in the directory will be applied. + NOTE: This feature requires an optimization level of s/1/2/3/g -menu "Advanced" + Support for this feature has been present since GCC 4.x. 
-config BR2_COMPILER_PARANOID_UNSAFE_PATH - bool "paranoid check of library/header paths" +config BR2_FORTIFY_SOURCE_NONE + bool "None" help - By default, when this option is disabled, when the Buildroot - cross-compiler will encounter an unsafe library or header - path (such as /usr/include, or /usr/lib), the compiler will - display a warning. + Disables additional checks to detect buffer-overflows. - By enabling this option, this warning is turned into an - error, which will completely abort the build when such - unsafe paths are encountered. +config BR2_FORTIFY_SOURCE_1 + bool "Conservative" + help + This option sets _FORTIFY_SOURCE to 1 and only introduces + checks that shouldn't change the behavior of conforming + programs. Adds checks at compile-time only. - Note that this mechanism is available for both the internal - toolchain (through gcc and binutils patches) and external - toolchain backends (through the external toolchain wrapper). +config BR2_FORTIFY_SOURCE_2 + bool "Aggressive" + help + This option sets _FORTIFY_SOURCES to 2 and some more + checking is added, but some conforming programs might fail. + Also adds checks at run-time (detected buffer overflow + terminates the program) -endmenu +endchoice +comment "Fortify Source needs a glibc toolchain and optimization" + depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0) endmenu source "toolchain/Config.in" @@ -712,9 +844,4 @@ source "package/Config.in.host" source "Config.in.legacy" -menu "User-provided options" - depends on BR2_EXTERNAL != "support/dummy-external" - -source "$BR2_EXTERNAL/Config.in" - -endmenu +source "$BR2_BUILD_DIR/.br2-external.in"
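Review bot: The help for `BR2_FORTIFY_SOURCE_1` says "Adds checks at compile-time only", which understates the feature: as glibc documents it, both levels check at compile time where possible and at run time otherwise, and level 2 only makes the checks stricter. Suggested replacement: `Checks are performed at compile time where possible and at run time otherwise.` Neither the RELRO nor the FORTIFY_SOURCE choice has a `default` line, so Kconfig falls back to the first entry, `None`, and both protections stay off unless chosen explicitly; the choice help should say so. The same hunk also has the typos `_FORTIFY_SOURCES` (should be `_FORTIFY_SOURCE`) and "know as RELRO". Its note "requires an optimization level of s/1/2/3/g" omits the new `BR2_OPTIMIZE_FAST`, which `depends on !BR2_OPTIMIZE_0` also allows.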