aboutsummaryrefslogtreecommitdiffstats
path: root/config/Config-build.in
Commit message (Collapse)AuthorAgeFilesLines
* buildsystem: add CONFIG_SECCOMPFlorian Eckert2021-10-161-0/+12
| | | | | | | | | | | | | | | | | | | | | Until now, this feature was switched on via the kernel configuration option KERNEL_SECCOMP. The follwing change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that the package procd-seccomp must also enabled for buildinmg. However, this is not the case we have no dependency and the imagebuilder cannot build the image, because of the implicit package selection. This change adds a new configuration option CONFIG_SECCOMP. The new option has the same behaviour as the configuration option CONFIG_SELINUX. If the CONFIG_SECCOMP is selected then the package procd-seccomp and KERNEL_SECCOMP is enabled for this build. Signed-off-by: Florian Eckert <fe@dev.tdt.de> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* build: create profiles.json per defaultPaul Spooren2021-06-211-1/+1
| | | | | | | | | | | | | The file is a info file just like config.buildinfo, feeds.buildinfo and version.buildinfo. It bundles these and more information in a machine readable way. This commit enables the creation of profiles.json by default and not only for buildbots. By doing so it follow the behaviour of the ImageBuilder which always creates the file, lastly this increases the files visibility for downstream projects. Signed-off-by: Paul Spooren <mail@aparcar.org>
* build: use SPDX license tagsPaul Spooren2021-02-051-4/+2
| | | | | | | | | The license folder is a core part of OpenWrt and all GPL-2.0 licensed. Use SPDX license tags to allow machines to check licenses. Signed-off-by: Paul Spooren <mail@aparcar.org> [rebase, keep some Copyright lines, sharpen commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* config: add big EXPERIMENTAL optionDaniel Golle2020-12-101-1/+15
| | | | | | | | | | | | As discussed in the today's (2020-12-10) meeting, add a new option to menuconfig to group the selection of all experimental features to be selected by default. Developers are recommended to make use of this new symbol to guard new features. Other developers and community members should feel encouraged to build with this flag enabled to help testing and provide feedback. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libcxx[abi]: removeRosen Penev2020-12-071-4/+0
| | | | | | | | | | | | This is a neat project, but offers no benefit to OpenWrt. The initial reason for it was to be a replacement for libstdcpp as it is smaller and lacks compatibility for C++98. Unfortunately, compiling several packages with it results in larger ipk sizes. While not a member of the packages feed, this will be moved to packages-abandoned to keep it somewhere. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* tools/sstrip: update to latest versionRui Salvaterra2020-11-261-0/+8
| | | | | | | | | | | | | | | | Drop our local sstrip copy and use the current ELFKickers upstream version. Patch the original makefile in order to avoid building elftoc, since it fails with musl's elf.h. This is fine, since we only need sstrip anyway. Finally, add the possibility to pass additional arguments to sstrip and pass -z (remove trailing zeros) by default, which matches the behaviour of the previous version. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> [shorten long commit msg lines] Signed-off-by: Paul Spooren <mail@aparcar.org>
* config: clean double whitespace in Config-build.inPaul Spooren2020-11-251-2/+2
| | | | | | | | Trivial cosmetic cleanup. This also helps for script that parse for options in Config files. Signed-off-by: Paul Spooren <mail@aparcar.org> Reviewed-by: Petr Štetiar <ynezz@true.cz>
* Revert "refpolicy: add variant that builds modular policy"Daniel Golle2020-11-221-6/+0
| | | | | | | | | | This reverts commit 9eb9943f82e0b2d5e32ffe1c63f5a82caca5094d. Building the 'modular' variant requires 'semodule_package' from 'selinux-python' to be installed on the buildhost. Apart from that, this change also broke the monolithic refpolicy 'targeted' build. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* refpolicy: add variant that builds modular policyW. Michael Petullo2020-11-091-0/+6
| | | | | | | | | This adds a variant of refpolicy that builds the modular form of the policy. While this requires more memory on the target device, along with some tricks to deal with OpenWrt's volatile /var directory, it is useful for experiementing with SELinux policy. Signed-off-by: W. Michael Petullo <mike@flyn.org>
* config: clean up SELinux optionsDaniel Golle2020-10-161-3/+21
| | | | | | | | | In order to make it easier for users to build with SELinux, have a single option in 'Global build settings' to enable all necessary kernel features, userland packages and build-system hooks. Also add better descriptions and help messages while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* config: add option for dssp selinux policyDaniel Golle2020-10-091-1/+4
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* config: prepare for choice of SELinux policyDaniel Golle2020-09-291-1/+12
| | | | | | Only 'targeted' from refpolicy is supported for now. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* build: add support for SELinux to include/image.mkThomas Petazzoni2020-08-311-0/+10
| | | | | | | | | This allows the build process to prepare a squashfs filesystem for use with SELinux. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [rebase, add commit message] Signed-off-by: W. Michael Petullo <mike@flyn.org>
* build: make prefix mapping of debug information optionalFelix Fietkau2020-08-061-0/+9
| | | | | | | | | | | | | | Remapping the local build path in debug information makes debugging using ./scripts/remote-gdb harder, because files no longer refer to the full path on the build host. For local builds, debug information does not need to be reproducible, since it will be stripped out of packages anyway. For buildbot builds, it makes sense to keep debug information reproducible, since the full path is not needed (nor desired) anywhere. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* build: Remove dependency of user space stack cookies from kernelHauke Mehrtens2020-07-241-2/+0
| | | | | | | | | | | | Currently the user space stack cookies work well also when the kernel stack cookies are not activated. This is handled completely in user space and does not need kernel support. This dependency was probably needed some years ago when the libc did not support stack cookies. Reviewed-by: Ian Cooper <iancooper@hotmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* toolchain: remove gcc libssp and use libc variantIan Cooper2020-06-171-4/+0
| | | | | | | | | | | | | | | Removes the standalone implementation of stack smashing protection in gcc's libssp in favour of the native implementation available in glibc and uclibc. Musl libc already uses its native ssp, so this patch does not affect musl-based toolchains. Stack smashing protection configuration options are now uniform across all supported libc variants. This also makes kernel-level stack smashing protection available for x86_64 and i386 builds using non-musl libc. Signed-off-by: Ian Cooper <iancooper@hotmail.com>
* build: refactor JSON info files to `profiles.json`Paul Spooren2020-04-031-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | JSON info files contain machine readable information of built profiles and resulting images. These files were added in commit 881ed09ee6e2 ("build: create JSON files containing image info"). They are useful for firmware wizards and script checking for reproducibility. Currently all JSON files are stored next to the built images, resulting in up to 168 individual files for the ath79/generic target. This patch refactors the JSON creation to store individual per image (not per profile) files in $(BUILD_DIR)/json_info_files and create an single overview file called `profiles.json` in the target directory. Storing per image files and not per profile solves the problem of parallel file writes. If a profiles sysupgrade and factory image are finished at the same time both processes would write to the same JSON file, resulting in randomly broken outputs. Some target like x86/64 do not use the image code yet, resulting in missing JSON files. If no JSON info files were created, no `profiles.json` files is created as it would be empty anyway. As before, this creation is enabled by default only if `BUILDBOT` is set. Tested via buildroot & ImageBuilder on ath79/generic, imx6 and x86/64. Signed-off-by: Paul Spooren <mail@aparcar.org> [json_info_files dir handling in Make, if case refactoring] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* base-files: add all buildinfo with INCLUDE_CONFIGXu Wang2020-02-271-1/+1
| | | | | | | | | | CONFIG_INCLUDE_CONFIG option is helpful for being able to rebuild the exact same firmware as you see on a live OpenWRT instance, but it's crucially missing feeds information, so we can't rebuild the exact same package versions. This commit fixes this by adding the remaining feeds (and version) buildinfo files to the image. Signed-off-by: Xu Wang <xwang1498@gmx.com>
* buildsystem: Make PIE ASLR option tristateHauke Mehrtens2020-01-131-4/+18
| | | | | | | | | | | | | | | | | | | | | | | | This tristate choose allows to select to build only some applications with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE is activated for the, which is a huge increase. Network exposed applications like dnsmasq should then be build with PIE enabled, but some applications which are normally not parsing data from the network do not have it activated. The regular option should give a good trade off between extra flash and RAM memory usage and security. This changes the default from building no applications with PIE to build some specifically marked applications with PIE enabled. This option is only activated for targets with bigger flash and RAM to not consume extra memory on the very small targets. On SDK builds the Regular option should always be selected, because some tiny targets share the applications with big targets and only the images for the tiny targets should contain the none PIE applications, but the images for the normal targets should use PIE. The shared packages should always use PIE when it should be normally activated. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* libcxx: Depenency fixesRosen Penev2019-12-231-0/+1
| | | | | | | | | | | | | Don't build with uClibc-ng. It's totally unsupported as several functions are missing. Make the musl libc support conditional. Fix hash with make check FIXUP=1. Apparently I based the Makefile off of libedit and forgot to fix the hash. Signed-off-by: Rosen Penev <rosenp@gmail.com> Fixes: 856ea2bad3b3 ("libcxx: Add package")
* libcxx: Add packageRosen Penev2019-12-231-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The former is huge and the latter supports only C++98 with some basic support for C++11. Those C++ versions seem to be specific to the compiler version libcxx supports C++11 and above while being much smaller than libstdcpp. On mt7621, these are the sizes of the ipks that I get: libstdcpp: 460786 libcxx: 182881 uClibc++:67720 libcxx is faster than uClibc++ and is under active development as part of the LLVM project while uClibc++ is effectively dead. This PR modifies uclibc++.mk to expose the make menuconfig option. Further cleanup is beyond the scope of this PR. What that means is, this is not used by default. A g++-libcxx wrapper based on the uClibc++ one was added. Works the same way. Compile tested with all packages that use uclibc++.mk in their Makefiles under mipsel_24kc. kismet fails compilation but that package needs to be cleaned up and updated. Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng on a TP-Link Archer C7v2. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Revert "build: separate signing logic"John Crispin2019-10-211-10/+2
| | | | | | | | This reverts commit 4a45e69d190f72ed94878487b271ed7651dd9efa. This broke the buildbots Signed-off-by: John Crispin <john@phrozen.org>
* build: separate signing logicPaul Spooren2019-10-211-2/+10
| | | | | | | | | | | | | | | | This separates the options for signature creation and verification * SIGNED_PACKAGES create Packages.sig * SIGNED_IMAGES add ucert signature to created images * CHECK_SIGNATURE add verification capabilities to images * INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys Right now the buildbot.git contains some hacks to create images that have signature verification capabilities while not storing private keys on buildbot slaves. This commit allows to disable these steps for the buildbots and only perform signing on the master. Signed-off-by: Paul Spooren <mail@aparcar.org>
* config: remove unused GCC_VERSION_4_8 config symbolsPaul Spooren2019-10-091-2/+0
| | | | | | | | | Lets remove unused GCC_VERSION_4_8 symbol after the series of patches which has switched to target gcc-8 by default. Signed-off-by: Paul Spooren <mail@aparcar.org> [refactored into separate commit] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* build: create JSON files containing image infoPaul Spooren2019-09-291-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The JSON info files contain details about the created firmware images per device and are stored next to the created images. The JSON files are stored as "$(IMAGE_PREFIX).json" and contain some device/image meta data as well as a list of created firmware images. An example of openwrt-ramips-rt305x-aztech_hw550-3g.json { "id": "aztech_hw550-3g", "image_prefix": "openwrt-ramips-rt305x-aztech_hw550-3g", "images": [ { "name": "openwrt-ramips-rt305x-aztech_hw550-3g-squashfs-sysupgrade.bin", "sha256": "db2b34b0ec4a83d9bf612cf66fab0dc3722b191cb9bedf111e5627a4298baf20", "type": "sysupgrade" } ], "metadata_version": 1, "supported_devices": [ "aztech,hw550-3g", "hw550-3g" ], "target": "ramips/rt305x", "titles": [ { "model": "HW550-3G", "vendor": "Aztech" }, { "model": "ALL0239-3G", "vendor": "Allnet" } ], "version_commit": "r10920+123-0cc87b3bac", "version_number": "SNAPSHOT" } Signed-off-by: Paul Spooren <mail@aparcar.org>
* build: add buildinfo files for reproducibilityPaul Spooren2019-08-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | generate feeds.buildinfo and version.buildinfo in build dir after containing the feed revisions (via ./scripts/feeds list -sf) as well as the current revision of buildroot (via ./scripts/getver.sh). With this information it should be possible to reproduce any build, especially the release builds. Usage would be to move feeds.buildinfo to feeds.conf and git checkout the revision hash of version.buildinfo. Content of feeds.buildinfo would look similar to this: src-git routing https://git.openwrt.org/feed/routing.git^bf475d6 src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e ... Content of version.buildinfo would look similar to this: r10203+1-c12bd3a21b Without the exact feed revision it is not possible to determine installed package versions. Also rename config.seed to config.buildinfo to follow the recommended style of https://reproducible-builds.org/docs/recording/ Signed-off-by: Paul Spooren <mail@aparcar.org>
* config: introduce separate CONFIG_SIGNATURE_CHECK optionJo-Philipp Wich2019-08-061-0/+4
| | | | | | | | | | | | | | | | | | | Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value of CONFIG_SIGNED_PACKAGES and thus is enabled by default. This option is needed to support building target opkg with enabled signature verification while having the signed package lists disabled. Our buildbots currently disable package signing globally in the buildroot and SDK to avoid the need to ship private signing keys to the build workers and to prevent the triggering of random key generation on the worker nodes since package signing happens off-line on the master nodes. As unintended side-effect, updated opkg packages will get built with disabled signature verification, hence the need for a new override option. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* build: add a config option for enabling a testing version of the target kernelFelix Fietkau2019-05-111-0/+9
| | | | | | | If the target supports a newer kernel version that is not used by default yet, it can be enabled with this option Signed-off-by: Felix Fietkau <nbd@nbd.name>
* build: Optionally provide file checksums in package metadataMichal Hrusecky2019-01-221-0/+8
| | | | | | | This may be useful if you don't entirely trust your flash and want to be able to check for corruptions. Signed-off-by: Michal Hrusecky <Michal@Hrusecky.net>
* kernel: Fix KERNEL_STACKPROTECTOR on kernel 4.19Hauke Mehrtens2018-12-261-0/+8
| | | | | | | | | | | | The configuration option was renamed with kernel 4.19 from CONFIG_CC_STACKPROTECTOR to CONFIG_STACKPROTECTOR adapt the code to set both options. CONFIG_STACKPROTECTOR now sets the regular stack protector and CONFIG_STACKPROTECTOR_STRONG activates the additional protection of more functions. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* build: cleanup SSP_SUPPORT configure optionJulien Dusser2018-01-271-2/+2
| | | | | | | | | | | | | | | | | | Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh, avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain and depends it means 'build gcc with libssp'. Musl no longer uses libssp (1877bc9d8f), it has internal support, so SSP_SUPPORT was disabled leading some package to not use SSP. No information why Glibc and uClibc use libssp, but they may also provide their own SSP support. uClibc used it own with commit 933b588e25 but it was reverted in f3cacb9e84 without details. Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT if either USE_MUSL or GCC_LIBSSP. Signed-off-by: Julien Dusser <julien.dusser@free.fr>
* build: add hardened builds with PIE (ASLR) supportJulien Dusser2018-01-271-0/+16
| | | | | | | | | | | | | | | | | | Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
* build: disable BUILD_PATENTED by defaultYousong Zhou2018-01-261-1/+1
| | | | | | | | This is mainly for legal considerations and not promoting the usage of and no redistribution of binaries of patented technologies seems to be also the established practice in other linux distros. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* config: make CONFIG_ALL_* select other CONIFG_ALL_* optionsHauke Mehrtens2017-08-261-3/+4
| | | | | | | | | | | | | Select the other CONFIG_ALL_* options in the hierarchy when the master option is selected. Currently CONFIG_ALL_KMODS is not selected when the build bot selects CONFIG_ALL_NONSHARED for example. Now the rtc kmods should get build when CONFIG_ALL_KMODS, CONFIG_ALL_NONSHARED or CONFIG_ALL and CONFIG_RTC_SUPPORT are selected like it is done by the build bots for targets with rtc support. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Jo-Philipp Wich <jo@mein.io>
* kernel: Hide kernel options behind a menuFlorian Fainelli2017-05-261-1/+3
| | | | | | | | We are starting to add more and more kernel configurable options, to the point where the Global build options menu is not really usable anymore, hide all kernel-related configuration options behind a menu. Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* build: add devel option to store build config in firmwareVitaly Chekryzhev2017-03-181-0/+6
| | | | | | Store config.seed in firmware /etc/build.config Signed-off-by: Vitaly Chekryzhev <13hakta@gmail.com>
* build: add buildbot specific config option for setting defaultsFelix Fietkau2017-02-141-2/+12
| | | | | | | | | | This can be used to tweak the buildbot behavior without having to change buildbot's configuration. It will also allow us to add more aggressive clean steps (e.g. on toolchain changes), which would break developers' workflows if enable by default. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* build: remove obsolete parallel build related optionsFelix Fietkau2017-01-101-53/+0
| | | | | | Always use the main make jobserver, which has been the default for ages Signed-off-by: Felix Fietkau <nbd@nbd.name>
* config: enable shadow passwords unconditionallyMatthias Schiffer2016-09-261-3/+0
| | | | | | | | | | | | | Configurations without shadow passwords have been broken since the removal of telnet: as the default entry in /etc/passwd is not empty (but rather unset), there will be no way to log onto such a system by default. As disabling shadow passwords is not useful anyways, remove this configuration option. The config symbol is kept (for a while), as packages from feeds depend on it. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* toolchain: get rid of GCC_VERSION_5 config symbolFelix Fietkau2016-07-151-2/+2
| | | | | | Replace it with !GCC_VERSION_4_8 to be more future compatible Signed-off-by: Felix Fietkau <nbd@nbd.name>
* global: introduce ALL_NONSHARED symbolJo-Philipp Wich2016-04-131-0/+5
| | | | | | | | Introduce a new symbol ALL_NONSHARED which selects all non-sharable packages by default. This option is mainly intented for buildbot setups to build the target dependant software subset only. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* build: do not deselect CONFIG_USE_SSTRIP if CONFIG_DEBUG is enabledFelix Fietkau2016-01-261-2/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48504
* build: use sstrip by default for muslFelix Fietkau2016-01-181-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48313
* linux: make IPv6 builtin if selected (saves >30KB)Steven Barth2015-09-091-1/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46834
* gcc: remove version 4.9-linaroFelix Fietkau2015-09-061-2/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46798
* enable strong SSP / Stackprotector on gcc5Steven Barth2015-08-181-2/+2
| | | | | | Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 46685
* build: disable kernel stack protector support for i386/x86_64Felix Fietkau2015-08-021-0/+1
| | | | | | | | | | | | When stack protector support is disabled in libc (always the case for !musl), gcc assumes that it needs to use __stack_chk_guard for the stack canary. This causes kernel build errors, because the kernel is only set up to handle TLS stack canaries. Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 46543
* hardening: disable user-space SSP for !muslSteven Barth2015-06-291-0/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46146
* toolchain: add fortify-headers, enable FORTIFY_SOURCE by defaultSteven Barth2015-06-231-0/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46117
* gcc/musl: rework SSP-supportSteven Barth2015-06-221-2/+2
| | | | | | | | | | | Make musl provide libssp_nonshared.a and make GCC link it unconditionally if musl is used. This should be a no-op if SSP is disabled and seems to be the only reliable way of dealing with SSP over all packages due to the mess that is linkerflags handling in packages. Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46108