3 mainmenu "Buildroot $BR2_VERSION Configuration"
5 config BR2_HAVE_DOT_CONFIG
11 option env="BR2_VERSION_FULL"
21 # br2-external paths definitions
22 source "$BR2_BASE_DIR/.br2-external.in.paths"
24 # Hidden config symbols for packages to check system gcc version
25 config BR2_HOST_GCC_VERSION
27 option env="HOST_GCC_VERSION"
29 config BR2_HOST_GCC_AT_LEAST_4_9
31 default y if BR2_HOST_GCC_VERSION = "4 9"
33 config BR2_HOST_GCC_AT_LEAST_5
35 default y if BR2_HOST_GCC_VERSION = "5"
36 select BR2_HOST_GCC_AT_LEAST_4_9
38 config BR2_HOST_GCC_AT_LEAST_6
40 default y if BR2_HOST_GCC_VERSION = "6"
41 select BR2_HOST_GCC_AT_LEAST_5
43 config BR2_HOST_GCC_AT_LEAST_7
45 default y if BR2_HOST_GCC_VERSION = "7"
46 select BR2_HOST_GCC_AT_LEAST_6
48 config BR2_HOST_GCC_AT_LEAST_8
50 default y if BR2_HOST_GCC_VERSION = "8"
51 select BR2_HOST_GCC_AT_LEAST_7
53 config BR2_HOST_GCC_AT_LEAST_9
55 default y if BR2_HOST_GCC_VERSION = "9"
56 select BR2_HOST_GCC_AT_LEAST_8
58 config BR2_HOST_GCC_AT_LEAST_10
60 default y if BR2_HOST_GCC_VERSION = "10"
61 select BR2_HOST_GCC_AT_LEAST_9
63 config BR2_HOST_GCC_AT_LEAST_11
65 default y if BR2_HOST_GCC_VERSION = "11"
66 select BR2_HOST_GCC_AT_LEAST_10
68 # When adding new entries above, be sure to update
69 # the HOSTCC_MAX_VERSION variable in the Makefile.
71 # Hidden boolean selected by packages in need of Java in order to build
73 config BR2_NEEDS_HOST_JAVA
76 # Hidden boolean selected by pre-built packages for x86, when they
77 # need to run on x86-64 machines (example: pre-built external
78 # toolchains, binary tools, etc.).
79 config BR2_HOSTARCH_NEEDS_IA32_LIBS
82 # Hidden boolean selected by packages that need to build 32 bits
83 # binaries with the host compiler, even on 64 bits build machines (e.g
85 config BR2_HOSTARCH_NEEDS_IA32_COMPILER
88 # Hidden boolean selected by packages that need the host to have an
90 config BR2_NEEDS_HOST_UTF8_LOCALE
93 # Hidden boolean selected by packages that need the host to have
94 # support for building gcc plugins
95 config BR2_NEEDS_HOST_GCC_PLUGIN_SUPPORT
98 source "arch/Config.in"
100 source "toolchain/Config.in"
107 string "Wget command"
108 default "wget -nd -t 3"
111 string "Subversion (svn) command"
112 default "svn --non-interactive"
115 string "Bazaar (bzr) command"
126 config BR2_LOCALFILES
127 string "Local files retrieval command"
131 string "Secure copy (scp) command"
135 string "Secure file transfer (sftp) command"
139 string "Mercurial (hg) command"
143 string "zcat command"
146 Command to be used to extract a gzip'ed file to stdout. zcat
147 is identical to gunzip -c except that the former may not be
148 available on your system.
149 Default is "gzip -d -c"
150 Other possible values include "gunzip -c" or "zcat".
153 string "bzcat command"
156 Command to be used to extract a bzip2'ed file to stdout.
157 bzcat is identical to bunzip2 -c except that the former may
158 not be available on your system.
160 Other possible values include "bunzip2 -c" or "bzip2 -d -c".
163 string "xzcat command"
166 Command to be used to extract a xz'ed file to stdout.
170 string "lzcat command"
173 Command to be used to extract a lzip'ed file to stdout.
174 Default is "lzip -d -c"
176 config BR2_TAR_OPTIONS
180 Options to pass to tar when extracting the sources.
181 E.g. " -v --exclude='*.svn*'" to exclude all .svn internal
182 files and to be verbose.
186 config BR2_DEFCONFIG_FROM_ENV
188 option env="BR2_DEFCONFIG"
191 string "Location to save buildroot config"
192 default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != ""
193 default "$(CONFIG_DIR)/defconfig"
195 When running 'make savedefconfig', the defconfig file will be
196 saved in this location.
199 string "Download dir"
200 default "$(TOPDIR)/dl"
202 Directory to store all the source files that we need to fetch.
203 If the Linux shell environment has defined the BR2_DL_DIR
204 environment variable, then this overrides this configuration
206 The directory is organized with a subdirectory for each
207 package. Each package has its own $(LIBFOO_DL_DIR) variable
208 that can be used to find the correct path.
210 The default is $(TOPDIR)/dl
214 default "$(BASE_DIR)/host"
216 Directory to store all the binary files that are built for the
217 host. This includes the cross compilation toolchain when
218 building the internal buildroot toolchain.
220 The default is $(BASE_DIR)/host
222 menu "Mirrors and Download locations"
224 config BR2_PRIMARY_SITE
225 string "Primary download site"
228 Primary site to download from. If this option is set then
229 buildroot will try to download package source first from this
230 site and try the default if the file is not found.
232 - URIs recognized by $(WGET)
233 - local URIs of the form file://absolutepath
234 - scp URIs of the form scp://[user@]host:path.
236 config BR2_PRIMARY_SITE_ONLY
237 bool "Only allow downloads from primary download site"
238 depends on BR2_PRIMARY_SITE != ""
240 If this option is enabled, downloads will only be attempted
241 from the primary download site. Other locations, like the
242 package's official download location or the backup download
243 site, will not be considered. Therefore, if the package is not
244 present on the primary site, the download fails.
246 This is useful for project developers who want to ensure that
247 the project can be built even if the upstream tarball
250 if !BR2_PRIMARY_SITE_ONLY
252 config BR2_BACKUP_SITE
253 string "Backup download site"
254 default "https://sources.buildroot.net"
256 Backup site to download from. If this option is set then
257 buildroot will fall back to download package sources from here
258 if the normal location fails.
260 config BR2_KERNEL_MIRROR
261 string "Kernel.org mirror"
262 default "https://cdn.kernel.org/pub"
264 kernel.org is mirrored on a number of servers around the
265 world. The following allows you to select your preferred
266 mirror. By default, a CDN is used, which automatically
267 redirects to a mirror geographically close to you.
269 Have a look on the kernel.org site for a list of mirrors, then
270 enter the URL to the base directory. Examples:
272 http://www.XX.kernel.org/pub (XX = country code)
273 http://mirror.aarnet.edu.au/pub/ftp.kernel.org
# Base URL used for packages fetched from the GNU mirror network.
# NOTE(review): the default below is a plain http:// URL, so the transport
# itself gives no integrity or authenticity guarantee for what is fetched.
# Protection of these downloads then rests on hash verification (see
# BR2_DOWNLOAD_FORCE_CHECK_HASHES in this file) -- confirm that is in force,
# or point this at an https:// mirror if one is available.
275 config BR2_GNU_MIRROR
276 string "GNU Software mirror"
277 default "http://ftpmirror.gnu.org"
279 GNU has multiple software mirrors scattered around the
280 world. The following allows you to select your preferred
281 mirror. By default, a generic address is used, which
282 automatically selects an up-to-date and local mirror.
284 Have a look on the gnu.org site for a list of mirrors, then
285 enter the URL to the base directory. Examples:
287 http://ftp.gnu.org/pub/gnu
288 http://mirror.aarnet.edu.au/pub/gnu
# Base URL of the LuaRocks repository used for Lua packages.
# NOTE(review): the default is a plain http:// URL, so anything fetched from
# it is unauthenticated in transit. Confirm that the packages pulled from
# here are covered by hash files, or override this with an https:// mirror
# if one is available.
290 config BR2_LUAROCKS_MIRROR
291 string "LuaRocks mirror"
292 default "http://rocks.moonscript.org"
296 See http://luarocks.org
298 config BR2_CPAN_MIRROR
299 string "CPAN mirror (Perl packages)"
300 default "https://cpan.metacpan.org"
302 CPAN (Comprehensive Perl Archive Network) is a repository of
303 Perl packages. It has multiple software mirrors scattered
304 around the world. This option allows you to select a mirror.
306 The list of mirrors is available at:
307 http://mirrors.cpan.org/ (tabular)
308 http://mirrors.cpan.org/map.html (clickable world map)
315 int "Number of jobs to run simultaneously (0 for auto)"
318 Number of jobs to run simultaneously. If 0, determine
319 automatically according to number of CPUs on the host system.
321 comment "ccache needs a host gcc >= 8"
322 depends on !BR2_HOST_GCC_AT_LEAST_8
325 bool "Enable compiler cache"
326 depends on BR2_HOST_GCC_AT_LEAST_8
328 This option will enable the use of ccache, a compiler cache.
329 It will cache the result of previous builds to speed up future
330 builds. By default, the cache is stored in
331 $HOME/.buildroot-ccache.
333 Note that Buildroot does not try to invalidate the cache
334 contents when the compiler changes in an incompatible way.
335 Therefore, if you make a change to the compiler version and/or
336 configuration, you are responsible for purging the ccache
337 cache by removing the $HOME/.buildroot-ccache directory.
341 config BR2_CCACHE_DIR
342 string "Compiler cache location"
343 default "$(HOME)/.buildroot-ccache"
345 Where ccache should store cached files.
346 If the Linux shell environment has defined the BR2_CCACHE_DIR
347 environment variable, then this overrides this configuration
350 config BR2_CCACHE_INITIAL_SETUP
351 string "Compiler cache initial setup"
353 Initial ccache settings to apply, such as --max-files or
356 For example, if your project is known to require more space
357 than the default max cache size, then you might want to
358 increase the cache size to a suitable amount using the -M
361 The string you specify here is passed verbatim to ccache.
362 Refer to ccache documentation for more details.
364 These initial settings are applied after ccache has been
367 config BR2_CCACHE_USE_BASEDIR
368 bool "Use relative paths"
371 Allow ccache to convert absolute paths within the output
372 directory into relative paths.
374 During the build, many -I include directives are given with an
375 absolute path. These absolute paths end up in the hashes that
376 are computed by ccache. Therefore, when you build from a
377 different directory, the hash will be different and the cached
378 object will not be used.
380 To improve cache performance, set this option to y. This
381 allows ccache to rewrite absolute paths within the output
382 directory into relative paths. Note that only paths within the
383 output directory will be rewritten; therefore, if you change
384 BR2_HOST_DIR to point outside the output directory and
385 subsequently move it to a different location, this will lead
388 This option has as a result that the debug information in the
389 object files also has only relative paths. Therefore, make
390 sure you cd to the build directory before starting gdb. See
391 the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache
392 manual for more information.
396 config BR2_ENABLE_DEBUG
397 bool "build packages with debugging symbols"
399 Build packages with debugging symbols enabled. All libraries
400 and binaries in the 'staging' directory will have debugging
401 symbols, which allows remote debugging even if libraries and
402 binaries are stripped on the target. Whether libraries and
403 binaries are stripped on the target is controlled by the
404 BR2_STRIP_* options below.
408 prompt "gcc debug level"
411 Set the debug level for gcc
416 Debug level 1 produces minimal information, enough for making
417 backtraces in parts of the program that you don't plan to
418 debug. This includes descriptions of functions and external
419 variables, but no information about local variables and no
425 The default gcc debug level is 2
430 Level 3 includes extra information, such as all the macro
431 definitions present in the program. Some debuggers support
432 macro expansion when you use -g3.
436 config BR2_ENABLE_RUNTIME_DEBUG
437 bool "build packages with runtime debugging info"
439 Some packages may have runtime assertions, extra traces, and
440 similar runtime elements that can help debugging. However,
441 these elements may negatively influence performance so should
442 normally not be enabled on production systems.
444 Enable this option to enable such runtime debugging.
446 Note: disabling this option is not a guarantee that all
447 packages effectively removed these runtime debugging elements.
449 config BR2_STRIP_strip
450 bool "strip target binaries"
452 depends on BR2_BINFMT_ELF
454 Binaries and libraries in the target filesystem will be
455 stripped using the normal 'strip' command. This saves
456 space, mainly by removing debugging symbols. Debugging symbols
457 on the target are needed for native debugging, but not when
458 remote debugging is used.
460 config BR2_STRIP_EXCLUDE_FILES
461 string "executables that should not be stripped"
463 depends on BR2_STRIP_strip
465 You may specify a space-separated list of binaries and
466 libraries here that should not be stripped on the target.
468 config BR2_STRIP_EXCLUDE_DIRS
469 string "directories that should be skipped when stripping"
471 depends on BR2_STRIP_strip
473 You may specify a space-separated list of directories that
474 should be skipped when stripping. Binaries and libraries in
475 these directories will not be touched. The directories should
476 be specified relative to the target directory, without leading
480 prompt "gcc optimization level"
481 default BR2_OPTIMIZE_2
483 Set the optimization level for gcc
485 config BR2_OPTIMIZE_0
486 bool "optimization level 0"
490 config BR2_OPTIMIZE_1
491 bool "optimization level 1"
493 Optimize. Optimizing compilation takes somewhat more time, and
494 a lot more memory for a large function. With -O, the compiler
495 tries to reduce code size and execution time, without
496 performing any optimizations that take a great deal of
497 compilation time. -O turns on the following optimization
498 flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability
499 -fcprop-registers -floop-optimize -fif-conversion
500 -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts
501 -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename
502 -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O
503 also turns on -fomit-frame-pointer on machines where doing so
504 does not interfere with debugging.
506 config BR2_OPTIMIZE_2
507 bool "optimization level 2"
509 Optimize even more. GCC performs nearly all supported
510 optimizations that do not involve a space-speed tradeoff. The
511 compiler does not perform loop unrolling or function inlining
512 when you specify -O2. As compared to -O, this option increases
513 both compilation time and the performance of the generated
514 code. -O2 turns on all optimization flags specified by -O. It
515 also turns on the following optimization flags:
516 -fthread-jumps -fcrossjumping -foptimize-sibling-calls
517 -fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm
518 -fexpensive-optimizations -fstrength-reduce
519 -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves
520 -fpeephole2 -fschedule-insns -fschedule-insns2
521 -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing
522 -fdelete-null-pointer-checks -freorder-blocks
523 -freorder-functions -falign-functions -falign-jumps
524 -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please
525 note the warning under -fgcse about invoking -O2 on programs
526 that use computed gotos.
529 config BR2_OPTIMIZE_3
530 bool "optimization level 3"
532 Optimize yet more. -O3 turns on all optimizations specified by
533 -O2 and also turns on the -finline-functions, -funswitch-loops
534 and -fgcse-after-reload options.
536 config BR2_OPTIMIZE_G
537 bool "optimize for debugging"
538 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8
540 Optimize for debugging. This enables optimizations that do not
541 interfere with debugging. It should be the optimization level
542 of choice for the standard edit-compile-debug cycle, offering
543 a reasonable level of optimization while maintaining fast
544 compilation and a good debugging experience.
546 config BR2_OPTIMIZE_S
547 bool "optimize for size"
549 Optimize for size. -Os enables all -O2 optimizations that do
550 not typically increase code size. It also performs further
551 optimizations designed to reduce code size. -Os disables the
552 following optimization flags: -falign-functions -falign-jumps
553 -falign-loops -falign-labels -freorder-blocks
554 -freorder-blocks-and-partition -fprefetch-loop-arrays
555 -ftree-vect-loop-version
557 config BR2_OPTIMIZE_FAST
558 bool "optimize for fast (may break packages!)"
559 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6
561 Optimize for fast. Disregard strict standards
562 compliance. -Ofast enables all -O3 optimizations. It also
563 enables optimizations that are not valid for all
564 standard-compliant programs, so be careful, as it may break
565 some packages. It turns on -ffast-math and the
566 Fortran-specific -fstack-arrays, unless -fmax-stack-var-size
567 is specified, and -fno-protect-parens.
571 config BR2_ENABLE_LTO
572 bool "build packages with link-time optimisation"
574 Enable the link-time optimisation (LTO) option when building
575 packages. Link-time optimisation re-runs optimisations at
576 link time, which allows the compiler to do interprocedural
577 analysis across compilation units and thus come up with better
578 results: smaller size and better performance.
580 Note that this analysis is limited to statically linked
581 object files and libraries.
583 This option may significantly increase build times,
584 sometimes 5 times longer, with only limited gains.
586 At this time, this option only enables LTO in packages that
587 have an explicit configuration option for it. Other packages
588 always enable LTO, but most packages never enable LTO.
590 config BR2_GOOGLE_BREAKPAD_ENABLE
591 bool "Enable google-breakpad support"
592 depends on BR2_INSTALL_LIBSTDCPP
593 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_7 # C++17
594 depends on BR2_USE_WCHAR
595 depends on BR2_TOOLCHAIN_HAS_THREADS
596 depends on BR2_TOOLCHAIN_USES_GLIBC
597 depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS
598 depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS
599 select BR2_PACKAGE_GOOGLE_BREAKPAD
601 This option will enable the use of google breakpad, a library
602 and tool suite that allows you to distribute an application to
603 users with compiler-provided debugging information removed,
604 record crashes in compact "minidump" files, send them back to
605 your server and produce C and C++ stack traces from these
606 minidumps. Breakpad can also write minidumps on request for
607 programs that have not crashed.
609 if BR2_GOOGLE_BREAKPAD_ENABLE
611 config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
612 string "List of executables and libraries to extract symbols from"
615 You may specify a space-separated list of binaries and
616 libraries with full paths relative to $(TARGET_DIR) of which
617 debug symbols will be dumped for further use with google
620 A directory structure that can be used by minidump-stackwalk
623 $(STAGING_DIR)/usr/share/google-breakpad-symbols
629 default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
630 default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
632 Select the type of libraries you want to use on the target.
634 The default is to build dynamic libraries and use those on the
635 target filesystem, except when the architecture and/or the
636 selected binary format does not support shared libraries.
638 config BR2_STATIC_LIBS
640 depends on !BR2_TOOLCHAIN_USES_GLIBC
642 Build and use only static libraries. No shared libraries will
643 be installed on the target. This potentially increases your
644 code size and should only be used if you know what you are
645 doing. Note that some packages may not be available when this
646 option is enabled, due to their need for dynamic library
649 comment "static only needs a toolchain w/ uclibc or musl"
650 depends on BR2_TOOLCHAIN_USES_GLIBC
652 config BR2_SHARED_LIBS
654 depends on BR2_BINFMT_SUPPORTS_SHARED
656 Build and use only shared libraries. This is the recommended
657 solution as it saves space and build time.
659 config BR2_SHARED_STATIC_LIBS
660 bool "both static and shared"
661 depends on BR2_BINFMT_SUPPORTS_SHARED
663 Build both shared and static libraries, but link executables
664 dynamically. While building both shared and static libraries
665 takes more time and more disk space, having static libraries
666 may be useful to link some of the applications statically.
670 config BR2_PACKAGE_OVERRIDE_FILE
671 string "location of a package override file"
672 default "$(CONFIG_DIR)/local.mk"
674 A package override file is a short makefile that contains
675 variable definitions of the form <pkg>_OVERRIDE_SRCDIR, which
676 tell Buildroot to use an existing directory as the
677 source directory for a particular package. See the Buildroot
678 documentation for more details on this feature.
# Space-separated list of directories holding extra package patches and
# hash files.
# Per the help text below, every *.patch file found in a matching
# subdirectory is applied to the package sources, and hash files are looked
# up the same way. The contents therefore are trusted build input: they
# change what gets compiled and which downloads are accepted as valid.
# NOTE(review): keep these directories under review/version control and not
# writable by accounts other than the one running the build.
680 config BR2_GLOBAL_PATCH_DIR
681 string "global patch and hash directories"
683 You may specify a space separated list of one or more
684 directories containing global package patches and/or hashes.
685 For a specific version <packageversion> of a specific package
686 <packagename>, patches are looked up as follows:
688 First, the default Buildroot patch set for the package is
689 applied from the package's directory in Buildroot.
691 Then for every directory - <global-patch-dir> - that exists in
692 BR2_GLOBAL_PATCH_DIR, if the directory
693 <global-patch-dir>/<packagename>/<packageversion>/ exists,
694 then all *.patch files in this directory will be applied.
696 Otherwise, if the directory <global-patch-dir>/<packagename>
697 exists, then all *.patch files in the directory will be
700 The hash files are looked up similarly to the patches.
704 config BR2_FORCE_HOST_BUILD
705 bool "Force the building of host dependencies"
707 Build all available host dependencies, even if they are
708 already installed on the system.
710 This option can be used to ensure that the download cache of
711 source archives for packages remains consistent between
712 different build hosts.
714 This option will increase build time.
# Download-integrity control: when set, every download must have at least
# one hash and all of its hashes must match.
# Per the help text below, packages that use a custom version are exempt
# from hash checking unless this option is enabled; the extra hash files
# for them are read from the BR2_GLOBAL_PATCH_DIR directories.
# NOTE(review): no "default" line is visible for this symbol in this
# listing -- confirm the effective value in your .config if you rely on
# hashes to protect downloads from http:// mirrors.
716 config BR2_DOWNLOAD_FORCE_CHECK_HASHES
717 bool "Force all downloads to have a valid hash"
719 Say 'y' here to enforce downloads to have at least one valid
720 hash (and of course, that all hashes be valid).
722 By default, Buildroot checks hashes of all packages
723 downloaded, except those for which a custom version is
726 With this option turned on, Buildroot will check hashes of
727 all packages, including those that use a custom version. In
728 order to provide hashes for such packages, place additional
729 hash files in BR2_GLOBAL_PATCH_DIR directories.
731 config BR2_REPRODUCIBLE
732 bool "Make the build reproducible (experimental)"
733 # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4
734 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4
736 This option will remove all sources of non-reproducibility
737 from the build process. For a given Buildroot configuration,
738 this makes it possible to generate exactly identical binaries from one
739 build to the other, including on different machines.
741 The current implementation is restricted to builds with the
742 same output directory. Many (absolute) paths are recorded in
743 intermediary files, and it is very likely that some of these
744 paths leak into the target rootfs. If you build with the
745 same O=... path, however, the result is identical.
747 This is labeled as an experimental feature, as not all
748 packages behave properly to ensure reproducibility.
750 config BR2_PER_PACKAGE_DIRECTORIES
751 bool "Use per-package directories (experimental)"
753 This option will change the build process of Buildroot
754 packages to use per-package target and host directories.
756 This is useful for two related purposes:
758 - Cleanly isolate the build of each package, so that a
759 given package only "sees" the dependencies it has
760 explicitly expressed, and not other packages that may
761 have by chance been built before.
763 - Enable top-level parallel build.
765 This is labeled as an experimental feature, as not all
766 packages behave properly with per-package directories.
770 config BR2_TIME_BITS_64
771 bool "Build Y2038-ready code"
772 depends on BR2_TOOLCHAIN_USES_GLIBC && !BR2_ARCH_IS_64
774 This option will pass -D_TIME_BITS=64 in the compiler flags
775 to ensure the glibc C library uses a 64-bit representation
776 for time_t and other time types, which ensures that
777 programs/libraries will correctly handle time past year
780 This option only has an effect with glibc >= 2.34, as
781 earlier glibc versions did not have support for 64-bit
784 comment "Security Hardening Options"
786 config BR2_PIC_PIE_ARCH_SUPPORTS
789 # Microblaze glibc toolchains don't work with PIC/PIE enabled
790 depends on !BR2_microblaze
791 # Nios2 toolchains produce non working binaries with -fPIC
792 depends on !BR2_nios2
795 bool "Build code with PIC/PIE"
797 depends on BR2_PIC_PIE_ARCH_SUPPORTS
798 depends on BR2_SHARED_LIBS
799 depends on BR2_TOOLCHAIN_SUPPORTS_PIE
801 Generate Position-Independent Code (PIC) and link
802 Position-Independent Executables (PIE).
804 comment "PIC/PIE needs a toolchain w/ PIE"
805 depends on BR2_PIC_PIE_ARCH_SUPPORTS
806 depends on BR2_SHARED_LIBS
807 depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
810 bool "Stack Smashing Protection"
811 default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
812 default BR2_SSP_STRONG if BR2_TOOLCHAIN_HAS_SSP_STRONG
813 default BR2_SSP_REGULAR
814 depends on BR2_TOOLCHAIN_HAS_SSP
816 Enable stack smashing protection support using GCC's
817 -fstack-protector option family.
820 http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
823 Note that this requires the toolchain to have SSP support.
824 This is always the case for glibc and eglibc toolchains, but is
825 optional in uClibc toolchains.
830 Disable stack-smashing protection.
832 config BR2_SSP_REGULAR
833 bool "-fstack-protector"
835 Emit extra code to check for buffer overflows, such as stack
836 smashing attacks. This is done by adding a guard variable to
837 functions with vulnerable objects. This includes functions
838 that call alloca, and functions with buffers larger than 8
839 bytes. The guards are initialized when a function is entered
840 and then checked when the function exits. If a guard check
841 fails, an error message is printed and the program exits.
843 config BR2_SSP_STRONG
844 bool "-fstack-protector-strong"
845 depends on BR2_TOOLCHAIN_HAS_SSP_STRONG
847 Like -fstack-protector but includes additional functions to be
848 protected - those that have local array definitions, or have
849 references to local frame addresses.
851 -fstack-protector-strong officially appeared in gcc 4.9, but
852 some vendors have backported -fstack-protector-strong to older
856 bool "-fstack-protector-all"
858 Like -fstack-protector except that all functions are
859 protected. This option might have a significant performance
860 impact on the compiled binaries.
# Maps the selected stack-protector choice (BR2_SSP_REGULAR, BR2_SSP_STRONG
# or BR2_SSP_ALL) to the matching -fstack-protector* compiler flag string.
# None of the defaults listed here applies when no protection level is
# selected. NOTE(review): the symbol's type line is not visible in this
# listing; presumably a promptless string -- confirm.
864 config BR2_SSP_OPTION
866 default "-fstack-protector" if BR2_SSP_REGULAR
867 default "-fstack-protector-strong" if BR2_SSP_STRONG
868 default "-fstack-protector-all" if BR2_SSP_ALL
870 comment "Stack Smashing Protection needs a toolchain w/ SSP"
871 depends on !BR2_TOOLCHAIN_HAS_SSP
874 bool "RELRO Protection"
875 default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE
876 default BR2_RELRO_PARTIAL
877 depends on BR2_SHARED_LIBS
879 Enable a link-time protection known as RELRO (RELocation Read
880 Only) which helps to protect from certain types of exploitation
881 techniques altering the content of some ELF sections.
883 config BR2_RELRO_NONE
886 Disables Relocation link-time protections.
888 config BR2_RELRO_PARTIAL
891 This option makes the dynamic section not writeable after
892 initialization (with almost no performance penalty).
894 config BR2_RELRO_FULL
896 depends on BR2_PIC_PIE_ARCH_SUPPORTS
897 depends on BR2_TOOLCHAIN_SUPPORTS_PIE
900 This option includes the partial configuration, but also marks
901 the GOT as read-only at the cost of initialization time during
902 program loading, i.e. every time an executable is started.
904 comment "RELRO Full needs a toolchain w/ PIE"
905 depends on BR2_PIC_PIE_ARCH_SUPPORTS
906 depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
910 comment "RELocation Read Only (RELRO) needs shared libraries"
911 depends on !BR2_SHARED_LIBS
913 config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
916 # Microblaze glibc toolchains don't work with Fortify Source enabled
917 depends on !BR2_microblaze
920 bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
921 default BR2_FORTIFY_SOURCE_1
922 depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
923 depends on BR2_TOOLCHAIN_USES_GLIBC
924 depends on !BR2_OPTIMIZE_0
926 Enable the _FORTIFY_SOURCE macro which introduces additional
927 checks to detect buffer-overflows in the following standard
928 library functions: memcpy, mempcpy, memmove, memset, strcpy,
929 stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf,
932 NOTE: This feature requires an optimization level of s/1/2/3/g
934 Support for this feature has been present since GCC 4.x.
936 config BR2_FORTIFY_SOURCE_NONE
939 Disables additional checks to detect buffer-overflows.
# Choice entry that sets _FORTIFY_SOURCE to 1 (the default of the enclosing
# choice, per its "default BR2_FORTIFY_SOURCE_1" line).
# The "depends on" below excludes the internal Buildroot toolchain with a
# gcc older than 6 because of the gcc bug referenced in the comment.
# NOTE(review): the help text says level 1 adds compile-time checks only;
# the glibc feature_test_macros documentation describes run-time checks at
# this level as well, so the wording may understate what level 1 does --
# confirm before relying on it in a hardening assessment.
941 config BR2_FORTIFY_SOURCE_1
943 # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
944 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
946 This option sets _FORTIFY_SOURCE to 1 and only introduces
947 checks that shouldn't change the behavior of conforming
948 programs. Adds checks at compile-time only.
950 config BR2_FORTIFY_SOURCE_2
952 # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
953 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
955 This option sets _FORTIFY_SOURCE to 2 and some more
956 checking is added, but some conforming programs might fail.
957 Also adds checks at run-time (a detected buffer overflow
958 terminates the program)
960 config BR2_FORTIFY_SOURCE_3
962 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
964 This option sets _FORTIFY_SOURCE to 3 and even more
965 checking is added compared to level 2. Extends checks at
966 run-time that can introduce an additional performance
971 comment "Fortify Source needs a glibc toolchain and optimization"
972 depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
973 depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
976 source "system/Config.in"
978 source "linux/Config.in"
980 source "package/Config.in"
982 source "fs/Config.in"
984 source "boot/Config.in"
986 source "package/Config.in.host"
988 source "Config.in.legacy"
990 # br2-external menus definitions
991 source "$BR2_BASE_DIR/.br2-external.in.menus"