3 mainmenu "Buildroot $BR2_VERSION Configuration"
5 config BR2_HAVE_DOT_CONFIG
11 option env="BR2_VERSION_FULL"
21 # br2-external paths definitions
22 source "$BR2_BASE_DIR/.br2-external.in.paths"
24 # Hidden config symbols for packages to check system gcc version
25 config BR2_HOST_GCC_VERSION
27 option env="HOST_GCC_VERSION"
29 config BR2_HOST_GCC_AT_LEAST_4_9
31 default y if BR2_HOST_GCC_VERSION = "4 9"
33 config BR2_HOST_GCC_AT_LEAST_5
35 default y if BR2_HOST_GCC_VERSION = "5"
36 select BR2_HOST_GCC_AT_LEAST_4_9
38 config BR2_HOST_GCC_AT_LEAST_6
40 default y if BR2_HOST_GCC_VERSION = "6"
41 select BR2_HOST_GCC_AT_LEAST_5
43 config BR2_HOST_GCC_AT_LEAST_7
45 default y if BR2_HOST_GCC_VERSION = "7"
46 select BR2_HOST_GCC_AT_LEAST_6
48 config BR2_HOST_GCC_AT_LEAST_8
50 default y if BR2_HOST_GCC_VERSION = "8"
51 select BR2_HOST_GCC_AT_LEAST_7
53 config BR2_HOST_GCC_AT_LEAST_9
55 default y if BR2_HOST_GCC_VERSION = "9"
56 select BR2_HOST_GCC_AT_LEAST_8
58 config BR2_HOST_GCC_AT_LEAST_10
60 default y if BR2_HOST_GCC_VERSION = "10"
61 select BR2_HOST_GCC_AT_LEAST_9
63 config BR2_HOST_GCC_AT_LEAST_11
65 default y if BR2_HOST_GCC_VERSION = "11"
66 select BR2_HOST_GCC_AT_LEAST_10
68 # When adding new entries above, be sure to update
69 # the HOSTCC_MAX_VERSION variable in the Makefile.
71 # Hidden boolean selected by packages in need of Java in order to build
73 config BR2_NEEDS_HOST_JAVA
76 # Hidden boolean selected by pre-built packages for x86, when they
77 # need to run on x86-64 machines (example: pre-built external
78 # toolchains, binary tools, etc.).
79 config BR2_HOSTARCH_NEEDS_IA32_LIBS
82 # Hidden boolean selected by packages that need to build 32 bits
83 # binaries with the host compiler, even on 64 bits build machines (e.g
85 config BR2_HOSTARCH_NEEDS_IA32_COMPILER
88 # Hidden boolean selected by packages that need the host to have an
90 config BR2_NEEDS_HOST_UTF8_LOCALE
93 # Hidden boolean selected by packages that need the host to have
94 # support for building gcc plugins
95 config BR2_NEEDS_HOST_GCC_PLUGIN_SUPPORT
98 source "arch/Config.in"
100 source "toolchain/Config.in"
107 string "Curl command"
108 default "curl -q --ftp-pasv --retry 3"
111 string "Wget command"
112 default "wget -nd -t 3"
115 string "Subversion (svn) command"
116 default "svn --non-interactive"
119 string "Bazaar (bzr) command"
130 config BR2_LOCALFILES
131 string "Local files retrieval command"
135 string "Secure copy (scp) command"
139 string "Secure file transfer (sftp) command"
143 string "Mercurial (hg) command"
147 string "zcat command"
150 Command to be used to extract a gzip'ed file to stdout. zcat
151 is identical to gunzip -c except that the former may not be
152 available on your system.
153 Default is "gzip -d -c"
154 Other possible values include "gunzip -c" or "zcat".
157 string "bzcat command"
160 Command to be used to extract a bzip2'ed file to stdout.
161 bzcat is identical to bunzip2 -c except that the former may
162 not be available on your system.
164 Other possible values include "bunzip2 -c" or "bzip2 -d -c".
167 string "xzcat command"
170 Command to be used to extract a xz'ed file to stdout.
174 string "lzcat command"
177 Command to be used to extract a lzip'ed file to stdout.
178 Default is "lzip -d -c"
180 config BR2_TAR_OPTIONS
184 Options to pass to tar when extracting the sources.
185 E.g. " -v --exclude='*.svn*'" to exclude all .svn internal
186 files and to be verbose.
190 config BR2_DEFCONFIG_FROM_ENV
192 option env="BR2_DEFCONFIG"
195 string "Location to save buildroot config"
196 default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != ""
197 default "$(CONFIG_DIR)/defconfig"
199 When running 'make savedefconfig', the defconfig file will be
200 saved in this location.
203 string "Download dir"
204 default "$(TOPDIR)/dl"
206 Directory to store all the source files that we need to fetch.
207 If the Linux shell environment has defined the BR2_DL_DIR
208 environment variable, then this overrides this configuration
210 The directory is organized with a subdirectory for each
211 package. Each package has its own $(LIBFOO_DL_DIR) variable
212 that can be used to find the correct path.
214 The default is $(TOPDIR)/dl
218 default "$(BASE_DIR)/host"
220 Directory to store all the binary files that are built for the
221 host. This includes the cross compilation toolchain when
222 building the internal buildroot toolchain.
224 The default is $(BASE_DIR)/host
226 menu "Mirrors and Download locations"
228 config BR2_PRIMARY_SITE
229 string "Primary download site"
232 Primary site to download from. If this option is set then
233 buildroot will try to download package source first from this
234 site and try the default if the file is not found.
236 - URIs recognized by $(WGET)
237 - local URIs of the form file://absolutepath
238 - scp URIs of the form scp://[user@]host:path.
240 config BR2_PRIMARY_SITE_ONLY
241 bool "Only allow downloads from primary download site"
242 depends on BR2_PRIMARY_SITE != ""
244 If this option is enabled, downloads will only be attempted
245 from the primary download site. Other locations, like the
246 package's official download location or the backup download
247 site, will not be considered. Therefore, if the package is not
248 present on the primary site, the download fails.
250 This is useful for project developers who want to ensure that
251 the project can be built even if the upstream tarball
254 if !BR2_PRIMARY_SITE_ONLY
256 config BR2_BACKUP_SITE
257 string "Backup download site"
258 default "https://sources.buildroot.net"
260 Backup site to download from. If this option is set then
261 buildroot will fall back to download package sources from here
262 if the normal location fails.
264 config BR2_KERNEL_MIRROR
265 string "Kernel.org mirror"
266 default "https://cdn.kernel.org/pub"
268 kernel.org is mirrored on a number of servers around the
269 world. The following allows you to select your preferred
270 mirror. By default, a CDN is used, which automatically
271 redirects to a mirror geographically close to you.
273 Have a look at the kernel.org site for a list of mirrors, then
274 enter the URL to the base directory. Examples:
276 http://www.XX.kernel.org/pub (XX = country code)
277 http://mirror.aarnet.edu.au/pub/ftp.kernel.org
279 config BR2_GNU_MIRROR
280 string "GNU Software mirror"
281 default "http://ftpmirror.gnu.org"
283 GNU has multiple software mirrors scattered around the
284 world. The following allows you to select your preferred
285 mirror. By default, a generic address is used, which
286 automatically selects an up-to-date and local mirror.
288 Have a look at the gnu.org site for a list of mirrors, then
289 enter the URL to the base directory. Examples:
291 http://ftp.gnu.org/pub/gnu
292 http://mirror.aarnet.edu.au/pub/gnu
294 config BR2_LUAROCKS_MIRROR
295 string "LuaRocks mirror"
296 default "http://rocks.moonscript.org"
300 See http://luarocks.org
302 config BR2_CPAN_MIRROR
303 string "CPAN mirror (Perl packages)"
304 default "https://cpan.metacpan.org"
306 CPAN (Comprehensive Perl Archive Network) is a repository of
307 Perl packages. It has multiple software mirrors scattered
308 around the world. This option allows you to select a mirror.
310 The list of mirrors is available at:
311 http://mirrors.cpan.org/ (tabular)
312 http://mirrors.cpan.org/map.html (clickable world map)
319 int "Number of jobs to run simultaneously (0 for auto)"
322 Number of jobs to run simultaneously. If 0, determine
323 automatically according to number of CPUs on the host system.
325 comment "ccache needs a host gcc >= 8"
326 depends on !BR2_HOST_GCC_AT_LEAST_8
329 bool "Enable compiler cache"
330 depends on BR2_HOST_GCC_AT_LEAST_8
332 This option will enable the use of ccache, a compiler cache.
333 It will cache the result of previous builds to speed up future
334 builds. By default, the cache is stored in
335 $HOME/.buildroot-ccache.
337 Note that Buildroot does not try to invalidate the cache
338 contents when the compiler changes in an incompatible way.
339 Therefore, if you make a change to the compiler version and/or
340 configuration, you are responsible for purging the ccache
341 cache by removing the $HOME/.buildroot-ccache directory.
345 config BR2_CCACHE_DIR
346 string "Compiler cache location"
347 default "$(HOME)/.buildroot-ccache"
349 Where ccache should store cached files.
350 If the Linux shell environment has defined the BR2_CCACHE_DIR
351 environment variable, then this overrides this configuration
354 config BR2_CCACHE_INITIAL_SETUP
355 string "Compiler cache initial setup"
357 Initial ccache settings to apply, such as --max-files or
360 For example, if your project is known to require more space
361 than the default max cache size, then you might want to
362 increase the cache size to a suitable amount using the -M
365 The string you specify here is passed verbatim to ccache.
366 Refer to ccache documentation for more details.
368 These initial settings are applied after ccache has been
371 config BR2_CCACHE_USE_BASEDIR
372 bool "Use relative paths"
375 Allow ccache to convert absolute paths within the output
376 directory into relative paths.
378 During the build, many -I include directives are given with an
379 absolute path. These absolute paths end up in the hashes that
380 are computed by ccache. Therefore, when you build from a
381 different directory, the hash will be different and the cached
382 object will not be used.
384 To improve cache performance, set this option to y. This
385 allows ccache to rewrite absolute paths within the output
386 directory into relative paths. Note that only paths within the
387 output directory will be rewritten; therefore, if you change
388 BR2_HOST_DIR to point outside the output directory and
389 subsequently move it to a different location, this will lead
392 As a result of this option, the debug information in the
393 object files also has only relative paths. Therefore, make
394 sure you cd to the build directory before starting gdb. See
395 the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache
396 manual for more information.
400 config BR2_ENABLE_DEBUG
401 bool "build packages with debugging symbols"
403 Build packages with debugging symbols enabled. All libraries
404 and binaries in the 'staging' directory will have debugging
405 symbols, which allows remote debugging even if libraries and
406 binaries are stripped on the target. Whether libraries and
407 binaries are stripped on the target is controlled by the
408 BR2_STRIP_* options below.
412 prompt "gcc debug level"
415 Set the debug level for gcc
420 Debug level 1 produces minimal information, enough for making
421 backtraces in parts of the program that you don't plan to
422 debug. This includes descriptions of functions and external
423 variables, but no information about local variables and no
429 The default gcc debug level is 2
434 Level 3 includes extra information, such as all the macro
435 definitions present in the program. Some debuggers support
436 macro expansion when you use -g3.
440 config BR2_ENABLE_RUNTIME_DEBUG
441 bool "build packages with runtime debugging info"
443 Some packages may have runtime assertions, extra traces, and
444 similar runtime elements that can help debugging. However,
445 these elements may negatively influence performance so should
446 normally not be enabled on production systems.
448 Enable this option to enable such runtime debugging.
450 Note: disabling this option is not a guarantee that all
451 packages effectively removed these runtime debugging elements.
453 config BR2_STRIP_strip
454 bool "strip target binaries"
456 depends on BR2_BINFMT_ELF
458 Binaries and libraries in the target filesystem will be
459 stripped using the normal 'strip' command. This saves
460 space, mainly by removing debugging symbols. Debugging symbols
461 on the target are needed for native debugging, but not when
462 remote debugging is used.
464 config BR2_STRIP_EXCLUDE_FILES
465 string "executables that should not be stripped"
467 depends on BR2_STRIP_strip
469 You may specify a space-separated list of binaries and
470 libraries here that should not be stripped on the target.
472 config BR2_STRIP_EXCLUDE_DIRS
473 string "directories that should be skipped when stripping"
475 depends on BR2_STRIP_strip
477 You may specify a space-separated list of directories that
478 should be skipped when stripping. Binaries and libraries in
479 these directories will not be touched. The directories should
480 be specified relative to the target directory, without leading
484 prompt "gcc optimization level"
485 default BR2_OPTIMIZE_2
487 Set the optimization level for gcc
489 config BR2_OPTIMIZE_0
490 bool "optimization level 0"
494 config BR2_OPTIMIZE_1
495 bool "optimization level 1"
497 Optimize. Optimizing compilation takes somewhat more time, and
498 a lot more memory for a large function. With -O, the compiler
499 tries to reduce code size and execution time, without
500 performing any optimizations that take a great deal of
501 compilation time. -O turns on the following optimization
502 flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability
503 -fcprop-registers -floop-optimize -fif-conversion
504 -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts
505 -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename
506 -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O
507 also turns on -fomit-frame-pointer on machines where doing so
508 does not interfere with debugging.
510 config BR2_OPTIMIZE_2
511 bool "optimization level 2"
513 Optimize even more. GCC performs nearly all supported
514 optimizations that do not involve a space-speed tradeoff. The
515 compiler does not perform loop unrolling or function inlining
516 when you specify -O2. As compared to -O, this option increases
517 both compilation time and the performance of the generated
518 code. -O2 turns on all optimization flags specified by -O. It
519 also turns on the following optimization flags:
520 -fthread-jumps -fcrossjumping -foptimize-sibling-calls
521 -fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm
522 -fexpensive-optimizations -fstrength-reduce
523 -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves
524 -fpeephole2 -fschedule-insns -fschedule-insns2
525 -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing
526 -fdelete-null-pointer-checks -freorder-blocks
527 -freorder-functions -falign-functions -falign-jumps
528 -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please
529 note the warning under -fgcse about invoking -O2 on programs
530 that use computed gotos.
533 config BR2_OPTIMIZE_3
534 bool "optimization level 3"
536 Optimize yet more. -O3 turns on all optimizations specified by
537 -O2 and also turns on the -finline-functions, -funswitch-loops
538 and -fgcse-after-reload options.
540 config BR2_OPTIMIZE_G
541 bool "optimize for debugging"
542 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8
544 Optimize for debugging. This enables optimizations that do not
545 interfere with debugging. It should be the optimization level
546 of choice for the standard edit-compile-debug cycle, offering
547 a reasonable level of optimization while maintaining fast
548 compilation and a good debugging experience.
550 config BR2_OPTIMIZE_S
551 bool "optimize for size"
553 Optimize for size. -Os enables all -O2 optimizations that do
554 not typically increase code size. It also performs further
555 optimizations designed to reduce code size. -Os disables the
556 following optimization flags: -falign-functions -falign-jumps
557 -falign-loops -falign-labels -freorder-blocks
558 -freorder-blocks-and-partition -fprefetch-loop-arrays
559 -ftree-vect-loop-version
561 config BR2_OPTIMIZE_FAST
562 bool "optimize for fast (may break packages!)"
563 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6
565 Optimize for fast. Disregard strict standards
566 compliance. -Ofast enables all -O3 optimizations. It also
567 enables optimizations that are not valid for all
568 standard-compliant programs, so be careful, as it may break
569 some packages. It turns on -ffast-math and the
570 Fortran-specific -fstack-arrays, unless -fmax-stack-var-size
571 is specified, and -fno-protect-parens.
575 config BR2_ENABLE_LTO
576 bool "build packages with link-time optimisation"
578 Enable the link-time optimisation (LTO) option when building
579 packages. Link-time optimisation re-runs optimisations at
580 link time, which allows the compiler to do interprocedural
581 analysis across compilation units and thus come with better
582 results: smaller size and better performance.
584 Note that this analysis is limited to statically linked
585 object files and libraries.
587 This option may significantly increase build times,
588 sometimes 5 times longer, with only limited gains.
590 At this time, this option only enables LTO in packages that
591 have an explicit configuration option for it. Other packages
592 always enable LTO, but most packages never enable LTO.
594 config BR2_GOOGLE_BREAKPAD_ENABLE
595 bool "Enable google-breakpad support"
596 depends on BR2_INSTALL_LIBSTDCPP
597 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_7 # C++17
598 depends on BR2_USE_WCHAR
599 depends on BR2_TOOLCHAIN_HAS_THREADS
600 depends on BR2_TOOLCHAIN_USES_GLIBC
601 depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS
602 depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS
603 select BR2_PACKAGE_GOOGLE_BREAKPAD
605 This option will enable the use of google breakpad, a library
606 and tool suite that allows you to distribute an application to
607 users with compiler-provided debugging information removed,
608 record crashes in compact "minidump" files, send them back to
609 your server and produce C and C++ stack traces from these
610 minidumps. Breakpad can also write minidumps on request for
611 programs that have not crashed.
613 if BR2_GOOGLE_BREAKPAD_ENABLE
615 config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
616 string "List of executables and libraries to extract symbols from"
619 You may specify a space-separated list of binaries and
620 libraries with full paths relative to $(TARGET_DIR) of which
621 debug symbols will be dumped for further use with google
624 A directory structure that can be used by minidump-stackwalk
627 $(STAGING_DIR)/usr/share/google-breakpad-symbols
633 default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
634 default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
636 Select the type of libraries you want to use on the target.
638 The default is to build dynamic libraries and use those on the
639 target filesystem, except when the architecture and/or the
640 selected binary format does not support shared libraries.
642 config BR2_STATIC_LIBS
644 depends on !BR2_TOOLCHAIN_USES_GLIBC
646 Build and use only static libraries. No shared libraries will
647 be installed on the target. This potentially increases your
648 code size and should only be used if you know what you are
649 doing. Note that some packages may not be available when this
650 option is enabled, due to their need for dynamic library
653 comment "static only needs a toolchain w/ uclibc or musl"
654 depends on BR2_TOOLCHAIN_USES_GLIBC
656 config BR2_SHARED_LIBS
658 depends on BR2_BINFMT_SUPPORTS_SHARED
660 Build and use only shared libraries. This is the recommended
661 solution as it saves space and build time.
663 config BR2_SHARED_STATIC_LIBS
664 bool "both static and shared"
665 depends on BR2_BINFMT_SUPPORTS_SHARED
667 Build both shared and static libraries, but link executables
668 dynamically. While building both shared and static libraries
669 takes more time and more disk space, having static libraries
670 may be useful to link some of the applications statically.
674 config BR2_PACKAGE_OVERRIDE_FILE
675 string "location of a package override file"
676 default "$(CONFIG_DIR)/local.mk"
678 A package override file is a short makefile that contains
679 variable definitions of the form <pkg>_OVERRIDE_SRCDIR, which
680 tell Buildroot to use an existing directory as the
681 source directory for a particular package. See the Buildroot
682 documentation for more details on this feature.
684 config BR2_GLOBAL_PATCH_DIR
685 string "global patch and hash directories"
687 You may specify a space separated list of one or more
688 directories containing global package patches and/or hashes.
689 For a specific version <packageversion> of a specific package
690 <packagename>, patches are looked up as follows:
692 First, the default Buildroot patch set for the package is
693 applied from the package's directory in Buildroot.
695 Then for every directory - <global-patch-dir> - that exists in
696 BR2_GLOBAL_PATCH_DIR, if the directory
697 <global-patch-dir>/<packagename>/<packageversion>/ exists,
698 then all *.patch files in this directory will be applied.
700 Otherwise, if the directory <global-patch-dir>/<packagename>
701 exists, then all *.patch files in the directory will be
704 The hash files are looked up similarly to the patches.
708 config BR2_FORCE_HOST_BUILD
709 bool "Force the building of host dependencies"
711 Build all available host dependencies, even if they are
712 already installed on the system.
714 This option can be used to ensure that the download cache of
715 source archives for packages remains consistent between
716 different build hosts.
718 This option will increase build time.
720 config BR2_DOWNLOAD_FORCE_CHECK_HASHES
721 bool "Force all downloads to have a valid hash"
723 Say 'y' here to enforce downloads to have at least one valid
724 hash (and of course, that all hashes be valid).
726 By default, Buildroot checks hashes of all packages
727 downloaded, except those for which a custom version is
730 With this option turned on, Buildroot will check hashes of
731 all packages, including those that use a custom version. In
732 order to provide hashes for such packages, place additional
733 hash files in BR2_GLOBAL_PATCH_DIR directories.
735 config BR2_REPRODUCIBLE
736 bool "Make the build reproducible (experimental)"
737 # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4
738 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4
740 This option will remove all sources of non-reproducibility
741 from the build process. For a given Buildroot configuration,
742 this makes it possible to generate exactly identical binaries from one
743 build to the other, including on different machines.
745 The current implementation is restricted to builds with the
746 same output directory. Many (absolute) paths are recorded in
747 intermediary files, and it is very likely that some of these
748 paths leak into the target rootfs. If you build with the
749 same O=... path, however, the result is identical.
751 This is labeled as an experimental feature, as not all
752 packages behave properly to ensure reproducibility.
754 config BR2_PER_PACKAGE_DIRECTORIES
755 bool "Use per-package directories (experimental)"
757 This option will change the build process of Buildroot
758 packages to use per-package target and host directories.
760 This is useful for two related purposes:
762 - Cleanly isolate the build of each package, so that a
763 given package only "sees" the dependencies it has
764 explicitly expressed, and not other packages that may
765 have by chance been built before.
767 - Enable top-level parallel build.
769 This is labeled as an experimental feature, as not all
770 packages behave properly with per-package directories.
774 config BR2_TIME_BITS_64
775 bool "Build Y2038-ready code"
776 depends on BR2_TOOLCHAIN_USES_GLIBC && !BR2_ARCH_IS_64
778 This option will pass -D_TIME_BITS=64 in the compiler flags
779 to ensure the glibc C library uses a 64-bit representation
780 for time_t and other time types, which ensures that
781 programs/libraries will correctly handle time past year
784 This option only has an effect with glibc >= 2.34, as
785 earlier glibc versions did not have support for 64-bit
788 comment "Security Hardening Options"
790 config BR2_PIC_PIE_ARCH_SUPPORTS
793 # Microblaze glibc toolchains don't work with PIC/PIE enabled
794 depends on !BR2_microblaze
795 # Nios2 toolchains produce non working binaries with -fPIC
796 depends on !BR2_nios2
799 bool "Build code with PIC/PIE"
801 depends on BR2_PIC_PIE_ARCH_SUPPORTS
802 depends on BR2_SHARED_LIBS
803 depends on BR2_TOOLCHAIN_SUPPORTS_PIE
805 Generate Position-Independent Code (PIC) and link
806 Position-Independent Executables (PIE).
808 comment "PIC/PIE needs a toolchain w/ PIE"
809 depends on BR2_PIC_PIE_ARCH_SUPPORTS
810 depends on BR2_SHARED_LIBS
811 depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
814 bool "Stack Smashing Protection"
815 default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
816 default BR2_SSP_STRONG if BR2_TOOLCHAIN_HAS_SSP_STRONG
817 default BR2_SSP_REGULAR
818 depends on BR2_TOOLCHAIN_HAS_SSP
820 Enable stack smashing protection support using GCC's
821 -fstack-protector option family.
824 http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
827 Note that this requires the toolchain to have SSP support.
828 This is always the case for glibc and eglibc toolchains, but is
829 optional in uClibc toolchains.
834 Disable stack-smashing protection.
836 config BR2_SSP_REGULAR
837 bool "-fstack-protector"
839 Emit extra code to check for buffer overflows, such as stack
840 smashing attacks. This is done by adding a guard variable to
841 functions with vulnerable objects. This includes functions
842 that call alloca, and functions with buffers larger than 8
843 bytes. The guards are initialized when a function is entered
844 and then checked when the function exits. If a guard check
845 fails, an error message is printed and the program exits.
847 config BR2_SSP_STRONG
848 bool "-fstack-protector-strong"
849 depends on BR2_TOOLCHAIN_HAS_SSP_STRONG
851 Like -fstack-protector but includes additional functions to be
852 protected - those that have local array definitions, or have
853 references to local frame addresses.
855 -fstack-protector-strong officially appeared in gcc 4.9, but
856 some vendors have backported -fstack-protector-strong to older
860 bool "-fstack-protector-all"
862 Like -fstack-protector except that all functions are
863 protected. This option might have a significant performance
864 impact on the compiled binaries.
868 config BR2_SSP_OPTION
870 default "-fstack-protector" if BR2_SSP_REGULAR
871 default "-fstack-protector-strong" if BR2_SSP_STRONG
872 default "-fstack-protector-all" if BR2_SSP_ALL
874 comment "Stack Smashing Protection needs a toolchain w/ SSP"
875 depends on !BR2_TOOLCHAIN_HAS_SSP
878 bool "RELRO Protection"
879 default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE
880 default BR2_RELRO_PARTIAL
881 depends on BR2_SHARED_LIBS
883 Enable a link-time protection known as RELRO (RELocation Read
884 Only) which helps to protect from certain types of exploitation
885 techniques altering the content of some ELF sections.
887 config BR2_RELRO_NONE
890 Disables Relocation link-time protections.
892 config BR2_RELRO_PARTIAL
895 This option makes the dynamic section not writeable after
896 initialization (with almost no performance penalty).
898 config BR2_RELRO_FULL
900 depends on BR2_PIC_PIE_ARCH_SUPPORTS
901 depends on BR2_TOOLCHAIN_SUPPORTS_PIE
904 This option includes the partial configuration, but also marks
905 the GOT as read-only at the cost of initialization time during
906 program loading, i.e. every time an executable is started.
908 comment "RELRO Full needs a toolchain w/ PIE"
909 depends on BR2_PIC_PIE_ARCH_SUPPORTS
910 depends on !BR2_TOOLCHAIN_SUPPORTS_PIE
914 comment "RELocation Read Only (RELRO) needs shared libraries"
915 depends on !BR2_SHARED_LIBS
917 config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
920 # Microblaze glibc toolchains don't work with Fortify Source enabled
921 depends on !BR2_microblaze
924 bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
925 default BR2_FORTIFY_SOURCE_1
926 depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
927 depends on BR2_TOOLCHAIN_USES_GLIBC
928 depends on !BR2_OPTIMIZE_0
930 Enable the _FORTIFY_SOURCE macro which introduces additional
931 checks to detect buffer-overflows in the following standard
932 library functions: memcpy, mempcpy, memmove, memset, strcpy,
933 stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf,
936 NOTE: This feature requires an optimization level of s/1/2/3/g
938 Support for this feature has been present since GCC 4.x.
940 config BR2_FORTIFY_SOURCE_NONE
943 Disables additional checks to detect buffer-overflows.
945 config BR2_FORTIFY_SOURCE_1
947 # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
948 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
950 This option sets _FORTIFY_SOURCE to 1 and only introduces
951 checks that shouldn't change the behavior of conforming
952 programs. Adds checks at compile-time only.
954 config BR2_FORTIFY_SOURCE_2
956 # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164
957 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6
959 This option sets _FORTIFY_SOURCE to 2 and some more
960 checking is added, but some conforming programs might fail.
961 Also adds checks at run-time (detected buffer overflow
962 terminates the program)
964 config BR2_FORTIFY_SOURCE_3
966 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
968 This option sets _FORTIFY_SOURCE to 3 and even more
969 checking is added compared to level 2. Extends checks at
970 run-time that can introduce an additional performance
975 comment "Fortify Source needs a glibc toolchain and optimization"
976 depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
977 depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
980 source "system/Config.in"
982 source "linux/Config.in"
984 source "package/Config.in"
986 source "fs/Config.in"
988 source "boot/Config.in"
990 source "package/Config.in.host"
992 source "Config.in.legacy"
994 # br2-external menus definitions
995 source "$BR2_BASE_DIR/.br2-external.in.menus"