# mainmenu "Buildroot $BR2_VERSION Configuration" config BR2_HAVE_DOT_CONFIG bool default y config BR2_VERSION string option env="BR2_VERSION_FULL" config BR2_HOSTARCH string option env="HOSTARCH" config BR2_BASE_DIR string option env="BASE_DIR" # br2-external paths definitions source "$BR2_BASE_DIR/.br2-external.in.paths" # Hidden config symbols for packages to check system gcc version config BR2_HOST_GCC_VERSION string option env="HOST_GCC_VERSION" config BR2_HOST_GCC_AT_LEAST_4_9 bool default y if BR2_HOST_GCC_VERSION = "4 9" config BR2_HOST_GCC_AT_LEAST_5 bool default y if BR2_HOST_GCC_VERSION = "5" select BR2_HOST_GCC_AT_LEAST_4_9 config BR2_HOST_GCC_AT_LEAST_6 bool default y if BR2_HOST_GCC_VERSION = "6" select BR2_HOST_GCC_AT_LEAST_5 config BR2_HOST_GCC_AT_LEAST_7 bool default y if BR2_HOST_GCC_VERSION = "7" select BR2_HOST_GCC_AT_LEAST_6 config BR2_HOST_GCC_AT_LEAST_8 bool default y if BR2_HOST_GCC_VERSION = "8" select BR2_HOST_GCC_AT_LEAST_7 config BR2_HOST_GCC_AT_LEAST_9 bool default y if BR2_HOST_GCC_VERSION = "9" select BR2_HOST_GCC_AT_LEAST_8 config BR2_HOST_GCC_AT_LEAST_10 bool default y if BR2_HOST_GCC_VERSION = "10" select BR2_HOST_GCC_AT_LEAST_9 config BR2_HOST_GCC_AT_LEAST_11 bool default y if BR2_HOST_GCC_VERSION = "11" select BR2_HOST_GCC_AT_LEAST_10 # When adding new entries above, be sure to update # the HOSTCC_MAX_VERSION variable in the Makefile. # Hidden boolean selected by packages in need of Java in order to build # (example: kodi) config BR2_NEEDS_HOST_JAVA bool # Hidden boolean selected by pre-built packages for x86, when they # need to run on x86-64 machines (example: pre-built external # toolchains, binary tools, etc.). config BR2_HOSTARCH_NEEDS_IA32_LIBS bool # Hidden boolean selected by packages that need to build 32 bits # binaries with the host compiler, even on 64 bits build machines (e.g # bootloaders). config BR2_HOSTARCH_NEEDS_IA32_COMPILER bool # Hidden boolean selected by packages that need the host to have an # UTF8 locale. config BR2_NEEDS_HOST_UTF8_LOCALE bool # Hidden boolean selected by packages that need the host to have # support for building gcc plugins config BR2_NEEDS_HOST_GCC_PLUGIN_SUPPORT bool source "arch/Config.in" source "toolchain/Config.in" menu "Build options" menu "Commands" config BR2_WGET string "Wget command" default "wget --passive-ftp -nd -t 3" config BR2_SVN string "Subversion (svn) command" default "svn --non-interactive" config BR2_BZR string "Bazaar (bzr) command" default "bzr" config BR2_GIT string "Git command" default "git" config BR2_CVS string "CVS command" default "cvs" config BR2_LOCALFILES string "Local files retrieval command" default "cp" config BR2_SCP string "Secure copy (scp) command" default "scp" config BR2_SFTP string "Secure file transfer (sftp) command" default "sftp" config BR2_HG string "Mercurial (hg) command" default "hg" config BR2_ZCAT string "zcat command" default "gzip -d -c" help Command to be used to extract a gzip'ed file to stdout. zcat is identical to gunzip -c except that the former may not be available on your system. Default is "gzip -d -c" Other possible values include "gunzip -c" or "zcat". config BR2_BZCAT string "bzcat command" default "bzcat" help Command to be used to extract a bzip2'ed file to stdout. bzcat is identical to bunzip2 -c except that the former may not be available on your system. Default is "bzcat" Other possible values include "bunzip2 -c" or "bzip2 -d -c". config BR2_XZCAT string "xzcat command" default "xzcat" help Command to be used to extract a xz'ed file to stdout. Default is "xzcat" config BR2_LZCAT string "lzcat command" default "lzip -d -c" help Command to be used to extract a lzip'ed file to stdout. Default is "lzip -d -c" config BR2_TAR_OPTIONS string "Tar options" default "" help Options to pass to tar when extracting the sources. E.g. " -v --exclude='*.svn*'" to exclude all .svn internal files and to be verbose. endmenu config BR2_DEFCONFIG_FROM_ENV string option env="BR2_DEFCONFIG" config BR2_DEFCONFIG string "Location to save buildroot config" default BR2_DEFCONFIG_FROM_ENV if BR2_DEFCONFIG_FROM_ENV != "" default "$(CONFIG_DIR)/defconfig" help When running 'make savedefconfig', the defconfig file will be saved in this location. config BR2_DL_DIR string "Download dir" default "$(TOPDIR)/dl" help Directory to store all the source files that we need to fetch. If the Linux shell environment has defined the BR2_DL_DIR environment variable, then this overrides this configuration item. The directory is organized with a subdirectory for each package. Each package has its own $(LIBFOO_DL_DIR) variable that can be used to find the correct path. The default is $(TOPDIR)/dl config BR2_HOST_DIR string "Host dir" default "$(BASE_DIR)/host" help Directory to store all the binary files that are built for the host. This includes the cross compilation toolchain when building the internal buildroot toolchain. The default is $(BASE_DIR)/host menu "Mirrors and Download locations" config BR2_PRIMARY_SITE string "Primary download site" default "" help Primary site to download from. If this option is set then buildroot will try to download package source first from this site and try the default if the file is not found. Valid URIs are: - URIs recognized by $(WGET) - local URIs of the form file://absolutepath - scp URIs of the form scp://[user@]host:path. config BR2_PRIMARY_SITE_ONLY bool "Only allow downloads from primary download site" depends on BR2_PRIMARY_SITE != "" help If this option is enabled, downloads will only be attempted from the primary download site. Other locations, like the package's official download location or the backup download site, will not be considered. Therefore, if the package is not present on the primary site, the download fails. This is useful for project developers who want to ensure that the project can be built even if the upstream tarball locations disappear. if !BR2_PRIMARY_SITE_ONLY config BR2_BACKUP_SITE string "Backup download site" default "https://sources.buildroot.net" help Backup site to download from. If this option is set then buildroot will fall back to download package sources from here if the normal location fails. config BR2_KERNEL_MIRROR string "Kernel.org mirror" default "https://cdn.kernel.org/pub" help kernel.org is mirrored on a number of servers around the world. The following allows you to select your preferred mirror. By default, a CDN is used, which automatically redirects to a mirror geographically close to you. Have a look on the kernel.org site for a list of mirrors, then enter the URL to the base directory. Examples: http://www.XX.kernel.org/pub (XX = country code) http://mirror.aarnet.edu.au/pub/ftp.kernel.org config BR2_GNU_MIRROR string "GNU Software mirror" default "http://ftpmirror.gnu.org" help GNU has multiple software mirrors scattered around the world. The following allows you to select your preferred mirror. By default, a generic address is used, which automatically selects an up-to-date and local mirror. Have a look on the gnu.org site for a list of mirrors, then enter the URL to the base directory. Examples: http://ftp.gnu.org/pub/gnu http://mirror.aarnet.edu.au/pub/gnu config BR2_LUAROCKS_MIRROR string "LuaRocks mirror" default "http://rocks.moonscript.org" help LuaRocks repository. See http://luarocks.org config BR2_CPAN_MIRROR string "CPAN mirror (Perl packages)" default "https://cpan.metacpan.org" help CPAN (Comprehensive Perl Archive Network) is a repository of Perl packages. It has multiple software mirrors scattered around the world. This option allows you to select a mirror. The list of mirrors is available at: http://mirrors.cpan.org/ (tabular) http://mirrors.cpan.org/map.html (clickable world map) endif endmenu config BR2_JLEVEL int "Number of jobs to run simultaneously (0 for auto)" default "0" help Number of jobs to run simultaneously. If 0, determine automatically according to number of CPUs on the host system. comment "ccache needs a host gcc >= 8" depends on !BR2_HOST_GCC_AT_LEAST_8 config BR2_CCACHE bool "Enable compiler cache" depends on BR2_HOST_GCC_AT_LEAST_8 help This option will enable the use of ccache, a compiler cache. It will cache the result of previous builds to speed up future builds. By default, the cache is stored in $HOME/.buildroot-ccache. Note that Buildroot does not try to invalidate the cache contents when the compiler changes in an incompatible way. Therefore, if you make a change to the compiler version and/or configuration, you are responsible for purging the ccache cache by removing the $HOME/.buildroot-ccache directory. if BR2_CCACHE config BR2_CCACHE_DIR string "Compiler cache location" default "$(HOME)/.buildroot-ccache" help Where ccache should store cached files. If the Linux shell environment has defined the BR2_CCACHE_DIR environment variable, then this overrides this configuration item. config BR2_CCACHE_INITIAL_SETUP string "Compiler cache initial setup" help Initial ccache settings to apply, such as --max-files or --max-size. For example, if your project is known to require more space than the default max cache size, then you might want to increase the cache size to a suitable amount using the -M (--max-size) option. The string you specify here is passed verbatim to ccache. Refer to ccache documentation for more details. These initial settings are applied after ccache has been compiled. config BR2_CCACHE_USE_BASEDIR bool "Use relative paths" default y help Allow ccache to convert absolute paths within the output directory into relative paths. During the build, many -I include directives are given with an absolute path. These absolute paths end up in the hashes that are computed by ccache. Therefore, when you build from a different directory, the hash will be different and the cached object will not be used. To improve cache performance, set this option to y. This allows ccache to rewrite absolute paths within the output directory into relative paths. Note that only paths within the output directory will be rewritten; therefore, if you change BR2_HOST_DIR to point outside the output directory and subsequently move it to a different location, this will lead to cache misses. This option has as a result that the debug information in the object files also has only relative paths. Therefore, make sure you cd to the build directory before starting gdb. See the section "COMPILING IN DIFFERENT DIRECTORIES" in the ccache manual for more information. endif config BR2_ENABLE_DEBUG bool "build packages with debugging symbols" help Build packages with debugging symbols enabled. All libraries and binaries in the 'staging' directory will have debugging symbols, which allows remote debugging even if libraries and binaries are stripped on the target. Whether libraries and binaries are stripped on the target is controlled by the BR2_STRIP_* options below. if BR2_ENABLE_DEBUG choice prompt "gcc debug level" default BR2_DEBUG_2 help Set the debug level for gcc config BR2_DEBUG_1 bool "debug level 1" help Debug level 1 produces minimal information, enough for making backtraces in parts of the program that you don't plan to debug. This includes descriptions of functions and external variables, but no information about local variables and no line numbers. config BR2_DEBUG_2 bool "debug level 2" help The default gcc debug level is 2 config BR2_DEBUG_3 bool "debug level 3" help Level 3 includes extra information, such as all the macro definitions present in the program. Some debuggers support macro expansion when you use -g3. endchoice endif config BR2_ENABLE_RUNTIME_DEBUG bool "build packages with runtime debugging info" help Some packages may have runtime assertions, extra traces, and similar runtime elements that can help debugging. However, these elements may negatively influence performance so should normally not be enabled on production systems. Enable this option to enable such runtime debugging. Note: disabling this option is not a guarantee that all packages effectively removed these runtime debugging elements. config BR2_STRIP_strip bool "strip target binaries" default y depends on BR2_BINFMT_ELF help Binaries and libraries in the target filesystem will be stripped using the normal 'strip' command. This allows to save space, mainly by removing debugging symbols. Debugging symbols on the target are needed for native debugging, but not when remote debugging is used. config BR2_STRIP_EXCLUDE_FILES string "executables that should not be stripped" default "" depends on BR2_STRIP_strip help You may specify a space-separated list of binaries and libraries here that should not be stripped on the target. config BR2_STRIP_EXCLUDE_DIRS string "directories that should be skipped when stripping" default "" depends on BR2_STRIP_strip help You may specify a space-separated list of directories that should be skipped when stripping. Binaries and libraries in these directories will not be touched. The directories should be specified relative to the target directory, without leading slash. choice prompt "gcc optimization level" default BR2_OPTIMIZE_2 help Set the optimization level for gcc config BR2_OPTIMIZE_0 bool "optimization level 0" help Do not optimize. config BR2_OPTIMIZE_1 bool "optimization level 1" help Optimize. Optimizing compilation takes somewhat more time, and a lot more memory for a large function. With -O, the compiler tries to reduce code size and execution time, without performing any optimizations that take a great deal of compilation time. -O turns on the following optimization flags: -fdefer-pop -fdelayed-branch -fguess-branch-probability -fcprop-registers -floop-optimize -fif-conversion -fif-conversion2 -ftree-ccp -ftree-dce -ftree-dominator-opts -ftree-dse -ftree-ter -ftree-lrs -ftree-sra -ftree-copyrename -ftree-fre -ftree-ch -funit-at-a-time -fmerge-constants. -O also turns on -fomit-frame-pointer on machines where doing so does not interfere with debugging. config BR2_OPTIMIZE_2 bool "optimization level 2" help Optimize even more. GCC performs nearly all supported optimizations that do not involve a space-speed tradeoff. The compiler does not perform loop unrolling or function inlining when you specify -O2. As compared to -O, this option increases both compilation time and the performance of the generated code. -O2 turns on all optimization flags specified by -O. It also turns on the following optimization flags: -fthread-jumps -fcrossjumping -foptimize-sibling-calls -fcse-follow-jumps -fcse-skip-blocks -fgcse -fgcse-lm -fexpensive-optimizations -fstrength-reduce -frerun-cse-after-loop -frerun-loop-opt -fcaller-saves -fpeephole2 -fschedule-insns -fschedule-insns2 -fsched-interblock -fsched-spec -fregmove -fstrict-aliasing -fdelete-null-pointer-checks -freorder-blocks -freorder-functions -falign-functions -falign-jumps -falign-loops -falign-labels -ftree-vrp -ftree-pre. Please note the warning under -fgcse about invoking -O2 on programs that use computed gotos. This is the default. config BR2_OPTIMIZE_3 bool "optimization level 3" help Optimize yet more. -O3 turns on all optimizations specified by -O2 and also turns on the -finline-functions, -funswitch-loops and -fgcse-after-reload options. config BR2_OPTIMIZE_G bool "optimize for debugging" depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 help Optimize for debugging. This enables optimizations that do not interfere with debugging. It should be the optimization level of choice for the standard edit-compile-debug cycle, offering a reasonable level of optimization while maintaining fast compilation and a good debugging experience. config BR2_OPTIMIZE_S bool "optimize for size" help Optimize for size. -Os enables all -O2 optimizations that do not typically increase code size. It also performs further optimizations designed to reduce code size. -Os disables the following optimization flags: -falign-functions -falign-jumps -falign-loops -falign-labels -freorder-blocks -freorder-blocks-and-partition -fprefetch-loop-arrays -ftree-vect-loop-version config BR2_OPTIMIZE_FAST bool "optimize for fast (may break packages!)" depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_6 help Optimize for fast. Disregard strict standards compliance. -Ofast enables all -O3 optimizations. It also enables optimizations that are not valid for all standard-compliant programs, so be careful, as it may break some packages. It turns on -ffast-math and the Fortran-specific -fstack-arrays, unless -fmax-stack-var-size is specified, and -fno-protect-parens. endchoice config BR2_ENABLE_LTO bool "build packages with link-time optimisation" help Enable the link-time optimisation (LTO) option when building packages. Link-time optimisation re-runs optimisations at link time, which allows the compiler to do interprocedural analysis across compilation units and thus come with better results: smaller size and better performance. Note that this analysis is limited to statically linked object files and libraries. This option may significantly increase build times, sometimes 5 times longer, with only limited gains. At this time, this option only enables LTO in packages that have an explicit configuration option for it. Other packages always enable LTO, but most packages never enable LTO. config BR2_GOOGLE_BREAKPAD_ENABLE bool "Enable google-breakpad support" depends on BR2_INSTALL_LIBSTDCPP depends on BR2_TOOLCHAIN_GCC_AT_LEAST_7 # C++17 depends on BR2_USE_WCHAR depends on BR2_TOOLCHAIN_HAS_THREADS depends on BR2_TOOLCHAIN_USES_GLIBC depends on BR2_PACKAGE_GOOGLE_BREAKPAD_ARCH_SUPPORTS depends on BR2_PACKAGE_HOST_GOOGLE_BREAKPAD_ARCH_SUPPORTS select BR2_PACKAGE_GOOGLE_BREAKPAD help This option will enable the use of google breakpad, a library and tool suite that allows you to distribute an application to users with compiler-provided debugging information removed, record crashes in compact "minidump" files, send them back to your server and produce C and C++ stack traces from these minidumps. Breakpad can also write minidumps on request for programs that have not crashed. if BR2_GOOGLE_BREAKPAD_ENABLE config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES string "List of executables and libraries to extract symbols from" default "" help You may specify a space-separated list of binaries and libraries with full paths relative to $(TARGET_DIR) of which debug symbols will be dumped for further use with google breakpad. A directory structure that can be used by minidump-stackwalk will be created at: $(STAGING_DIR)/usr/share/google-breakpad-symbols endif choice bool "libraries" default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED help Select the type of libraries you want to use on the target. The default is to build dynamic libraries and use those on the target filesystem, except when the architecture and/or the selected binary format does not support shared libraries. config BR2_STATIC_LIBS bool "static only" depends on !BR2_TOOLCHAIN_USES_GLIBC help Build and use only static libraries. No shared libraries will be installed on the target. This potentially increases your code size and should only be used if you know what you are doing. Note that some packages may not be available when this option is enabled, due to their need for dynamic library support. comment "static only needs a toolchain w/ uclibc or musl" depends on BR2_TOOLCHAIN_USES_GLIBC config BR2_SHARED_LIBS bool "shared only" depends on BR2_BINFMT_SUPPORTS_SHARED help Build and use only shared libraries. This is the recommended solution as it saves space and build time. config BR2_SHARED_STATIC_LIBS bool "both static and shared" depends on BR2_BINFMT_SUPPORTS_SHARED help Build both shared and static libraries, but link executables dynamically. While building both shared and static libraries take more time and more disk space, having static libraries may be useful to link some of the applications statically. endchoice config BR2_PACKAGE_OVERRIDE_FILE string "location of a package override file" default "$(CONFIG_DIR)/local.mk" help A package override file is a short makefile that contains variable definitions of the form _OVERRIDE_SRCDIR, which allows to tell Buildroot to use an existing directory as the source directory for a particular package. See the Buildroot documentation for more details on this feature. config BR2_GLOBAL_PATCH_DIR string "global patch and hash directories" help You may specify a space separated list of one or more directories containing global package patches and/or hashes. For a specific version of a specific package , patches are looked up as follows: First, the default Buildroot patch set for the package is applied from the package's directory in Buildroot. Then for every directory - - that exists in BR2_GLOBAL_PATCH_DIR, if the directory /// exists, then all *.patch files in this directory will be applied. Otherwise, if the directory / exists, then all *.patch files in the directory will be applied. The hash files are looked up similarly to the patches. menu "Advanced" config BR2_FORCE_HOST_BUILD bool "Force the building of host dependencies" help Build all available host dependencies, even if they are already installed on the system. This option can be used to ensure that the download cache of source archives for packages remain consistent between different build hosts. This option will increase build time. config BR2_DOWNLOAD_FORCE_CHECK_HASHES bool "Force all downloads to have a valid hash" help Say 'y' here to enforce downloads to have at least one valid hash (and of course, that all hashes be valid). By default, Buildroot checks hashes of all packages downloaded, except those for which a custom version is used. With this option turned on, Buildroot will check hashes of all packages, including those that use a custom version. In order to provide hashes for such packages, place additional hash files in BR2_GLOBAL_PATCH_DIR directories. config BR2_REPRODUCIBLE bool "Make the build reproducible (experimental)" # SOURCE_DATE_EPOCH support in toolchain-wrapper requires GCC 4.4 depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_4 help This option will remove all sources of non-reproducibility from the build process. For a given Buildroot configuration, this allows to generate exactly identical binaries from one build to the other, including on different machines. The current implementation is restricted to builds with the same output directory. Many (absolute) paths are recorded in intermediary files, and it is very likely that some of these paths leak into the target rootfs. If you build with the same O=... path, however, the result is identical. This is labeled as an experimental feature, as not all packages behave properly to ensure reproducibility. config BR2_PER_PACKAGE_DIRECTORIES bool "Use per-package directories (experimental)" help This option will change the build process of Buildroot package to use per-package target and host directories. This is useful for two related purposes: - Cleanly isolate the build of each package, so that a given package only "sees" the dependencies it has explicitly expressed, and not other packages that may have by chance been built before. - Enable top-level parallel build. This is labeled as an experimental feature, as not all packages behave properly with per-package directories. endmenu config BR2_TIME_BITS_64 bool "Build Y2038-ready code" depends on BR2_TOOLCHAIN_USES_GLIBC && !BR2_ARCH_IS_64 help This option will pass -D_TIME_BITS=64 in the compiler flags to ensure the glibc C library uses a 64-bit representation for time_t and other time types, which ensures that programs/libraries will correctly handle time past year 2038. This option only has an effect with glibc >= 2.34, as earlier glibc versions did not have support for 64-bit time_t. comment "Security Hardening Options" config BR2_PIC_PIE_ARCH_SUPPORTS bool default y # Microblaze glibc toolchains don't work with PIC/PIE enabled depends on !BR2_microblaze # Nios2 toolchains produce non working binaries with -fPIC depends on !BR2_nios2 config BR2_PIC_PIE bool "Build code with PIC/PIE" default y depends on BR2_PIC_PIE_ARCH_SUPPORTS depends on BR2_SHARED_LIBS depends on BR2_TOOLCHAIN_SUPPORTS_PIE help Generate Position-Independent Code (PIC) and link Position-Independent Executables (PIE). comment "PIC/PIE needs a toolchain w/ PIE" depends on BR2_PIC_PIE_ARCH_SUPPORTS depends on BR2_SHARED_LIBS depends on !BR2_TOOLCHAIN_SUPPORTS_PIE choice bool "Stack Smashing Protection" default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy default BR2_SSP_STRONG if BR2_TOOLCHAIN_HAS_SSP_STRONG default BR2_SSP_REGULAR depends on BR2_TOOLCHAIN_HAS_SSP help Enable stack smashing protection support using GCC's -fstack-protector option family. See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt for details. Note that this requires the toolchain to have SSP support. This is always the case for glibc and eglibc toolchain, but is optional in uClibc toolchains. config BR2_SSP_NONE bool "None" help Disable stack-smashing protection. config BR2_SSP_REGULAR bool "-fstack-protector" help Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits. config BR2_SSP_STRONG bool "-fstack-protector-strong" depends on BR2_TOOLCHAIN_HAS_SSP_STRONG help Like -fstack-protector but includes additional functions to be protected - those that have local array definitions, or have references to local frame addresses. -fstack-protector-strong officially appeared in gcc 4.9, but some vendors have backported -fstack-protector-strong to older versions of gcc. config BR2_SSP_ALL bool "-fstack-protector-all" help Like -fstack-protector except that all functions are protected. This option might have a significant performance impact on the compiled binaries. endchoice config BR2_SSP_OPTION string default "-fstack-protector" if BR2_SSP_REGULAR default "-fstack-protector-strong" if BR2_SSP_STRONG default "-fstack-protector-all" if BR2_SSP_ALL comment "Stack Smashing Protection needs a toolchain w/ SSP" depends on !BR2_TOOLCHAIN_HAS_SSP choice bool "RELRO Protection" default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE default BR2_RELRO_PARTIAL depends on BR2_SHARED_LIBS help Enable a link-time protection know as RELRO (RELocation Read Only) which helps to protect from certain type of exploitation techniques altering the content of some ELF sections. config BR2_RELRO_NONE bool "None" help Disables Relocation link-time protections. config BR2_RELRO_PARTIAL bool "Partial" help This option makes the dynamic section not writeable after initialization (with almost no performance penalty). config BR2_RELRO_FULL bool "Full" depends on BR2_PIC_PIE_ARCH_SUPPORTS depends on BR2_TOOLCHAIN_SUPPORTS_PIE select BR2_PIC_PIE help This option includes the partial configuration, but also marks the GOT as read-only at the cost of initialization time during program loading, i.e every time an executable is started. comment "RELRO Full needs a toolchain w/ PIE" depends on BR2_PIC_PIE_ARCH_SUPPORTS depends on !BR2_TOOLCHAIN_SUPPORTS_PIE endchoice comment "RELocation Read Only (RELRO) needs shared libraries" depends on !BR2_SHARED_LIBS config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS bool default y # Microblaze glibc toolchains don't work with Fortify Source enabled depends on !BR2_microblaze choice bool "Buffer-overflow Detection (FORTIFY_SOURCE)" default BR2_FORTIFY_SOURCE_1 depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS depends on BR2_TOOLCHAIN_USES_GLIBC depends on !BR2_OPTIMIZE_0 help Enable the _FORTIFY_SOURCE macro which introduces additional checks to detect buffer-overflows in the following standard library functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets. NOTE: This feature requires an optimization level of s/1/2/3/g Support for this feature has been present since GCC 4.x. config BR2_FORTIFY_SOURCE_NONE bool "None" help Disables additional checks to detect buffer-overflows. config BR2_FORTIFY_SOURCE_1 bool "Conservative" # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6 help This option sets _FORTIFY_SOURCE to 1 and only introduces checks that shouldn't change the behavior of conforming programs. Adds checks at compile-time only. config BR2_FORTIFY_SOURCE_2 bool "Aggressive" # gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61164 depends on !BR2_TOOLCHAIN_BUILDROOT || BR2_TOOLCHAIN_GCC_AT_LEAST_6 help This option sets _FORTIFY_SOURCES to 2 and some more checking is added, but some conforming programs might fail. Also adds checks at run-time (detected buffer overflow terminates the program) config BR2_FORTIFY_SOURCE_3 bool "Extended" depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12 help This option sets _FORTIFY_SOURCES to 3 and even more checking is added compared to level 2. Extends checks at run-time that can introduce an additional performance overhead. endchoice comment "Fortify Source needs a glibc toolchain and optimization" depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0) endmenu source "system/Config.in" source "linux/Config.in" source "package/Config.in" source "fs/Config.in" source "boot/Config.in" source "package/Config.in.host" source "Config.in.legacy" # br2-external menus definitions source "$BR2_BASE_DIR/.br2-external.in.menus"