config/Config-build.in

# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2006-2013 OpenWrt.org
# Copyright (C) 2016 LEDE Project

config EXPERIMENTAL
	bool "Enable experimental features by default"
	help
	  Set this option to build with latest bleeding edge features
	  which may or may not work as expected.
	  If you would like to help the development of OpenWrt, you are
	  encouraged to set this option and provide feedback (both
	  positive and negative). But do so only if you know how to
	  recover your device in case of flashing potentially non-working
	  firmware.

	  If you plan to use this build in production, say NO!

menu "Global build settings"

	config MPIPE_SHARE_NETWORK
		bool "Config support internal access to the internet in pipe mode"
		help
		  Not support large packets, i.e. fragment packet, need to control the packet
		  length to be less than MTU(default 1500).
		default n

	config IPV6_POLICY_ROUTING
		bool "Support configure IPv6 policy routes in dnsmasq"
		help
		  Only works in MIFI mode and supports multiple PDN.
		default n

	config SPI_LCD
		bool "Config SPI interface driver for LCD"
		default n
		select KERNEL_FB
		select KERNEL_FB_SPI_LCD

	config LCDC_SPI
		bool "Config LCDC SPI interface driver for ASR 190x/1806"
		depends on TARGET_mmp_asr1901 || TARGET_mmp_asr1903 || TARGET_mmp_asr1906 || TARGET_mmp_asr1806
		default n
		select KERNEL_FB
		select KERNEL_FB_ASR
		select KERNEL_FB_ASR_SPI

	config LCDC_MCU
		bool "Config LCDC MCU interface driver for ASR 190x/1806"
		depends on TARGET_mmp_asr1901 || TARGET_mmp_asr1903 || TARGET_mmp_asr1906 || TARGET_mmp_asr1806
		default n
		select KERNEL_FB
		select KERNEL_FB_ASR
		select KERNEL_FB_ASR_MCU

	config LCDC_MIPI
		bool "Config LCDC MIPI interface driver for ASR 1806/1903"
		depends on TARGET_mmp_asr1806 || TARGET_mmp_asr1903
		default n
		select KERNEL_FB
		select KERNEL_FB_ASR
		select KERNEL_FB_ASR_MIPI

	config POSE
		bool "Config support for POS-E"
		depends on TARGET_mmp_asr1806_FACT301
		default n
		select PACKAGE_camera
		select PACKAGE_evtest
		select PACKAGE_tslib
		select KERNEL_POSE
		select LCDC_MIPI
		select KERNEL_PWM
		select KERNEL_PWM_PXA
		select KERNEL_PWM_SYSFS
		select KERNEL_BACKLIGHT_CLASS_DEVICE
		select KERNEL_BACKLIGHT_PWM
		select KERNEL_INPUT_TOUCHSCREEN
		select KERNEL_TOUCHSCREEN_PROPERTIES
		select KERNEL_TOUCHSCREEN_EDT_FT5X06
		select CAMERA
		help
		  This includes LCD and CAMERA functions, in addition to wifi and eth are
		  also support.

	config POSL
		bool "Config support for POS-L"
		depends on TARGET_mmp_asr1806_FACT301
		default n
		select PACKAGE_camera
		select PACKAGE_evtest
		select PACKAGE_tslib
		select KERNEL_POSL
		select LCDC_SPI
		select KERNEL_PWM
		select KERNEL_PWM_PXA
		select KERNEL_PWM_SYSFS
		select KERNEL_BACKLIGHT_CLASS_DEVICE
		select KERNEL_BACKLIGHT_PWM
		select KERNEL_INPUT_TOUCHSCREEN
		select KERNEL_TOUCHSCREEN_PROPERTIES
		select KERNEL_TOUCHSCREEN_ASR_TSC
		select CAMERA
		help
		  This includes LCD and camera functions, in addition to wifi support.

	config AB_SYSTEM
		bool "Config support for A/B system"
		default n
		select KERNEL_AB_SYSTEM

	config ASR_SDTIM
		bool "Config support for Single DTIM"
		default n
		select KERNEL_ASR_SDTIM

	config SEC
		bool "All-in-one config support for security features"
		default n
		select TEE_OS
		select SELINUX
		select SECURE_DM

	config TEE_OS
		bool "Config support for TEE OS"
		default n
		select KERNEL_TEE
		select KERNEL_OPTEE
		select KERNEL_ASR_OPTEE_VIRTUAL_UART
		select KERNEL_ASR_OPTEE_LOG_LEVEL
		select PACKAGE_optee_client
		select PACKAGE_optee_app
		select HWRANDOM	
		select CIPHER_TEST
		select SECURE_STORAGE
		select ACIPHER_TEST
		select KEY_TEST

	config LIB_ATPS
		bool "Config support libatps(asr trust platform services lib)"
		default n
		select KERNEL_CRYPTO
		select KERNEL_CRYPTO_USER_API
		select KERNEL_CRYPTO_USER_API_SKCIPHER
		select KERNEL_CRYPTO_USER_API_HASH
		select KERNEL_CONFIG_CRYPTO_RSA
		select HARDWARE_AES_ENGINE

	config HARDWARE_AES_ENGINE
		bool "Config support hardware AES engine"
		default n

	config SECURE_DM
		bool "Config support for dm device and select dm-verity by default"
		select KERNEL_MD
		select KERNEL_BLK_DEV_DM
		select KERNEL_DM_VERITY
		select KERNEL_DM_INIT
		select KERNEL_DM_USER
		depends on TARGET_ROOTFS_SQUASHFS

	config SECURE_DM_CRYPT
		bool "Config support for dm-crypt"
		depends on SECURE_DM
		default n
		select KERNEL_DM_CRYPT

	config SECURE_IMA
		bool "Config support for IMA enable"
		default n
		select KERNEL_SECURITY
		select KERNEL_UBIFS_FS_SECURITY
		select KERNEL_INTEGRITY
		select KERNEL_IMA
		select KERNEL_IMA_APPRAISE
		select KERNEL_IMA_APPRAISE_BOOTPARAM
		select TARGET_ROOTFS_INITRAMFS
		select KERNEL_SIGNATURE
		select KERNEL_INTEGRITY_SIGNATURE
		select PACKAGE_libkeyutils
		select PACKAGE_keyctl
		select PACKAGE_libopenssl
		select PACKAGE_ima-evm-utils
		select KERNEL_EVM
		select KERNEL_INTEGRITY_ASYMMETRIC_KEYS
		select KERNEL_EVM_LOAD_X509
		select KERNEL_CRYPTO_RNG
		select KERNEL_ENCRYPTED_KEYS
		select KERNEL_TRUSTED_KEYS
		select PACKAGE_attr
		select KERNEL_AUDIT
		select KERNEL_INTEGRITY_AUDIT
		select KERNEL_STRICT_KERNEL_RWX

	config QSPINAND_64M
		bool
		prompt "Enable QSPI NAND 64M support"
		default n
		select KERNEL_QSPINAND_64M
		help
		  Enable QSPI NAND 64M support.

	config MODULE_BUILDIN
		bool
		prompt "Enable Kernel modules buildin"
		default n
		help
		  Enable Enable Kernel modules buildin.

	config CAMERA
		bool "Config Camera interface driver for ASR platform"
		depends on TARGET_mmp_asr1806 || TARGET_mmp_asr1903
		default n
		select KERNEL_ASR_CAMERA
		select KERNEL_MEDIA_CAMERA_SUPPORT

	config UART_921600
		bool "Config support uart baudrate 921600"
		default n

	config DAILY
		bool "Enable experimental features for automatic daily builds"
		default n

	config DSDS
		bool "Config support for Dual SIM Dual Standby"
		default n
		select KERNEL_ASR_DSDS

	config JSON_OVERVIEW_IMAGE_INFO
		bool "Create JSON info file overview per target"
		default y
		help
		  Create a JSON info file called profiles.json in the target
		  directory containing machine readable list of built profiles
		  and resulting images.

	config JSON_CYCLONEDX_SBOM
		bool "Create CycloneDX SBOM JSON"
		default BUILDBOT
		help
		  Create a JSON files *.bom.cdx.json in the build
		  directory containing Software Bill Of Materials in CycloneDX
		  format.

	config ALL_NONSHARED
		bool "Select all target specific packages by default"
		select ALL_KMODS
		default BUILDBOT

	config ALL_KMODS
		bool "Select all kernel module packages by default"

	config ALL
		bool "Select all userspace packages by default"
		select ALL_KMODS
		select ALL_NONSHARED

	config BUILDBOT
		bool "Set build defaults for automatic builds (e.g. via buildbot)"
		help
		  This option changes several defaults to be more suitable for
		  automatic builds. This includes the following changes:
		  - Deleting build directories after compiling (to save space)
		  - Enabling per-device rootfs support
		  ...

	config SIGNED_PACKAGES
		bool "Cryptographically signed package lists"
		default y

	config SIGNATURE_CHECK
		bool "Enable signature checking in opkg"
		default SIGNED_PACKAGES

	config DOWNLOAD_CHECK_CERTIFICATE
		bool "Enable TLS certificate verification during package download"
		default y

	config USE_APK
		imply PACKAGE_apk-mbedtls
		bool "Use APK instead of OPKG to build distribution (BROKEN)"
		depends on BROKEN

	comment "General build options"

	config TESTING_KERNEL
		bool "Use the testing kernel version"
		depends on HAS_TESTING_KERNEL
		default EXPERIMENTAL
		help
		  If the target supports a newer kernel version than the default,
		  you can use this config option to enable it


	config DISPLAY_SUPPORT
		bool "Show packages that require graphics support (local or remote)"

	config BUILD_PATENTED
		bool "Compile with support for patented functionality"
		help
		  When this option is disabled, software which provides patented functionality
		  will not be built.  In case software provides optional support for patented
		  functionality, this optional support will get disabled for this package.

	config BUILD_NLS
		bool "Compile with full language support"
		help
		  When this option is enabled, packages are built with the full versions of
		  iconv and GNU gettext instead of the default OpenWrt stubs. If uClibc is
		  used, it is also built with locale support.

	config SHADOW_PASSWORDS
		bool
		default y

	config CLEAN_IPKG
		bool
		prompt "Remove ipkg/opkg status data files in final images"
		help
		  This removes all ipkg/opkg status data files from the target directory
		  before building the root filesystem.

	config IPK_FILES_CHECKSUMS
		bool
		prompt "Record files checksums in package metadata"
		depends on !USE_APK
		help
		  This makes file checksums part of package metadata. It increases size
		  but provides you with pkg_check command to check for flash corruptions.

	config INCLUDE_CONFIG
		bool "Include build configuration in firmware" if DEVEL
		help
		  If enabled, buildinfo files will be stored in /etc/build.* of firmware.

	config REPRODUCIBLE_DEBUG_INFO
		bool "Make debug information reproducible"
		default BUILDBOT
		help
		  This strips the local build path out of debug information. This has the
		  advantage of making it reproducible, but the disadvantage of making local
		  debugging using ./scripts/remote-gdb harder, since the debug data will
		  no longer point to the full path on the build host.

	config COLLECT_KERNEL_DEBUG
		bool
		prompt "Collect kernel debug information"
		select KERNEL_DEBUG_INFO
		default BUILDBOT
		help
		  This collects debugging symbols from the kernel and all compiled modules.
		  Useful for release builds, so that kernel issues can be debugged offline
		  later.

	menu "Kernel build options"

	source "config/Config-kernel.in"

	endmenu

	comment "Package build options"

	config DEBUG
		bool
		prompt "Compile packages with debugging info"
		help
		  Adds -g3 to the CFLAGS.

	config USE_GC_SECTIONS
		bool
		prompt "Dead code and data elimination for all packages (EXPERIMENTAL)"
		help
		  Places functions and data items into its own sections to use the linker's
		  garbage collection capabilites.
		  Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-gc-sections

	config USE_LTO
		bool
		prompt "Use the link-time optimizer for all packages (EXPERIMENTAL)"
		help
		  Adds LTO flags to the CFLAGS and LDFLAGS.
		  Packages can choose to opt-out via setting PKG_BUILD_FLAGS:=no-lto

	config MOLD
		depends on (aarch64 || arm || i386 || i686 || m68k || powerpc || powerpc64 || sh4 || x86_64)
		depends on !GCC_USE_VERSION_11
		def_bool $(shell, ./config/check-hostcxx.sh 10 2 12)

	config USE_MOLD
		bool
		prompt "Use the mold linker for all packages"
		depends on MOLD
		help
		  Link packages with mold, a modern linker
		  Packages can opt-out via setting PKG_BUILD_FLAGS:=no-mold

	config IPV6
		def_bool y

	comment "Stripping options"

	choice
		prompt "Binary stripping method"
		default USE_STRIP   if USE_GLIBC
		default USE_SSTRIP
		help
		  Select the binary stripping method you wish to use.

		config NO_STRIP
			bool "none"
			help
			  This will install unstripped binaries (useful for native
			  compiling/debugging).

		config USE_STRIP
			bool "strip"
			help
			  This will install binaries stripped using strip from binutils.

		config USE_SSTRIP
			bool "sstrip"
			depends on !USE_GLIBC
			help
			  This will install binaries stripped using sstrip.
	endchoice

	config STRIP_ARGS
		string
		prompt "Strip arguments"
		depends on USE_STRIP
		default "--strip-unneeded --remove-section=.comment --remove-section=.note" if DEBUG
		default "--strip-all"
		help
		  Specifies arguments passed to the strip command when stripping binaries.

	config SSTRIP_DISCARD_TRAILING_ZEROES
		bool "Strip trailing zero bytes"
		depends on USE_SSTRIP && !USE_MOLD
		default y
		help
		  Use sstrip's -z option to discard trailing zero bytes

	config STRIP_KERNEL_EXPORTS
		bool "Strip unnecessary exports from the kernel image"
		depends on !LINUX_6_6
		help
		  Reduces kernel size by stripping unused kernel exports from the kernel
		  image.  Note that this might make the kernel incompatible with any kernel
		  modules that were not selected at the time the kernel image was created.

	config USE_MKLIBS
		bool "Strip unnecessary functions from libraries"
		help
		  Reduces libraries to only those functions that are necessary for using all
		  selected packages (including those selected as <M>).  Note that this will
		  make the system libraries incompatible with most of the packages that are
		  not selected during the build process.

	choice
		prompt "Preferred standard C++ library"
		default USE_LIBSTDCXX if USE_GLIBC
		default USE_UCLIBCXX
		help
		  Select the preferred standard C++ library for all packages that support this.

		config USE_UCLIBCXX
			bool "uClibc++"

		config USE_LIBSTDCXX
			bool "libstdc++"
	endchoice

	comment "Hardening build options"

	config PKG_CHECK_FORMAT_SECURITY
		bool
		prompt "Enable gcc format-security"
		default y
		help
		  Add -Wformat -Werror=format-security to the CFLAGS.  You can disable
		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
		  Makefile.

	choice
		prompt "User space ASLR PIE compilation"
		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
		default PKG_ASLR_PIE_REGULAR
		help
		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
		  This enables package build as Position Independent Executables (PIE)
		  to protect against "return-to-text" attacks. This belongs to the
		  feature of Address Space Layout Randomisation (ASLR), which is
		  implemented by the kernel and the ELF loader by randomising the
		  location of memory allocations. This makes memory addresses harder
		  to predict when an attacker is attempting a memory-corruption exploit.
		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
		  Makefile.
		  Be ware that ASLR increases the binary size.
		config PKG_ASLR_PIE_NONE
			bool "None"
			help
			  PIE is deactivated for all applications
		config PKG_ASLR_PIE_REGULAR
			bool "Regular"
			help
			  PIE is activated for some binaries, mostly network exposed applications
		config PKG_ASLR_PIE_ALL
			bool "All"
			select BUSYBOX_DEFAULT_PIE
			help
			  PIE is activated for all applications
	endchoice

	choice
		prompt "User space Stack-Smashing Protection"
		default PKG_CC_STACKPROTECTOR_REGULAR
		help
		  Enable GCC Stack Smashing Protection (SSP) for userspace applications
		config PKG_CC_STACKPROTECTOR_NONE
			bool "None"
			help
				No stack smashing protection.
		config PKG_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
			help
				Protects functions with vulnerable objects.
				This includes functions with buffers larger than 8 bytes or calls to alloca.
		config PKG_CC_STACKPROTECTOR_STRONG
			bool "Strong"
			help
				Like Regular, but also protects functions with
				local arrays or references to local frame addresses.
		config PKG_CC_STACKPROTECTOR_ALL
			bool "All"
			help
				Protects all functions.
	endchoice

	choice
		prompt "Kernel space Stack-Smashing Protection"
		default KERNEL_CC_STACKPROTECTOR_REGULAR
		help
		  Enable GCC Stack-Smashing Protection (SSP) for the kernel
		config KERNEL_CC_STACKPROTECTOR_NONE
			bool "None"
			help
				No stack smashing protection.
		config KERNEL_CC_STACKPROTECTOR_REGULAR
			bool "Regular"
			help
				Protects functions with vulnerable objects.
				This includes functions with buffers larger than 8 bytes or calls to alloca.
		config KERNEL_CC_STACKPROTECTOR_STRONG
			bool "Strong"
			help
				Like Regular, but also protects functions with
				local arrays or references to local frame addresses.
	endchoice

	config KERNEL_STACKPROTECTOR
		bool
		default KERNEL_CC_STACKPROTECTOR_REGULAR || KERNEL_CC_STACKPROTECTOR_STRONG

	config KERNEL_STACKPROTECTOR_STRONG
		bool
		default KERNEL_CC_STACKPROTECTOR_STRONG

	choice
		prompt "Enable buffer-overflows detection (FORTIFY_SOURCE)"
		default PKG_FORTIFY_SOURCE_1
		help
		  Enable the _FORTIFY_SOURCE macro which introduces additional
		  checks to detect buffer-overflows in the following standard library
		  functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy,
		  strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf,
		  gets.  "Conservative" (_FORTIFY_SOURCE set to 1) only introduces
		  checks that shouldn't change the behavior of conforming programs,
		  while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is
		  added, but some conforming programs might fail.
		config PKG_FORTIFY_SOURCE_NONE
			bool "None"
		config PKG_FORTIFY_SOURCE_1
			bool "Conservative"
		config PKG_FORTIFY_SOURCE_2
			bool "Aggressive"
	endchoice

	choice
		prompt "Enable RELRO protection"
		default PKG_RELRO_FULL
		help
		  Enable a link-time protection known as RELRO (Relocation Read Only)
		  which helps to protect from certain type of exploitation techniques
		  altering the content of some ELF sections. "Partial" RELRO makes the
		  .dynamic section not writeable after initialization, introducing
		  almost no performance penalty, while "full" RELRO also marks the GOT
		  as read-only at the cost of initializing all of it at startup.
		config PKG_RELRO_NONE
			bool "None"
		config PKG_RELRO_PARTIAL
			bool "Partial"
		config PKG_RELRO_FULL
			bool "Full"
	endchoice

	config TARGET_ROOTFS_SECURITY_LABELS
		bool
		select KERNEL_SQUASHFS_XATTR
		select KERNEL_EXT4_FS_SECURITY
		select KERNEL_F2FS_FS_SECURITY
		select KERNEL_UBIFS_FS_SECURITY
		select KERNEL_JFFS2_FS_SECURITY

	config SELINUX
		bool "Enable SELinux"
		select KERNEL_SECURITY_SELINUX
		select TARGET_ROOTFS_SECURITY_LABELS
		select PACKAGE_procd-selinux
		select PACKAGE_busybox-selinux
		help
		  This option enables SELinux kernel features, applies security labels
		  in squashfs rootfs and selects the selinux-variants of busybox and procd.

		  Selecting this option results in about 0.5MiB of additional flash space
		  usage accounting for increased kernel and rootfs size.

	choice
		prompt "default SELinux type"
		depends on TARGET_ROOTFS_SECURITY_LABELS
		default SELINUXTYPE_dssp
		help
		  Select SELinux policy to be installed and used for applying rootfs labels.

		config SELINUXTYPE_targeted
			bool "targeted"
			select PACKAGE_refpolicy
			help
			  SELinux Reference Policy (refpolicy)

		config SELINUXTYPE_dssp
			bool "dssp"
			select PACKAGE_selinux-policy-local
			help
			  Defensec SELinux Security Policy -- OpenWrt edition

	endchoice

	config USE_SECCOMP
		bool "Enable SECCOMP"
		select KERNEL_SECCOMP
		select PACKAGE_procd-seccomp
		depends on (aarch64 || arm || armeb || mips || mipsel || mips64 || mips64el || i386 || powerpc || x86_64)
		depends on !TARGET_uml
		default y
		help
		  This option enables seccomp kernel features to safely
		  execute untrusted bytecode and selects the seccomp-variants
		  of procd

endmenu