Add gcc config option for fanalyzer. As a result of this option, a static
analysis of the program flow is conducted, allowing interprocedural paths
to be identified and warnings to be issued if problems are identified.
Link: https://github.com/openwrt/openwrt/pull/12576
Signed-off-by: Nick Hainke <vincent@systemli.org>
This adds the -Wl,-z,pack-relative-relocs linking options.
This reduces the size of some binaries.
This is only supported on i386, x86_64, aarch64 and loongarch64 in
binutils. This feature is not support for MIPS.
musl libc supports it since version 1.2.4 .
glibc supports it since vesion 2.36.
binutils ld supports it since version 2.38 for x86 and since version
2.43 for LoongArch.
This reduces the size of the armsr default root file system from
5,262,198 bytes to 5,200,950 bytes by 61,248 bytes.
Link: https://github.com/openwrt/openwrt/pull/20679
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add support for _FORTIFY_SOURCE level 3.
This is supported with glibc and with musl libc.
Link: https://github.com/openwrt/openwrt/pull/20313
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
There is no practical value in keeping GCC11 around, as even OpenWrt 23.05
uses GCC12 as the default one, so drop it.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Mold does not really work on MacOS, when attempting to use it for example
for ubus:
mold: get_self_path is not supportedcollect2: error: ld returned 1 exit status
Which was introduced by [1] so it seems that MacOS is not supported, so
lets make it non selectable when MacOS is the host.
[1] f9a37e9dd4
Link: https://github.com/openwrt/openwrt/pull/18575
Signed-off-by: Robert Marko <robimarko@gmail.com>
Mold supports 32 and 64 bit RISC-V, but since we only support the 64 bit
version allow using mold on it.
Link: https://github.com/openwrt/openwrt/pull/18575
Signed-off-by: Robert Marko <robimarko@gmail.com>
Mold supports 32 and 64 bit LoongArch, but since we only support the 64 bit
version allow using mold on it.
Link: https://github.com/openwrt/openwrt/pull/18575
Signed-off-by: Robert Marko <robimarko@gmail.com>
apk package manager is default for some time, so lets remove the
EXPERIMENTAL warning from the related option.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
base-files is including procd-secccomp as a dependency when USE_SECCOMP
is selected, so there is no point in selecting the package directly here
as well.
Link: https://github.com/openwrt/openwrt/pull/17048
Signed-off-by: Robert Marko <robimarko@gmail.com>
It seems that we have some kind of a symbol name conflict which causes
CONFIG_SECCOMP to always be read as y.
Unfortunatelly, I could not figure out what is causing this, but simply
renaming SECCOMP to USE_SECCOMP seems to properly work and leaves the
symbol unset unless arch dependencies are satisfied.
This fixes qoriq and others that dont support seccomp from failing due
to procd-seccomp package being selected to get included but it cannot be
built for them:
ERROR: unable to select packages:
procd-seccomp (no such package):
required by: base-files-1637~52b6c92479[procd-seccomp]
Fixes: 4c65359af4 ("build: fix including busybox, procd and apk/opkg in imagebuilder")
Link: https://github.com/openwrt/openwrt/pull/17048
Signed-off-by: Robert Marko <robimarko@gmail.com>
This commit comes after a long period of hard work, starting back in
early 2021 as a proof of concept.
Thanks to the Alpine Linux project for creating such a nice package
manager. Thanks to everyone involved; this is going to be great!
Signed-off-by: Paul Spooren <mail@aparcar.org>
STRIP_KERNEL_EXPORTS is currently broken on kernel 6.6 and since this
is the only kernel currently supported, we should rather make it depend
on BROKEN instead of a kernel version until its fixed.
Link: https://github.com/openwrt/openwrt/pull/16440
Signed-off-by: Robert Marko <robimarko@gmail.com>
Limit CONFIG_IPK_FILES_CHECKSUMS config to OPKG as APK have different
way to validate package integrity (apk audit)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit 25bbefcdd9.
Only the Config-build.in change needed to be merged and this contains
leftover from previous revision of the feature.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
On top of the fixup to select apk-mbedtls when USE_APK is enabled from a
new config, also imply the package when enabling the config to catch
.config that are already init.
(Having both opkg and apk installed in a system is not a problem but if
USE_APK is used, APK presence in the system is mandatory)
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Limit CONFIG_IPK_FILES_CHECKSUMS config to OPKG as APK have different
way to validate package integrity (apk audit)
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
A new option called `USE_APK` is added which generated APK packages
(.apk) instead of OPKG packages (.ipk).
Some features like fstools `snapshot` command are not yet ported
Signed-off-by: Paul Spooren <mail@aparcar.org>
STRIP_KERNEL_EXPORTS is currently not working on kernel 6.6 as there
have been major changes in the upstream kernel.
I have looked at it, and I dont think we can adapt the current patch to
work so until this is fixed lets prevent STRIP_KERNEL_EXPORTS from
being selected on 6.6.
Link: https://github.com/openwrt/openwrt/pull/15498
Signed-off-by: Robert Marko <robimarko@gmail.com>
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks.
This option enhances the stack-smashing protection provided by -fstack-protector-strong.
-fstack-protector-all option applies stack protection to all functions, regardless of their characteristics.
While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact
the performance of the program because every function call includes additional checks for stack integrity.
This option can incur a performance penalty because of the extra checks added to every function call,
but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code.
It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable.
Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Building it requires gcc >= 10.2 or clang >= 12.
Using sstrip with its -z argument can produce non-working binaries, like
a segfaulting `getrandom`, so don't allow that combination.
Signed-off-by: Andre Heider <a.heider@gmail.com>
sstrip only has one functional arg. Make that a bool option, which can
easily depend on other knobs then.
This is required to be disabled for the mold linker.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Kconfig docs say:
> The default value deliberately defaults to 'n' in order to avoid
> bloating the build.
Apply this rule everywhere, to avoid more cloning of bad examples
Signed-off-by: Tony Butler <spudz76@gmail.com>
When we use the internal toolchain USE_SSTRIP will be selected by
default for musl libc and USE_STRIP when glibc is used. Do the same when
an external toolchain is used. USE_GLIBC will also be set for external
toolchain builds based on the EXTERNAL_TOOLCHAIN_LIBC_USE_GLIBC setting.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.
TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"
Signed-off-by: Josh Roys <roysjosh@gmail.com>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Disabling this build tunable breaks build and seems unrealistically
likely to be fixed.
This patch sets the related CONFIG to always true and removes the
config prompt, keeping the change minimal, and, should !CONFIG_IPV6 ever
be fixed, easy to revert.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Paul Spooren <mail@aparcar.org>
Acked-by: Josef.Schlehofer <pepe.schlehofer@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Fix typos in comment and user-facing help text.
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
[split out config changes, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
No package here depends on it. Furthermore, uClibc++ is a fairly buggy
C++ library and seems to be relatively inactive upstream.
It also lacks proper support for modern C++11 features.
The main benefit of it is size: 66.6 KB vs 287.3 KB on mips24kc. Static
linking and LTO can help bring the size down of packages that need it.
Added warning message to uclibc++.mk
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.
The follwing change a7f794cd2a now requires that
the package procd-seccomp must also enabled for buildinmg.
However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.
This change adds a new configuration option CONFIG_SECCOMP.
The new option has the same behaviour as the configuration
option CONFIG_SELINUX.
If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The file is a info file just like config.buildinfo, feeds.buildinfo and
version.buildinfo. It bundles these and more information in a machine
readable way.
This commit enables the creation of profiles.json by default and not
only for buildbots. By doing so it follow the behaviour of the
ImageBuilder which always creates the file, lastly this increases the
files visibility for downstream projects.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The license folder is a core part of OpenWrt and all GPL-2.0 licensed.
Use SPDX license tags to allow machines to check licenses.
Signed-off-by: Paul Spooren <mail@aparcar.org>
[rebase, keep some Copyright lines, sharpen commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
As discussed in the today's (2020-12-10) meeting, add a new option to
menuconfig to group the selection of all experimental features to be
selected by default.
Developers are recommended to make use of this new symbol to guard
new features.
Other developers and community members should feel encouraged to
build with this flag enabled to help testing and provide feedback.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.
While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
