From: Chuck Lever <[email protected]>
Geert reports that:
> On v6.2, "make ARCH=m68k defconfig" gives you
> CONFIG_RPCSEC_GSS_KRB5=m
> On v6.3, it became builtin, due to dropping the dependencies on
> the individual crypto modules.
>
> $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_AES_TI=m
> CONFIG_CRYPTO_DES=m
> CONFIG_CRYPTO_CBC=m
> CONFIG_CRYPTO_CTS=m
> CONFIG_CRYPTO_ECB=m
> CONFIG_CRYPTO_HMAC=m
> CONFIG_CRYPTO_MD5=m
> CONFIG_CRYPTO_SHA1=m
This behavior is triggered by the "default y" in the definition of
RPCSEC_GSS.
The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix
the selection of security flavours in Kconfig"). However,
svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2
("nfsd4: move principal name into svc_cred"), so the 2010 fix is
no longer necessary. We can safely change the NFS_V4 and NFSD_V4
dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2
behavior back.
Selecting KRB5 symbolically represents the true requirement here:
that all spec-compliant NFSv4 implementations must have Kerberos
available to use.
Reported-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
---
fs/nfs/Kconfig | 2 +-
fs/nfsd/Kconfig | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 14a72224b657..450d6c3bc05e 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -75,7 +75,7 @@ config NFS_V3_ACL
config NFS_V4
tristate "NFS client support for NFS version 4"
depends on NFS_FS
- select SUNRPC_GSS
+ select RPCSEC_GSS_KRB5
select KEYS
help
This option enables support for version 4 of the NFS protocol
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 7c441f2bd444..43b88eaf0673 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -73,7 +73,7 @@ config NFSD_V4
bool "NFS server support for NFS version 4"
depends on NFSD && PROC_FS
select FS_POSIX_ACL
- select SUNRPC_GSS
+ select RPCSEC_GSS_KRB5
select CRYPTO
select CRYPTO_MD5
select CRYPTO_SHA256
Hi Chuck,
This commits seems to have been picked up already, but FWIW it produces
two new warnings with shmobile_defconfig.
WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
Selected by [y]:
- NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
Selected by [y]:
- NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
On 2023-03-08 09:45:09 -0500, Chuck Lever wrote:
> From: Chuck Lever <[email protected]>
>
> Geert reports that:
> > On v6.2, "make ARCH=m68k defconfig" gives you
> > CONFIG_RPCSEC_GSS_KRB5=m
> > On v6.3, it became builtin, due to dropping the dependencies on
> > the individual crypto modules.
> >
> > $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config
> > CONFIG_CRYPTO_AES=y
> > CONFIG_CRYPTO_AES_TI=m
> > CONFIG_CRYPTO_DES=m
> > CONFIG_CRYPTO_CBC=m
> > CONFIG_CRYPTO_CTS=m
> > CONFIG_CRYPTO_ECB=m
> > CONFIG_CRYPTO_HMAC=m
> > CONFIG_CRYPTO_MD5=m
> > CONFIG_CRYPTO_SHA1=m
>
> This behavior is triggered by the "default y" in the definition of
> RPCSEC_GSS.
>
> The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix
> the selection of security flavours in Kconfig"). However,
> svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2
> ("nfsd4: move principal name into svc_cred"), so the 2010 fix is
> no longer necessary. We can safely change the NFS_V4 and NFSD_V4
> dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2
> behavior back.
>
> Selecting KRB5 symbolically represents the true requirement here:
> that all spec-compliant NFSv4 implementations must have Kerberos
> available to use.
>
> Reported-by: Geert Uytterhoeven <[email protected]>
> Signed-off-by: Chuck Lever <[email protected]>
> ---
> fs/nfs/Kconfig | 2 +-
> fs/nfsd/Kconfig | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
> index 14a72224b657..450d6c3bc05e 100644
> --- a/fs/nfs/Kconfig
> +++ b/fs/nfs/Kconfig
> @@ -75,7 +75,7 @@ config NFS_V3_ACL
> config NFS_V4
> tristate "NFS client support for NFS version 4"
> depends on NFS_FS
> - select SUNRPC_GSS
> + select RPCSEC_GSS_KRB5
> select KEYS
> help
> This option enables support for version 4 of the NFS protocol
> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
> index 7c441f2bd444..43b88eaf0673 100644
> --- a/fs/nfsd/Kconfig
> +++ b/fs/nfsd/Kconfig
> @@ -73,7 +73,7 @@ config NFSD_V4
> bool "NFS server support for NFS version 4"
> depends on NFSD && PROC_FS
> select FS_POSIX_ACL
> - select SUNRPC_GSS
> + select RPCSEC_GSS_KRB5
> select CRYPTO
> select CRYPTO_MD5
> select CRYPTO_SHA256
>
>
--
Kind Regards,
Niklas Söderlund
> On Mar 27, 2023, at 11:48 AM, Niklas Söderlund <[email protected]> wrote:
>
> Hi Chuck,
>
> This commits seems to have been picked up already, but FWIW it produces
> two new warnings with shmobile_defconfig.
>
> WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> Selected by [y]:
> - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
>
> WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> Selected by [y]:
> - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
I received a bot warning about this a few days ago, but it did not
appear that it was a priority.
The easiest thing to do would be to revert it, but I'm not clear
on what the impact of this new issue is.
> On 2023-03-08 09:45:09 -0500, Chuck Lever wrote:
>> From: Chuck Lever <[email protected]>
>>
>> Geert reports that:
>>> On v6.2, "make ARCH=m68k defconfig" gives you
>>> CONFIG_RPCSEC_GSS_KRB5=m
>>> On v6.3, it became builtin, due to dropping the dependencies on
>>> the individual crypto modules.
>>>
>>> $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config
>>> CONFIG_CRYPTO_AES=y
>>> CONFIG_CRYPTO_AES_TI=m
>>> CONFIG_CRYPTO_DES=m
>>> CONFIG_CRYPTO_CBC=m
>>> CONFIG_CRYPTO_CTS=m
>>> CONFIG_CRYPTO_ECB=m
>>> CONFIG_CRYPTO_HMAC=m
>>> CONFIG_CRYPTO_MD5=m
>>> CONFIG_CRYPTO_SHA1=m
>>
>> This behavior is triggered by the "default y" in the definition of
>> RPCSEC_GSS.
>>
>> The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix
>> the selection of security flavours in Kconfig"). However,
>> svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2
>> ("nfsd4: move principal name into svc_cred"), so the 2010 fix is
>> no longer necessary. We can safely change the NFS_V4 and NFSD_V4
>> dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2
>> behavior back.
>>
>> Selecting KRB5 symbolically represents the true requirement here:
>> that all spec-compliant NFSv4 implementations must have Kerberos
>> available to use.
>>
>> Reported-by: Geert Uytterhoeven <[email protected]>
>> Signed-off-by: Chuck Lever <[email protected]>
>> ---
>> fs/nfs/Kconfig | 2 +-
>> fs/nfsd/Kconfig | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index 14a72224b657..450d6c3bc05e 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -75,7 +75,7 @@ config NFS_V3_ACL
>> config NFS_V4
>> tristate "NFS client support for NFS version 4"
>> depends on NFS_FS
>> - select SUNRPC_GSS
>> + select RPCSEC_GSS_KRB5
>> select KEYS
>> help
>> This option enables support for version 4 of the NFS protocol
>> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
>> index 7c441f2bd444..43b88eaf0673 100644
>> --- a/fs/nfsd/Kconfig
>> +++ b/fs/nfsd/Kconfig
>> @@ -73,7 +73,7 @@ config NFSD_V4
>> bool "NFS server support for NFS version 4"
>> depends on NFSD && PROC_FS
>> select FS_POSIX_ACL
>> - select SUNRPC_GSS
>> + select RPCSEC_GSS_KRB5
>> select CRYPTO
>> select CRYPTO_MD5
>> select CRYPTO_SHA256
>>
>>
>
> --
> Kind Regards,
> Niklas Söderlund
--
Chuck Lever
Hi Chuck,
On Mon, Mar 27, 2023 at 6:28 PM Chuck Lever III <[email protected]> wrote:
> > On Mar 27, 2023, at 11:48 AM, Niklas Söderlund <[email protected]> wrote:
> > This commits seems to have been picked up already, but FWIW it produces
> > two new warnings with shmobile_defconfig.
> >
> > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> > Selected by [y]:
> > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
> >
> > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> > Selected by [y]:
> > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
>
> I received a bot warning about this a few days ago, but it did not
> appear that it was a priority.
>
> The easiest thing to do would be to revert it, but I'm not clear
> on what the impact of this new issue is.
>
> > On 2023-03-08 09:45:09 -0500, Chuck Lever wrote:
> >> --- a/fs/nfs/Kconfig
> >> +++ b/fs/nfs/Kconfig
> >> @@ -75,7 +75,7 @@ config NFS_V3_ACL
> >> config NFS_V4
> >> tristate "NFS client support for NFS version 4"
> >> depends on NFS_FS
> >> - select SUNRPC_GSS
> >> + select RPCSEC_GSS_KRB5
RPCSEC_GSS_KRB5 depends on CRYPTO, causing the warning.
However, NFSv4 nfsroot works fine without CRYPTO, so the select can
be conditional. I have sent a patch to do that:
https://lore.kernel.org/r/42751e1fef65485a5441618bc39735f8b62b3a46.1679988298.git.geert+renesas@glider.be
> >> select KEYS
> >> help
> >> This option enables support for version 4 of the NFS protocol
> >> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
> >> index 7c441f2bd444..43b88eaf0673 100644
> >> --- a/fs/nfsd/Kconfig
> >> +++ b/fs/nfsd/Kconfig
> >> @@ -73,7 +73,7 @@ config NFSD_V4
> >> bool "NFS server support for NFS version 4"
> >> depends on NFSD && PROC_FS
> >> select FS_POSIX_ACL
> >> - select SUNRPC_GSS
> >> + select RPCSEC_GSS_KRB5
> >> select CRYPTO
NFSD_V4 selects CRYPTO, so there is no such issue here.
> >> select CRYPTO_MD5
> >> select CRYPTO_SHA256
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- [email protected]
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds