Thread (4 messages) 4 messages, 4 authors, 2023-03-28

Re: [PATCH RFC] NFS & NFSD: Update GSS dependencies

From: Chuck Lever III <hidden>
Date: 2023-03-27 16:28:30 

On Mar 27, 2023, at 11:48 AM, Niklas Söderlund [off-list ref] wrote:

Hi Chuck,

This commits seems to have been picked up already, but FWIW it produces 
two new warnings with shmobile_defconfig.

WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
 Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
 Selected by [y]:
 - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]

WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
 Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
 Selected by [y]:
 - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
I received a bot warning about this a few days ago, but it did not
appear that it was a priority.

The easiest thing to do would be to revert it, but I'm not clear
on what the impact of this new issue is.


On 2023-03-08 09:45:09 -0500, Chuck Lever wrote:
quoted
From: Chuck Lever <redacted>

Geert reports that:
quoted
On v6.2, "make ARCH=m68k defconfig" gives you
CONFIG_RPCSEC_GSS_KRB5=m
On v6.3, it became builtin, due to dropping the dependencies on
the individual crypto modules.

$ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_TI=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_CTS=m
CONFIG_CRYPTO_ECB=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_MD5=m
CONFIG_CRYPTO_SHA1=m
This behavior is triggered by the "default y" in the definition of
RPCSEC_GSS.

The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix
the selection of security flavours in Kconfig"). However,
svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2
("nfsd4: move principal name into svc_cred"), so the 2010 fix is
no longer necessary. We can safely change the NFS_V4 and NFSD_V4
dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2
behavior back.

Selecting KRB5 symbolically represents the true requirement here:
that all spec-compliant NFSv4 implementations must have Kerberos
available to use.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Chuck Lever <redacted>
---
fs/nfs/Kconfig  |    2 +-
fs/nfsd/Kconfig |    2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 14a72224b657..450d6c3bc05e 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -75,7 +75,7 @@ config NFS_V3_ACL
config NFS_V4
	tristate "NFS client support for NFS version 4"
	depends on NFS_FS
-	select SUNRPC_GSS
+	select RPCSEC_GSS_KRB5
	select KEYS
	help
	  This option enables support for version 4 of the NFS protocol
diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 7c441f2bd444..43b88eaf0673 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -73,7 +73,7 @@ config NFSD_V4
	bool "NFS server support for NFS version 4"
	depends on NFSD && PROC_FS
	select FS_POSIX_ACL
-	select SUNRPC_GSS
+	select RPCSEC_GSS_KRB5
	select CRYPTO
	select CRYPTO_MD5
	select CRYPTO_SHA256

-- 
Kind Regards,
Niklas Söderlund
--
Chuck Lever


  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help