| Message ID | 167828670993.16253.6476667874038066881.stgit@bazille.1015granger.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [RFC] NFS & NFSD: Update GSS dependencies | expand |
Hi Chuck, This commits seems to have been picked up already, but FWIW it produces two new warnings with shmobile_defconfig. WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] Selected by [y]: - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] Selected by [y]: - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] On 2023-03-08 09:45:09 -0500, Chuck Lever wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > Geert reports that: > > On v6.2, "make ARCH=m68k defconfig" gives you > > CONFIG_RPCSEC_GSS_KRB5=m > > On v6.3, it became builtin, due to dropping the dependencies on > > the individual crypto modules. > > > > $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config > > CONFIG_CRYPTO_AES=y > > CONFIG_CRYPTO_AES_TI=m > > CONFIG_CRYPTO_DES=m > > CONFIG_CRYPTO_CBC=m > > CONFIG_CRYPTO_CTS=m > > CONFIG_CRYPTO_ECB=m > > CONFIG_CRYPTO_HMAC=m > > CONFIG_CRYPTO_MD5=m > > CONFIG_CRYPTO_SHA1=m > > This behavior is triggered by the "default y" in the definition of > RPCSEC_GSS. > > The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix > the selection of security flavours in Kconfig"). However, > svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2 > ("nfsd4: move principal name into svc_cred"), so the 2010 fix is > no longer necessary. We can safely change the NFS_V4 and NFSD_V4 > dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2 > behavior back. > > Selecting KRB5 symbolically represents the true requirement here: > that all spec-compliant NFSv4 implementations must have Kerberos > available to use. > > Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > --- > fs/nfs/Kconfig | 2 +- > fs/nfsd/Kconfig | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig > index 14a72224b657..450d6c3bc05e 100644 > --- a/fs/nfs/Kconfig > +++ b/fs/nfs/Kconfig > @@ -75,7 +75,7 @@ config NFS_V3_ACL > config NFS_V4 > tristate "NFS client support for NFS version 4" > depends on NFS_FS > - select SUNRPC_GSS > + select RPCSEC_GSS_KRB5 > select KEYS > help > This option enables support for version 4 of the NFS protocol > diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig > index 7c441f2bd444..43b88eaf0673 100644 > --- a/fs/nfsd/Kconfig > +++ b/fs/nfsd/Kconfig > @@ -73,7 +73,7 @@ config NFSD_V4 > bool "NFS server support for NFS version 4" > depends on NFSD && PROC_FS > select FS_POSIX_ACL > - select SUNRPC_GSS > + select RPCSEC_GSS_KRB5 > select CRYPTO > select CRYPTO_MD5 > select CRYPTO_SHA256 > >
> On Mar 27, 2023, at 11:48 AM, Niklas Söderlund <niklas.soderlund@ragnatech.se> wrote: > > Hi Chuck, > > This commits seems to have been picked up already, but FWIW it produces > two new warnings with shmobile_defconfig. > > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] > Selected by [y]: > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] > > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] > Selected by [y]: > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] I received a bot warning about this a few days ago, but it did not appear that it was a priority. The easiest thing to do would be to revert it, but I'm not clear on what the impact of this new issue is. > On 2023-03-08 09:45:09 -0500, Chuck Lever wrote: >> From: Chuck Lever <chuck.lever@oracle.com> >> >> Geert reports that: >>> On v6.2, "make ARCH=m68k defconfig" gives you >>> CONFIG_RPCSEC_GSS_KRB5=m >>> On v6.3, it became builtin, due to dropping the dependencies on >>> the individual crypto modules. >>> >>> $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config >>> CONFIG_CRYPTO_AES=y >>> CONFIG_CRYPTO_AES_TI=m >>> CONFIG_CRYPTO_DES=m >>> CONFIG_CRYPTO_CBC=m >>> CONFIG_CRYPTO_CTS=m >>> CONFIG_CRYPTO_ECB=m >>> CONFIG_CRYPTO_HMAC=m >>> CONFIG_CRYPTO_MD5=m >>> CONFIG_CRYPTO_SHA1=m >> >> This behavior is triggered by the "default y" in the definition of >> RPCSEC_GSS. >> >> The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix >> the selection of security flavours in Kconfig"). However, >> svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2 >> ("nfsd4: move principal name into svc_cred"), so the 2010 fix is >> no longer necessary. We can safely change the NFS_V4 and NFSD_V4 >> dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2 >> behavior back. >> >> Selecting KRB5 symbolically represents the true requirement here: >> that all spec-compliant NFSv4 implementations must have Kerberos >> available to use. >> >> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> >> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> >> --- >> fs/nfs/Kconfig | 2 +- >> fs/nfsd/Kconfig | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig >> index 14a72224b657..450d6c3bc05e 100644 >> --- a/fs/nfs/Kconfig >> +++ b/fs/nfs/Kconfig >> @@ -75,7 +75,7 @@ config NFS_V3_ACL >> config NFS_V4 >> tristate "NFS client support for NFS version 4" >> depends on NFS_FS >> - select SUNRPC_GSS >> + select RPCSEC_GSS_KRB5 >> select KEYS >> help >> This option enables support for version 4 of the NFS protocol >> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig >> index 7c441f2bd444..43b88eaf0673 100644 >> --- a/fs/nfsd/Kconfig >> +++ b/fs/nfsd/Kconfig >> @@ -73,7 +73,7 @@ config NFSD_V4 >> bool "NFS server support for NFS version 4" >> depends on NFSD && PROC_FS >> select FS_POSIX_ACL >> - select SUNRPC_GSS >> + select RPCSEC_GSS_KRB5 >> select CRYPTO >> select CRYPTO_MD5 >> select CRYPTO_SHA256 >> >> > > -- > Kind Regards, > Niklas Söderlund -- Chuck Lever
Hi Chuck, On Mon, Mar 27, 2023 at 6:28 PM Chuck Lever III <chuck.lever@oracle.com> wrote: > > On Mar 27, 2023, at 11:48 AM, Niklas Söderlund <niklas.soderlund@ragnatech.se> wrote: > > This commits seems to have been picked up already, but FWIW it produces > > two new warnings with shmobile_defconfig. > > > > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 > > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] > > Selected by [y]: > > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] > > > > WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5 > > Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n] > > Selected by [y]: > > - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y] > > I received a bot warning about this a few days ago, but it did not > appear that it was a priority. > > The easiest thing to do would be to revert it, but I'm not clear > on what the impact of this new issue is. > > > On 2023-03-08 09:45:09 -0500, Chuck Lever wrote: > >> --- a/fs/nfs/Kconfig > >> +++ b/fs/nfs/Kconfig > >> @@ -75,7 +75,7 @@ config NFS_V3_ACL > >> config NFS_V4 > >> tristate "NFS client support for NFS version 4" > >> depends on NFS_FS > >> - select SUNRPC_GSS > >> + select RPCSEC_GSS_KRB5 RPCSEC_GSS_KRB5 depends on CRYPTO, causing the warning. However, NFSv4 nfsroot works fine without CRYPTO, so the select can be conditional. I have sent a patch to do that: https://lore.kernel.org/r/42751e1fef65485a5441618bc39735f8b62b3a46.1679988298.git.geert+renesas@glider.be > >> select KEYS > >> help > >> This option enables support for version 4 of the NFS protocol > >> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig > >> index 7c441f2bd444..43b88eaf0673 100644 > >> --- a/fs/nfsd/Kconfig > >> +++ b/fs/nfsd/Kconfig > >> @@ -73,7 +73,7 @@ config NFSD_V4 > >> bool "NFS server support for NFS version 4" > >> depends on NFSD && PROC_FS > >> select FS_POSIX_ACL > >> - select SUNRPC_GSS > >> + select RPCSEC_GSS_KRB5 > >> select CRYPTO NFSD_V4 selects CRYPTO, so there is no such issue here. > >> select CRYPTO_MD5 > >> select CRYPTO_SHA256 Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig index 14a72224b657..450d6c3bc05e 100644 --- a/fs/nfs/Kconfig +++ b/fs/nfs/Kconfig @@ -75,7 +75,7 @@ config NFS_V3_ACL config NFS_V4 tristate "NFS client support for NFS version 4" depends on NFS_FS - select SUNRPC_GSS + select RPCSEC_GSS_KRB5 select KEYS help This option enables support for version 4 of the NFS protocol diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig index 7c441f2bd444..43b88eaf0673 100644 --- a/fs/nfsd/Kconfig +++ b/fs/nfsd/Kconfig @@ -73,7 +73,7 @@ config NFSD_V4 bool "NFS server support for NFS version 4" depends on NFSD && PROC_FS select FS_POSIX_ACL - select SUNRPC_GSS + select RPCSEC_GSS_KRB5 select CRYPTO select CRYPTO_MD5 select CRYPTO_SHA256