> On Mar 27, 2023, at 11:48 AM, Niklas Söderlund <niklas.soderlund@xxxxxxxxxxxx> wrote:
>
> Hi Chuck,
>
> This commits seems to have been picked up already, but FWIW it produces
> two new warnings with shmobile_defconfig.
>
> WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> Selected by [y]:
> - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
>
> WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
> Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
> Selected by [y]:
> - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
I received a bot warning about this a few days ago, but it did not
appear that it was a priority.
The easiest thing to do would be to revert it, but I'm not clear
on what the impact of this new issue is.
> On 2023-03-08 09:45:09 -0500, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@xxxxxxxxxx>
>>
>> Geert reports that:
>>> On v6.2, "make ARCH=m68k defconfig" gives you
>>> CONFIG_RPCSEC_GSS_KRB5=m
>>> On v6.3, it became builtin, due to dropping the dependencies on
>>> the individual crypto modules.
>>>
>>> $ grep -E "CRYPTO_(MD5|DES|CBC|CTS|ECB|HMAC|SHA1|AES)" .config
>>> CONFIG_CRYPTO_AES=y
>>> CONFIG_CRYPTO_AES_TI=m
>>> CONFIG_CRYPTO_DES=m
>>> CONFIG_CRYPTO_CBC=m
>>> CONFIG_CRYPTO_CTS=m
>>> CONFIG_CRYPTO_ECB=m
>>> CONFIG_CRYPTO_HMAC=m
>>> CONFIG_CRYPTO_MD5=m
>>> CONFIG_CRYPTO_SHA1=m
>>
>> This behavior is triggered by the "default y" in the definition of
>> RPCSEC_GSS.
>>
>> The "default y" was added in 2010 by commit df486a25900f ("NFS: Fix
>> the selection of security flavours in Kconfig"). However,
>> svc_gss_principal was removed in 2012 by commit 03a4e1f6ddf2
>> ("nfsd4: move principal name into svc_cred"), so the 2010 fix is
>> no longer necessary. We can safely change the NFS_V4 and NFSD_V4
>> dependencies back to RPCSEC_GSS_KRB5 to get the nicer v6.2
>> behavior back.
>>
>> Selecting KRB5 symbolically represents the true requirement here:
>> that all spec-compliant NFSv4 implementations must have Kerberos
>> available to use.
>>
>> Reported-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
>> ---
>> fs/nfs/Kconfig | 2 +-
>> fs/nfsd/Kconfig | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index 14a72224b657..450d6c3bc05e 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -75,7 +75,7 @@ config NFS_V3_ACL
>> config NFS_V4
>> tristate "NFS client support for NFS version 4"
>> depends on NFS_FS
>> - select SUNRPC_GSS
>> + select RPCSEC_GSS_KRB5
>> select KEYS
>> help
>> This option enables support for version 4 of the NFS protocol
>> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
>> index 7c441f2bd444..43b88eaf0673 100644
>> --- a/fs/nfsd/Kconfig
>> +++ b/fs/nfsd/Kconfig
>> @@ -73,7 +73,7 @@ config NFSD_V4
>> bool "NFS server support for NFS version 4"
>> depends on NFSD && PROC_FS
>> select FS_POSIX_ACL
>> - select SUNRPC_GSS
>> + select RPCSEC_GSS_KRB5
>> select CRYPTO
>> select CRYPTO_MD5
>> select CRYPTO_SHA256
>>
>>
>
> --
> Kind Regards,
> Niklas Söderlund
--
Chuck Lever
