1# SPDX-License-Identifier: GPL-2.0-only
2config CIFS
3	tristate "SMB3 and CIFS support (advanced network filesystem)"
4	depends on INET
5	select NLS
6	select CRYPTO
7	select CRYPTO_MD4
8	select CRYPTO_MD5
9	select CRYPTO_SHA256
10	select CRYPTO_SHA512
11	select CRYPTO_CMAC
12	select CRYPTO_HMAC
13	select CRYPTO_LIB_ARC4
14	select CRYPTO_AEAD2
15	select CRYPTO_CCM
16	select CRYPTO_GCM
17	select CRYPTO_ECB
18	select CRYPTO_AES
19	select CRYPTO_LIB_DES
20	select KEYS
21	select DNS_RESOLVER
22	help
23	  This is the client VFS module for the SMB3 family of NAS protocols,
24	  (including support for the most recent, most secure dialect SMB3.1.1)
25	  as well as for earlier dialects such as SMB2.1, SMB2 and the older
26	  Common Internet File System (CIFS) protocol.  CIFS was the successor
27	  to the original dialect, the Server Message Block (SMB) protocol, the
28	  native file sharing mechanism for most early PC operating systems.
29
30	  The SMB3 protocol is supported by most modern operating systems
31	  and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
32	  MacOS) and even in the cloud (e.g. Microsoft Azure).
33	  The older CIFS protocol was included in Windows NT4, 2000 and XP (and
34	  later) as well by Samba (which provides excellent CIFS and SMB3
35	  server support for Linux and many other operating systems). Use of
36	  dialects older than SMB2.1 is often discouraged on public networks.
37	  This module also provides limited support for OS/2 and Windows ME
38	  and similar very old servers.
39
40	  This module provides an advanced network file system client
41	  for mounting to SMB3 (and CIFS) compliant servers.  It includes
42	  support for DFS (hierarchical name space), secure per-user
43	  session establishment via Kerberos or NTLM or NTLMv2, RDMA
44	  (smbdirect), advanced security features, per-share encryption,
45	  directory leases, safe distributed caching (oplock), optional packet
46	  signing, Unicode and other internationalization improvements.
47
48	  In general, the default dialects, SMB3 and later, enable better
49	  performance, security and features, than would be possible with CIFS.
50	  Note that when mounting to Samba, due to the CIFS POSIX extensions,
51	  CIFS mounts can provide slightly better POSIX compatibility
52	  than SMB3 mounts. SMB2/SMB3 mount options are also
53	  slightly simpler (compared to CIFS) due to protocol improvements.
54
55	  If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.
56
57config CIFS_STATS2
58	bool "Extended statistics"
59	depends on CIFS
60	help
61	  Enabling this option will allow more detailed statistics on SMB
62	  request timing to be displayed in /proc/fs/cifs/DebugData and also
63	  allow optional logging of slow responses to dmesg (depending on the
64	  value of /proc/fs/cifs/cifsFYI). See Documentation/admin-guide/cifs/usage.rst
65	  for more details. These additional statistics may have a minor effect
66	  on performance and memory utilization.
67
68	  Unless you are a developer or are doing network performance analysis
69	  or tuning, say N.
70
71config CIFS_ALLOW_INSECURE_LEGACY
72	bool "Support legacy servers which use less secure dialects"
73	depends on CIFS
74	default y
75	help
76	  Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
77	  additional security features, including protection against
78	  man-in-the-middle attacks and stronger crypto hashes, so the use
79	  of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
80
81	  Disabling this option prevents users from using vers=1.0 or vers=2.0
82	  on mounts with cifs.ko
83
84	  If unsure, say Y.
85
86config CIFS_WEAK_PW_HASH
87	bool "Support legacy servers which use weaker LANMAN security"
88	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
89	help
90	  Modern CIFS servers including Samba and most Windows versions
91	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
92	  security mechanisms. These hash the password more securely
93	  than the mechanisms used in the older LANMAN version of the
94	  SMB protocol but LANMAN based authentication is needed to
95	  establish sessions with some old SMB servers.
96
97	  Enabling this option allows the cifs module to mount to older
98	  LANMAN based servers such as OS/2 and Windows 95, but such
99	  mounts may be less secure than mounts using NTLM or more recent
100	  security mechanisms if you are on a public network.  Unless you
101	  have a need to access old SMB servers (and are on a private
102	  network) you probably want to say N.  Even if this support
103	  is enabled in the kernel build, LANMAN authentication will not be
104	  used automatically. At runtime LANMAN mounts are disabled but
105	  can be set to required (or optional) either in
106	  /proc/fs/cifs (see Documentation/admin-guide/cifs/usage.rst for
107	  more detail) or via an option on the mount command. This support
108	  is disabled by default in order to reduce the possibility of a
109	  downgrade attack.
110
111	  If unsure, say N.
112
113config CIFS_UPCALL
114	bool "Kerberos/SPNEGO advanced session setup"
115	depends on CIFS
116	help
117	  Enables an upcall mechanism for CIFS which accesses userspace helper
118	  utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
119	  which are needed to mount to certain secure servers (for which more
120	  secure Kerberos authentication is required). If unsure, say Y.
121
122config CIFS_XATTR
123	bool "CIFS extended attributes"
124	depends on CIFS
125	help
126	  Extended attributes are name:value pairs associated with inodes by
127	  the kernel or by users (see the attr(5) manual page for details).
128	  CIFS maps the name of extended attributes beginning with the user
129	  namespace prefix to SMB/CIFS EAs.  EAs are stored on Windows
130	  servers without the user namespace prefix, but their names are
131	  seen by Linux cifs clients prefaced by the user namespace prefix.
132	  The system namespace (used by some filesystems to store ACLs) is
133	  not supported at this time.
134
135	  If unsure, say Y.
136
137config CIFS_POSIX
138	bool "CIFS POSIX Extensions"
139	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
140	help
141	  Enabling this option will cause the cifs client to attempt to
142	  negotiate a newer dialect with servers, such as Samba 3.0.5
143	  or later, that optionally can handle more POSIX like (rather
144	  than Windows like) file behavior.  It also enables
145	  support for POSIX ACLs (getfacl and setfacl) to servers
146	  (such as Samba 3.10 and later) which can negotiate
147	  CIFS POSIX ACL support.  If unsure, say N.
148
149config CIFS_DEBUG
150	bool "Enable CIFS debugging routines"
151	default y
152	depends on CIFS
153	help
154	  Enabling this option adds helpful debugging messages to
155	  the cifs code which increases the size of the cifs module.
156	  If unsure, say Y.
157
158config CIFS_DEBUG2
159	bool "Enable additional CIFS debugging routines"
160	depends on CIFS_DEBUG
161	help
162	  Enabling this option adds a few more debugging routines
163	  to the cifs code which slightly increases the size of
164	  the cifs module and can cause additional logging of debug
165	  messages in some error paths, slowing performance. This
166	  option can be turned off unless you are debugging
167	  cifs problems.  If unsure, say N.
168
169config CIFS_DEBUG_DUMP_KEYS
170	bool "Dump encryption keys for offline decryption (Unsafe)"
171	depends on CIFS_DEBUG
172	help
173	  Enabling this will dump the encryption and decryption keys
174	  used to communicate on an encrypted share connection on the
175	  console. This allows Wireshark to decrypt and dissect
176	  encrypted network captures. Enable this carefully.
177	  If unsure, say N.
178
179config CIFS_DFS_UPCALL
180	bool "DFS feature support"
181	depends on CIFS
182	help
183	  Distributed File System (DFS) support is used to access shares
184	  transparently in an enterprise name space, even if the share
185	  moves to a different server.  This feature also enables
186	  an upcall mechanism for CIFS which contacts userspace helper
187	  utilities to provide server name resolution (host names to
188	  IP addresses) which is needed in order to reconnect to
189	  servers if their addresses change or for implicit mounts of
190	  DFS junction points. If unsure, say Y.
191
192config CIFS_SWN_UPCALL
193	bool "SWN feature support"
194	depends on CIFS
195	help
196	  The Service Witness Protocol (SWN) is used to get notifications
197	  from a highly available server of resource state changes. This
198	  feature enables an upcall mechanism for CIFS which contacts a
199	  userspace daemon to establish the DCE/RPC connection to retrieve
200	  the cluster available interfaces and resource change notifications.
201	  If unsure, say Y.
202
203config CIFS_NFSD_EXPORT
204	bool "Allow nfsd to export CIFS file system"
205	depends on CIFS && BROKEN
206	help
207	  Allows NFS server to export a CIFS mounted share (nfsd over cifs)
208
209config CIFS_SMB_DIRECT
210	bool "SMB Direct support"
211	depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
212	help
213	  Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1.
214	  SMB Direct allows transferring SMB packets over RDMA. If unsure,
215	  say Y.
216
217config CIFS_FSCACHE
218	bool "Provide CIFS client caching support"
219	depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
220	help
221	  Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
222	  to be cached locally on disk through the general filesystem cache
223	  manager. If unsure, say N.
224
225config CIFS_ROOT
226	bool "SMB root file system (Experimental)"
227	depends on CIFS=y && IP_PNP
228	help
229	  Enables root file system support over SMB protocol.
230
231	  Most people say N here.
232