# SPDX-License-Identifier: GPL-2.0-only
config CONFIG_CIFS
	tristate "SMB3 and CIFS support (advanced network filesystem)"
	depends on CONFIG_INET
	select CONFIG_NLS
	select CONFIG_CRYPTO
	select CONFIG_CRYPTO_MD4
	select CONFIG_CRYPTO_MD5
	select CONFIG_CRYPTO_SHA256
	select CONFIG_CRYPTO_SHA512
	select CONFIG_CRYPTO_CMAC
	select CONFIG_CRYPTO_HMAC
	select CONFIG_CRYPTO_LIB_ARC4
	select CONFIG_CRYPTO_AEAD2
	select CONFIG_CRYPTO_CCM
	select CONFIG_CRYPTO_GCM
	select CONFIG_CRYPTO_ECB
	select CONFIG_CRYPTO_AES
	select CONFIG_CRYPTO_LIB_DES
	select CONFIG_KEYS
	help
	  This is the client VFS module for the SMB3 family of NAS protocols,
	  (including support for the most recent, most secure dialect SMB3.1.1)
	  as well as for earlier dialects such as SMB2.1, SMB2 and the older
	  Common Internet File System (CONFIG_CIFS) protocol.  CONFIG_CIFS was the successor
	  to the original dialect, the Server Message Block (SMB) protocol, the
	  native file sharing mechanism for most early PC operating systems.

	  The SMB3 protocol is supported by most modern operating systems
	  and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
	  MacOS) and even in the cloud (e.g. Microsoft Azure).
	  The older CONFIG_CIFS protocol was included in Windows NT4, 2000 and XP (and
	  later) as well by Samba (which provides excellent CONFIG_CIFS and SMB3
	  server support for Linux and many other operating systems). Use of
	  dialects older than SMB2.1 is often discouraged on public networks.
	  This module also provides limited support for OS/2 and Windows ME
	  and similar very old servers.

	  This module provides an advanced network file system client
	  for mounting to SMB3 (and CONFIG_CIFS) compliant servers.  It includes
	  support for DFS (hierarchical name space), secure per-user
	  session establishment via Kerberos or NTLM or NTLMv2, RDMA
	  (smbdirect), advanced security features, per-share encryption,
	  directory leases, safe distributed caching (oplock), optional packet
	  signing, Unicode and other internationalization improvements.

	  In general, the default dialects, SMB3 and later, enable better
	  performance, security and features, than would be possible with CONFIG_CIFS.
	  Note that when mounting to Samba, due to the CONFIG_CIFS POSIX extensions,
	  CONFIG_CIFS mounts can provide slightly better POSIX compatibility
	  than SMB3 mounts. SMB2/SMB3 mount options are also
	  slightly simpler (compared to CONFIG_CIFS) due to protocol improvements.

	  If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.

config CONFIG_CIFS_STATS2
	bool "Extended statistics"
	depends on CONFIG_CIFS
	help
	  Enabling this option will allow more detailed statistics on SMB
	  request timing to be displayed in /proc/fs/cifs/DebugData and also
	  allow optional logging of slow responses to dmesg (depending on the
	  value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
	  These additional statistics may have a minor effect on performance
	  and memory utilization.

	  Unless you are a developer or are doing network performance analysis
	  or tuning, say N.

config CONFIG_CIFS_ALLOW_INSECURE_LEGACY
	bool "Support legacy servers which use less secure dialects"
	depends on CONFIG_CIFS
	default y
	help
	  Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
	  additional security features, including protection against
	  man-in-the-middle attacks and stronger crypto hashes, so the use
	  of legacy dialects (SMB1/CONFIG_CIFS and SMB2.0) is discouraged.

	  Disabling this option prevents users from using vers=1.0 or vers=2.0
	  on mounts with cifs.ko

	  If unsure, say Y.

config CONFIG_CIFS_WEAK_PW_HASH
	bool "Support legacy servers which use weaker LANMAN security"
	depends on CONFIG_CIFS && CONFIG_CIFS_ALLOW_INSECURE_LEGACY
	help
	  Modern CONFIG_CIFS servers including Samba and most Windows versions
	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
	  security mechanisms. These hash the password more securely
	  than the mechanisms used in the older LANMAN version of the
	  SMB protocol but LANMAN based authentication is needed to
	  establish sessions with some old SMB servers.

	  Enabling this option allows the cifs module to mount to older
	  LANMAN based servers such as OS/2 and Windows 95, but such
	  mounts may be less secure than mounts using NTLM or more recent
	  security mechanisms if you are on a public network.  Unless you
	  have a need to access old SMB servers (and are on a private
	  network) you probably want to say N.  Even if this support
	  is enabled in the kernel build, LANMAN authentication will not be
	  used automatically. At runtime LANMAN mounts are disabled but
	  can be set to required (or optional) either in
	  /proc/fs/cifs (see fs/cifs/README for more detail) or via an
	  option on the mount command. This support is disabled by
	  default in order to reduce the possibility of a downgrade
	  attack.

	  If unsure, say N.

config CONFIG_CIFS_UPCALL
	bool "Kerberos/SPNEGO advanced session setup"
	depends on CONFIG_CIFS
	select CONFIG_DNS_RESOLVER
	help
	  Enables an upcall mechanism for CONFIG_CIFS which accesses userspace helper
	  utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
	  which are needed to mount to certain secure servers (for which more
	  secure Kerberos authentication is required). If unsure, say Y.

config CONFIG_CIFS_XATTR
	bool "CIFS extended attributes"
	depends on CONFIG_CIFS
	help
	  Extended attributes are name:value pairs associated with inodes by
	  the kernel or by users (see the attr(5) manual page for details).
	  CONFIG_CIFS maps the name of extended attributes beginning with the user
	  namespace prefix to SMB/CONFIG_CIFS EAs.  EAs are stored on Windows
	  servers without the user namespace prefix, but their names are
	  seen by Linux cifs clients prefaced by the user namespace prefix.
	  The system namespace (used by some filesystems to store ACLs) is
	  not supported at this time.

	  If unsure, say Y.

config CONFIG_CIFS_POSIX
	bool "CIFS POSIX Extensions"
	depends on CONFIG_CIFS && CONFIG_CIFS_ALLOW_INSECURE_LEGACY && CONFIG_CIFS_XATTR
	help
	  Enabling this option will cause the cifs client to attempt to
	  negotiate a newer dialect with servers, such as Samba 3.0.5
	  or later, that optionally can handle more POSIX like (rather
	  than Windows like) file behavior.  It also enables
	  support for POSIX ACLs (getfacl and setfacl) to servers
	  (such as Samba 3.10 and later) which can negotiate
	  CONFIG_CIFS POSIX ACL support.  If unsure, say N.

config CONFIG_CIFS_DEBUG
	bool "Enable CIFS debugging routines"
	default y
	depends on CONFIG_CIFS
	help
	  Enabling this option adds helpful debugging messages to
	  the cifs code which increases the size of the cifs module.
	  If unsure, say Y.

config CONFIG_CIFS_DEBUG2
	bool "Enable additional CIFS debugging routines"
	depends on CONFIG_CIFS_DEBUG
	help
	  Enabling this option adds a few more debugging routines
	  to the cifs code which slightly increases the size of
	  the cifs module and can cause additional logging of debug
	  messages in some error paths, slowing performance. This
	  option can be turned off unless you are debugging
	  cifs problems.  If unsure, say N.

config CONFIG_CIFS_DEBUG_DUMP_KEYS
	bool "Dump encryption keys for offline decryption (Unsafe)"
	depends on CONFIG_CIFS_DEBUG
	help
	  Enabling this will dump the encryption and decryption keys
	  used to communicate on an encrypted share connection on the
	  console. This allows Wireshark to decrypt and dissect
	  encrypted network captures. Enable this carefully.
	  If unsure, say N.

config CONFIG_CIFS_DFS_UPCALL
	bool "DFS feature support"
	depends on CONFIG_CIFS
	select CONFIG_DNS_RESOLVER
	help
	  Distributed File System (DFS) support is used to access shares
	  transparently in an enterprise name space, even if the share
	  moves to a different server.  This feature also enables
	  an upcall mechanism for CONFIG_CIFS which contacts userspace helper
	  utilities to provide server name resolution (host names to
	  IP addresses) which is needed in order to reconnect to
	  servers if their addresses change or for implicit mounts of
	  DFS junction points. If unsure, say Y.

config CONFIG_CIFS_NFSD_EXPORT
	bool "Allow nfsd to export CIFS file system"
	depends on CONFIG_CIFS && CONFIG_BROKEN
	help
	  Allows NFS server to export a CONFIG_CIFS mounted share (nfsd over cifs)

config CONFIG_CIFS_SMB_DIRECT
	bool "SMB Direct support"
	depends on CONFIG_CIFS=m && CONFIG_INFINIBAND && CONFIG_INFINIBAND_ADDR_TRANS || CONFIG_CIFS=y && CONFIG_INFINIBAND=y && CONFIG_INFINIBAND_ADDR_TRANS=y
	help
	  Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1.
	  SMB Direct allows transferring SMB packets over RDMA. If unsure,
	  say N.

config CONFIG_CIFS_FSCACHE
	bool "Provide CIFS client caching support"
	depends on CONFIG_CIFS=m && CONFIG_FSCACHE || CONFIG_CIFS=y && CONFIG_FSCACHE=y
	help
	  Makes CONFIG_CIFS FS-Cache capable. Say Y here if you want your CONFIG_CIFS data
	  to be cached locally on disk through the general filesystem cache
	  manager. If unsure, say N.

config CONFIG_CIFS_ROOT
	bool "SMB root file system (Experimental)"
	depends on CONFIG_CIFS=y && CONFIG_IP_PNP
	help
	  Enables root file system support over SMB protocol.

	  Most people say N here.