[RFC] disable NFS support by default

Peter Robinson pbrobinson at gmail.com
Wed Jun 14 09:35:38 CEST 2023


On Wed, Jun 14, 2023 at 12:34 AM Bin Meng <bmeng.cn at gmail.com> wrote:
>
> On Wed, Jun 14, 2023 at 2:41 AM Tom Rini <trini at konsulko.com> wrote:
> >
> > On Tue, Jun 13, 2023 at 11:52:16AM +0100, Peter Robinson wrote:
> >
> > > While NFS is widely used in data centres and private
> > > networks, it's quite a nuanced use case for device firmware.
> > > A lot of devices already disable it.
> > >
> > > Various network protocols should really be opt in, not opt
> > > out, because they add extra size and are potential attack
> > > vectors from a security PoV. In the NFS case it doesn't
> > > really make sense for a lot of devices like tablets, SBCs etc.
> > > It's also something we don't really want for SystemReady-IR
> > > due to security concerns.
> > >
> > > Signed-off-by: Peter Robinson <pbrobinson at gmail.com>
> > > ---
> > >
> > > This is an RFC to start a discussion around things like NFS,
> > > with the addition of old protocols like NFSv1 that were never
> > > publicly released [1] we really shouldn't be enabling this by
> > > default.
> > >
> > > I am aware it will likely break the functionality for users
> > > that do use the various versions of NFS but it's straightforward
> > > to add CMD_NFS as an explicit config. It's for this reason I
> > > label the patch as RFC.
> > >
> > > There was about a 5Kb saving here when I tested a build with
> > > pinebook-pro-rk3399.
> > >
> > > Peter
> > >
> > > [1] https://en.wikipedia.org/wiki/Network_File_System
> > [snip]
> >
> > This is probably fine, honestly. I don't see any environments that
> > default to making use of NFS within U-Boot (which is not the same as
> > nfsroot for Linux, which a number of platforms have options for by
> > default).
> >
>
> How about changing
>
> config CMD_NFS
>         bool "nfs"
>         default y
>         help
>           Boot image via network using NFS protocol.
>
> To
>
> default n ?

The default is n so just removing it has the same effect, and that's
what most, but not all, things do. See CMD_RARP in the same list.

Peter
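
A check for the opt-in policy discussed in this thread, added here as an example and not taken from the thread or from the U-Boot tree: it reads a generated .config and reports network commands that are enabled without being explicitly allowed for the board. The function names and the NET_CMDS variable are hypothetical, the symbol list defaults to the two named in the thread (CMD_NFS, CMD_RARP), and the sample .config is constructed.

```shell
#!/bin/sh
# Added example (not U-Boot code): audit a .config for opt-in network commands.

# kconfig_state FILE SYMBOL -> prints the symbol's value, or "n" if disabled.
kconfig_state() {
    file=$1 sym=$2
    # An enabled bool is written as CONFIG_<SYM>=y. A disabled one is either
    # "# CONFIG_<SYM> is not set" or missing from the file; both mean n,
    # which is also what a Kconfig bool with no "default" line resolves to.
    val=$(sed -n "s/^CONFIG_${sym}=//p" "$file" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# audit_net_cmds FILE [ALLOWED_SYMBOL...]
# Prints each audited symbol that is enabled but not allowed; returns 1 if any.
audit_net_cmds() {
    file=$1; shift
    allowed=" $* "
    rc=0
    # NET_CMDS is a hypothetical override for the list of symbols to audit.
    for sym in ${NET_CMDS:-CMD_NFS CMD_RARP}; do
        [ "$(kconfig_state "$file" "$sym")" = y ] || continue
        case $allowed in
            *" $sym "*) ;;                      # board opted in explicitly
            *) printf '%s\n' "$sym"; rc=1 ;;    # enabled only by a default
        esac
    done
    return $rc
}

# Constructed sample .config, not taken from any real board.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_CMD_NFS=y
# CONFIG_CMD_RARP is not set
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_net_cmds "$cfg" || echo "^ enabled but not on the allowlist"
audit_net_cmds "$cfg" CMD_NFS && echo "ok: CMD_NFS is an explicit opt-in"
rm -f "$cfg"
```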

