Update kernel-uvm config to support extended attributes with CIFS

[Camelron]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

Context from customer who hit this issue:

"The Storage Mover team supports migration of SMB shares from on-premises environments and public clouds such as AWS (FSx). The service runs the Mover datapath inside a Linux container that performs SMB mounts. Since mounting is a privileged operation requiring root access, the service uses Kata containers. Kata provides the required privileges while maintaining strong isolation, which is critical because Storage Mover is a multi-tenant service and must not allow cross-customer data exposure.

However, the default Kata kernel configuration does not enable ACL support. This limitation prevents access to file ACLs, which are required to support full-fidelity migration of SMB permissions."

... paraphrasing, they are unable to access the extended attributes (CIFS_XATTR) on files they are migrating, so they have no way to migrate the file permissions across platforms. Furthermore, they need to be able to mount NFS volumes inside the Kata VMs.

Change Log

For kernel-uvm x86 only:

• Enable CONFIG_CIFS_UPCALL
• Enable CONFIG_CIFS_XATTR
• Enable CONFIG_CIFS_DFS_UPCALL
• Enable CONFIG_NFS_FS
• Enable CONFIG_NFS_COMMON
• Enable CONFIG_SUNRPC
• Enable CONFIG_SUNRPC_GSS
• Enable CONFIG_SUNRPC_BACKCHANNEL
• Enable CONFIG_NFS_V3
• Enable CONFIG_NFS_V3_ACL
• Enable CONFIG_LOCKD
• Enable CONFIG_NFS_V4
• Enable CONFIG_NFS_V4_1
• Enable CONFIG_NFS_V4_2
• Enable CONFIG_FS_POSIX_ACL
• Enable CONFIG_NFS_ACL_SUPPORT
• Enable CONFIG_NFS_USE_KERNEL_DNS
• Enable CONFIG_NFS_DISABLE_UDP_SUPPORT
• Enable CONFIG_NFS_FSCACHE

Does this affect the toolchain?

NO

Test Methodology

• Manually built and installed this kernel on an AKS kata image. See that the issue with CIFS is gone.
• fresh buddy build https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1038963&view=results
• fresh AKS image build https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1039063&view=results

[romoh]

Looks good to me.