[PATCH v2 0/4] Firmware LSM hook
Leon Romanovsky
leon at kernel.org
Thu Apr 9 12:45:53 UTC 2026
On Thu, Apr 09, 2026 at 02:27:43PM +0200, Roberto Sassu wrote:
> On Thu, 2026-04-09 at 15:12 +0300, Leon Romanovsky wrote:
> > On Tue, Mar 31, 2026 at 08:56:32AM +0300, Leon Romanovsky wrote:
> > > From Chiara:
> > >
> > > This patch set introduces a new BPF LSM hook to validate firmware commands
> > > triggered by userspace before they are submitted to the device. The hook
> > > runs after the command buffer is constructed, right before it is sent
> > > to firmware.
> >
> > <...>
> >
> > > ---
> > > Chiara Meiohas (4):
> > > bpf: add firmware command validation hook
> > > selftests/bpf: add test cases for fw_validate_cmd hook
> > > RDMA/mlx5: Externally validate FW commands supplied in DEVX interface
> > > fwctl/mlx5: Externally validate FW commands supplied in fwctl
> >
> > Hi,
> >
> > Can we get Ack from BPF/LSM side?
>
> + Paul, linux-security-module ML
>
> Hi
>
> probably you also want to get an Ack from the LSM maintainer (added in
> CC with the list). Most likely, he will also ask you to create the
> security_*() functions counterparts of the BPF hooks.

We implemented this approach in v1:
https://patch.msgid.link/20260309-fw-lsm-hook-v1-0-4a6422e63725@nvidia.com
and were advised to pursue a different direction.

Thanks

>
> Roberto
>
> > Thanks
> >
> > >
> > > drivers/fwctl/mlx5/main.c | 12 +++++-
> > > drivers/infiniband/hw/mlx5/devx.c | 49 ++++++++++++++++++------
> > > include/linux/bpf_lsm.h | 41 ++++++++++++++++++++
> > > kernel/bpf/bpf_lsm.c | 11 ++++++
> > > tools/testing/selftests/bpf/progs/verifier_lsm.c | 23 +++++++++++
> > > 5 files changed, 122 insertions(+), 14 deletions(-)
> > > ---
> > > base-commit: 11439c4635edd669ae435eec308f4ab8a0804808
> > > change-id: 20260309-fw-lsm-hook-7c094f909ffc
> > >
> > > Best regards,
> > > --
> > > Leon Romanovsky <leonro at nvidia.com>
> > >
>
>