[PATCH 0/3] Firmware LSM hook
Leon Romanovsky
leon at kernel.org
Mon Mar 9 11:15:17 UTC 2026
From Chiara:
This patch set introduces a new LSM hook to validate firmware commands
triggered by userspace before they are submitted to the device. The hook
runs after the command buffer is constructed, right before it is sent
to firmware.
The goal is to allow a security module to allow or deny a given command
before it is submitted to firmware. BPF LSM can attach to this hook
to implement such policies. This allows fine-grained policies for different
firmware commands.
In this series, the new hook is called from RDMA uverbs and from the fwctl
subsystem. Both the uverbs and fwctl interfaces use ioctl, so an obvious
candidate would seem to be the file_ioctl hook. However, the userspace
attributes used to build the firmware command buffer are copied from
userspace (copy_from_user()) deep in the driver, depending on various
conditions. As a result, file_ioctl does not have the information required
to make a policy decision.
This newly introduced hook provides the command buffer together with relevant
metadata (device, command class, and a class-specific device identifier), so
security modules can distinguish between different command classes and devices.
The hook can be used by other drivers that submit firmware commands via a command
buffer.
Thanks
Signed-off-by: Leon Romanovsky <leonro at nvidia.com>
---
Chiara Meiohas (3):
lsm: add hook for firmware command validation
RDMA/mlx5: Invoke fw_validate_cmd LSM hook for DEVX commands
fwctl/mlx5: Invoke fw_validate_cmd LSM hook for fwctl commands
drivers/fwctl/mlx5/main.c | 12 +++++++--
drivers/infiniband/hw/mlx5/devx.c | 52 ++++++++++++++++++++++++++++++---------
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 25 +++++++++++++++++++
security/security.c | 26 ++++++++++++++++++++
5 files changed, 103 insertions(+), 14 deletions(-)
---
base-commit: 11439c4635edd669ae435eec308f4ab8a0804808
change-id: 20260309-fw-lsm-hook-7c094f909ffc
Best regards,
--
Leon Romanovsky <leonro at nvidia.com>
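As an added illustration (not code from the series or from mlx5), this user-space C model shows the decision point the cover letter describes: the command buffer is fully built from user attributes first, and only then is a validation hook called with the buffer plus its metadata (device, command class, class-specific device identifier), so a policy can decide per class and per device in a way a file_ioctl hook, which sees only the ioctl number and an opaque pointer, cannot. The hook name, struct, command classes, and deny rule are constructed for the model; the real hook signature is defined by the patches.

```c
/* Constructed model of the fw_validate_cmd decision point. All names here
 * (fw_cmd_class, fw_cmd_ctx, deny_rules) are hypothetical, not the series' API. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum fw_cmd_class { FW_CLASS_QUERY = 1, FW_CLASS_MODIFY = 2 }; /* constructed */

/* What the hook sees: the built command buffer plus its metadata. */
struct fw_cmd_ctx {
	const char *dev;             /* device the command is submitted to */
	enum fw_cmd_class cmd_class; /* command class */
	uint32_t class_dev_id;       /* class-specific device identifier */
	const uint8_t *buf;          /* command buffer, constructed in the driver */
	size_t len;
};

/* Hypothetical security-module policy, the kind of rule a BPF LSM attached to
 * the hook could express: deny MODIFY commands on one device, allow the rest. */
static const struct { enum fw_cmd_class cls; uint32_t dev_id; } deny_rules[] = {
	{ FW_CLASS_MODIFY, 7 },
};

static int policy_fw_validate_cmd(const struct fw_cmd_ctx *ctx)
{
	for (size_t i = 0; i < sizeof deny_rules / sizeof deny_rules[0]; i++)
		if (deny_rules[i].cls == ctx->cmd_class &&
		    deny_rules[i].dev_id == ctx->class_dev_id)
			return -EPERM;
	return 0;
}

/* Driver path: user attributes are parsed into the buffer first; the hook runs
 * after construction and before submission, so it sees the complete command.
 * In this constructed encoding the first attribute byte is the command class. */
int submit_fw_cmd(const char *dev, const uint8_t *user_attrs, size_t n,
		  uint32_t class_dev_id)
{
	uint8_t cmd_buf[64];

	if (n < 1 || n > sizeof cmd_buf)
		return -EINVAL;
	memcpy(cmd_buf, user_attrs, n); /* stands in for copy_from_user() */

	struct fw_cmd_ctx ctx = { dev, (enum fw_cmd_class)cmd_buf[0], class_dev_id,
				  cmd_buf, n };
	int ret = policy_fw_validate_cmd(&ctx); /* the LSM hook call site */
	if (ret)
		return ret;
	return 0; /* a real driver would hand cmd_buf to firmware here */
}
```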