[PATCH 3/3] fwctl/mlx5: Invoke fw_validate_cmd LSM hook for fwctl commands

Jonathan Cameron jonathan.cameron at huawei.com
Mon Mar 9 15:12:44 UTC 2026


On Mon,  9 Mar 2026 13:15:20 +0200
Leon Romanovsky <leon at kernel.org> wrote:

> From: Chiara Meiohas <cmeiohas at nvidia.com>
> 
> fwctl is a subsystem which exposes a firmware interface directly to
> userspace: it allows userspace to send device-specific command
> buffers to firmware.
> 
> Call security_fw_validate_cmd() before dispatching the user-provided
> firmware command.
> 
> This allows security modules to implement custom policies and
> enforce per-command security policy on user-triggered firmware
> commands. For example, a BPF LSM program could filter firmware
> commands based on their opcode.
> 
> Signed-off-by: Chiara Meiohas <cmeiohas at nvidia.com>
> Reviewed-by: Maher Sanalla <msanalla at nvidia.com>
> Signed-off-by: Edward Srouji <edwards at nvidia.com>
> Signed-off-by: Leon Romanovsky <leonro at nvidia.com>
LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron at huawei.com>



