[PATCH 1/3] lsm: add hook for firmware command validation
Leon Romanovsky
leon at kernel.org
Mon Mar 9 15:25:34 UTC 2026
On Mon, Mar 09, 2026 at 03:02:53PM +0000, Jonathan Cameron wrote:
> On Mon, 9 Mar 2026 13:15:18 +0200
> Leon Romanovsky <leon at kernel.org> wrote:
>
> > From: Chiara Meiohas <cmeiohas at nvidia.com>
> >
> > Drivers typically communicate with device firmware either via
> > register-based commands (writing parameters into device registers)
> > or by passing a command buffer using shared-memory mechanisms.
> >
> > This hook targets the command buffer mechanism, which is commonly
> > used on modern, complex devices.
> >
> > Add the LSM hook fw_validate_cmd. This hook allows inspecting
> > firmware command buffers before they are sent to the device.
> > The hook receives the command buffer, device, command class, and a
> > class-specific id:
> >  - class_id (enum fw_cmd_class) allows security modules to
> >    differentiate between classes of firmware commands.
> >    In this series, class_id distinguishes between commands from the
> >    RDMA uverbs interface and from fwctl.
> >  - id is a class-specific device identifier. For uverbs, id is the
> >    RDMA driver identifier (enum rdma_driver_id). For fwctl, id is the
> >    device type (enum fwctl_device_type).
> >
> > Signed-off-by: Chiara Meiohas <cmeiohas at nvidia.com>
> > Reviewed-by: Maher Sanalla <msanalla at nvidia.com>
> > Signed-off-by: Edward Srouji <edwards at nvidia.com>
> > Signed-off-by: Leon Romanovsky <leonro at nvidia.com>
> Hi Leon,
>
> To me this seems sensible, but LSM isn't an area I know that much about.
>
> With that in mind:
> Reviewed-by: Jonathan Cameron <jonathan.cameron at huawei.com>
>
> A few formatting related comments inline.
Thanks for the feedback. I’ve addressed all comments and will send a new
revision within the next few days.
Thanks