Re: [PATCH 3/3] fwctl/mlx5: Invoke fw_validate_cmd LSM hook for fwctl commands

From: Jonathan Cameron

Date: Mon Mar 09 2026 - 11:18:45 EST


On Mon, 9 Mar 2026 13:15:20 +0200
Leon Romanovsky <leon@xxxxxxxxxx> wrote:

> From: Chiara Meiohas <cmeiohas@xxxxxxxxxx>
>
> fwctl is a subsystem which exposes a firmware interface directly to
> userspace: it allows userspace to send device-specific command
> buffers to firmware.
>
> Call security_fw_validate_cmd() before dispatching the user-provided
> firmware command.
>
> This allows security modules to implement custom policies and
> enforce per-command security policy on user-triggered firmware
> commands. For example, a BPF LSM program could filter firmware
> commands based on their opcode.
>
> Signed-off-by: Chiara Meiohas <cmeiohas@xxxxxxxxxx>
> Reviewed-by: Maher Sanalla <msanalla@xxxxxxxxxx>
> Signed-off-by: Edward Srouji <edwards@xxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
LGTM
Reviewed-by: Jonathan Cameron <jonathan.cameron@xxxxxxxxxx>