Re: [PATCH 1/3] lsm: add hook for firmware command validation

From: Leon Romanovsky

Date: Mon Mar 09 2026 - 11:35:23 EST


On Mon, Mar 09, 2026 at 03:02:53PM +0000, Jonathan Cameron wrote:
> On Mon, 9 Mar 2026 13:15:18 +0200
> Leon Romanovsky <leon@xxxxxxxxxx> wrote:
>
> > From: Chiara Meiohas <cmeiohas@xxxxxxxxxx>
> >
> > Drivers typically communicate with device firmware either via
> > register-based commands (writing parameters into device registers)
> > or by passing a command buffer using shared-memory mechanisms.
> >
> > This hook targets the command buffer mechanism, which is commonly
> > used on modern, complex devices.
> >
> > Add the LSM hook fw_validate_cmd. This hook allows inspecting
> > firmware command buffers before they are sent to the device.
> > The hook receives the command buffer, device, command class, and a
> > class-specific id:
> > - class_id (enum fw_cmd_class) allows security modules to
> >   differentiate between classes of firmware commands.
> >   In this series, class_id distinguishes between commands from the
> >   RDMA uverbs interface and from fwctl.
> > - id is a class-specific device identifier. For uverbs, id is the
> >   RDMA driver identifier (enum rdma_driver_id). For fwctl, id is the
> >   device type (enum fwctl_device_type).
> >
> > Signed-off-by: Chiara Meiohas <cmeiohas@xxxxxxxxxx>
> > Reviewed-by: Maher Sanalla <msanalla@xxxxxxxxxx>
> > Signed-off-by: Edward Srouji <edwards@xxxxxxxxxx>
> > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
> Hi Leon,
>
> To me this seems sensible, but LSM isn't an area I know that much about.
>
> With that in mind:
> Reviewed-by: Jonathan Cameron <jonathan.cameron@xxxxxxxxxx>
>
> A few formatting related comments inline.

Thanks for the feedback. I’ve addressed all comments and will send a new
revision within the next few days.

Thanks