On Thu, Apr 09, 2026 at 02:27:43PM +0200, Roberto Sassu wrote: > On Thu, 2026-04-09 at 15:12 +0300, Leon Romanovsky wrote: > > On Tue, Mar 31, 2026 at 08:56:32AM +0300, Leon Romanovsky wrote: > > > From Chiara: > > > > > > This patch set introduces a new BPF LSM hook to validate firmware commands > > > triggered by userspace before they are submitted to the device. The hook > > > runs after the command buffer is constructed, right before it is sent > > > to firmware. > > > > <...> > > > > > --- > > > Chiara Meiohas (4): > > > bpf: add firmware command validation hook > > > selftests/bpf: add test cases for fw_validate_cmd hook > > > RDMA/mlx5: Externally validate FW commands supplied in DEVX > > > interface > > > fwctl/mlx5: Externally validate FW commands supplied in fwctl > > > > Hi, > > > > Can we get Ack from BPF/LSM side? > > + Paul, linux-security-module ML > > Hi > > probably you also want to get an Ack from the LSM maintainer (added in > CC with the list). Most likely, he will also ask you to create the > security_*() functions counterparts of the BPF hooks.
We implemented this approach in v1: https://patch.msgid.link/[email protected] and were advised to pursue a different direction. Thanks > > Roberto > > > Thanks > > > > > > > > drivers/fwctl/mlx5/main.c | 12 +++++- > > > drivers/infiniband/hw/mlx5/devx.c | 49 > > > ++++++++++++++++++------ > > > include/linux/bpf_lsm.h | 41 > > > ++++++++++++++++++++ > > > kernel/bpf/bpf_lsm.c | 11 ++++++ > > > tools/testing/selftests/bpf/progs/verifier_lsm.c | 23 +++++++++++ > > > 5 files changed, 122 insertions(+), 14 deletions(-) > > > --- > > > base-commit: 11439c4635edd669ae435eec308f4ab8a0804808 > > > change-id: 20260309-fw-lsm-hook-7c094f909ffc > > > > > > Best regards, > > > -- > > > Leon Romanovsky <[email protected]> > > > > >
