From: Leon Romanovsky <leon@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>,
Roberto Sassu <roberto.sassu@huaweicloud.com>,
KP Singh <kpsingh@kernel.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>,
Saeed Mahameed <saeedm@nvidia.com>,
Itay Avraham <itayavr@nvidia.com>,
Dave Jiang <dave.jiang@intel.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-rdma@vger.kernel.org,
Chiara Meiohas <cmeiohas@nvidia.com>,
Maher Sanalla <msanalla@nvidia.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 0/4] Firmware LSM hook
Date: Tue, 12 May 2026 11:51:18 +0300
Message-ID: <20260512085118.GP15586@unreal>
In-Reply-To: <CAHC9VhTsx6cpKMP8nVgK4F=drXTFJtK3_D9k9pmKr56+ZFUu9w@mail.gmail.com>
On Mon, May 04, 2026 at 06:33:45PM -0400, Paul Moore wrote:
> On Fri, Apr 24, 2026 at 6:13 PM Jason Gunthorpe <jgg@ziepe.ca> wrote:
> >
> > ... I wonder if we are even speaking the same language.
>
> Let's reset the conversation.
>
> As I understand it, based on our discussion in this thread and Leon's
> previous patchsets, the basic idea is to enable LSMs to enforce access
> control over fwctl requests/commands sent from userspace. I'm going
> to start with that as a basis.
Yes, we proposed two users: FWCTL and RDMA DevX. Both are relevant, but
FWCTL is the higher priority.
>
> Using the kernel's docs on fwctl, the userspace API appears to consist
> mostly of ioctls with some basic sysfs interfaces. It looks like we
> can mostly ignore the sysfs interface and focus on the ioctl side of
> the API, do you agree?
Yes, all FW commands are routed through ioctls.
>
> https://docs.kernel.org/userspace-api/fwctl/fwctl.html
>
> While normally I would suggest simply using the existing
> security_file_ioctl() hook, Leon previously mentioned that the hook is
> too early for fwctl as the userspace copy happens much later.
I talked about the general verbs interface in RDMA.
Thanks