Subject: Re: [PATCH v2 0/4] Firmware LSM hook
From: Casey Schaufler
Date: Mon, 13 Apr 2026 10:36:22 -0700
To: Jason Gunthorpe, Paul Moore
Cc: Leon Romanovsky, Roberto Sassu, KP Singh, Matt Bobrowski, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Saeed Mahameed, Itay Avraham, Dave Jiang, Jonathan Cameron, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-rdma@vger.kernel.org, Chiara Meiohas, Maher Sanalla, linux-security-module@vger.kernel.org, Casey Schaufler
X-Mailing-List: linux-security-module@vger.kernel.org
Message-ID:
In-Reply-To: <20260413164220.GP3694781@ziepe.ca>
References: <20260331-fw-lsm-hook-v2-0-78504703df1f@nvidia.com> <20260409121230.GA720371@unreal> <2dd138a2ae87f90c55dbc3178d9c798294fd4450.camel@huaweicloud.com> <20260409124553.GB720371@unreal> <20260412090006.GA21470@unreal> <20260413164220.GP3694781@ziepe.ca>

On 4/13/2026 9:42 AM, Jason Gunthorpe wrote:
> On Sun, Apr 12, 2026 at 09:38:35PM -0400, Paul Moore wrote:
>>> We are not limited to LSM solution, the goal is to intercept commands
>>> which are submitted to the FW and "security" bucket sounded right to us.
>> Yes, it does sound "security relevant", but without a well defined
>> interface/format it is going to be difficult to write a generic LSM to
>> have any level of granularity beyond a basic "load firmware"
>> permission.
> I think to step back a bit, what this is trying to achieve is very
> similar to the iptables fwmark/secmark scheme.
>
> secmark allows the user to specify programmable rules via iptables
> which results in each packet being tagged with a SELinux context and
> then the userspace policy can consume that and make security decision
> based on that.

If you want to pursue something like this DO NOT USE A u32 TO REPRESENT
THE SECURITY CONTEXT! Use a struct lsm_context pointer. The limitations
imposed by a "secid" don't show up in SELinux, which introduced them, but
they sure do in Smack, and they really gum up the works for general LSM
stacking.
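The following is an added user-space model of the secmark-style flow described in the thread, written to illustrate why a tag carried as a context record (rather than a single u32 secid) matters once more than one LSM is stacked. It is example code for this page, not code from the patch series, the kernel, or any participant. The struct deliberately mirrors only the field names of the kernel's struct lsm_context (context, len, id) as an assumption; the LSM identifiers, the rule table, the labels and the policy decisions are all constructed for the demonstration and do not reproduce SELinux or Smack semantics beyond the shape of "each module consumes its own label".

```c
#include <stdio.h>
#include <string.h>

/* Constructed LSM identifiers for this model (not the kernel's LSM_ID_* values). */
enum model_lsm_id { MODEL_LSM_SELINUX = 1, MODEL_LSM_SMACK = 2 };

/* Shaped like the kernel's struct lsm_context (context, len, id); this is an
 * assumption of the model, not a copy of the kernel header. */
struct model_lsm_context {
    const char *context;  /* textual label owned by one module */
    unsigned int len;
    int id;               /* which stacked LSM this label belongs to */
};

#define MAX_LSMS 2

/* The tag a packet carries: one context per stacked module. A single
 * u32 secid has room for exactly one module's opaque identifier. */
struct packet_tag {
    struct model_lsm_context ctx[MAX_LSMS];
    int n;
};

/* A tagging rule, the analogue of an iptables match plus a SECMARK target. */
struct tag_rule {
    unsigned short dport;
    int lsm_id;
    const char *label;
};

/* Constructed rule table: both modules tag port 80, only Smack tags port 22. */
static const struct tag_rule rules[] = {
    { 80, MODEL_LSM_SELINUX, "system_u:object_r:http_packet_t:s0" },
    { 80, MODEL_LSM_SMACK,   "Web" },
    { 22, MODEL_LSM_SMACK,   "Admin" },
};

/* Apply every matching rule; each module's label rides in its own slot. */
int tag_packet(unsigned short dport, struct packet_tag *tag)
{
    size_t nrules = sizeof rules / sizeof rules[0];

    tag->n = 0;
    for (size_t i = 0; i < nrules && tag->n < MAX_LSMS; i++) {
        if (rules[i].dport != dport)
            continue;
        tag->ctx[tag->n].context = rules[i].label;
        tag->ctx[tag->n].len = (unsigned int)strlen(rules[i].label);
        tag->ctx[tag->n].id = rules[i].lsm_id;
        tag->n++;
    }
    return tag->n;
}

/* Label attached by the given module, or NULL if that module did not tag. */
const char *tag_label_for(const struct packet_tag *tag, int lsm_id)
{
    for (int i = 0; i < tag->n; i++)
        if (tag->ctx[i].id == lsm_id)
            return tag->ctx[i].context;
    return NULL;
}

/* Constructed policy: each module consumes only its own label. The
 * SELinux-style rule admits http_packet_t only to the httpd_t subject; the
 * Smack-style rule requires the subject's label to equal the packet's.
 * Returns 1 if every module that tagged the packet allows delivery. */
int policy_allows(const struct packet_tag *tag,
                  const char *selinux_subject, const char *smack_subject)
{
    const char *se = tag_label_for(tag, MODEL_LSM_SELINUX);
    const char *sm = tag_label_for(tag, MODEL_LSM_SMACK);

    if (se && strcmp(se, "system_u:object_r:http_packet_t:s0") == 0 &&
        strcmp(selinux_subject, "httpd_t") != 0)
        return 0;
    if (sm && strcmp(sm, smack_subject) != 0)
        return 0;
    return 1;  /* untagged packets are not restricted by this model */
}

/* Tag a packet for the given port and run both modules' policy over it. */
int tag_and_check(unsigned short dport,
                  const char *selinux_subject, const char *smack_subject)
{
    struct packet_tag tag;

    tag_packet(dport, &tag);
    return policy_allows(&tag, selinux_subject, smack_subject);
}

/* Number of modules that tagged a packet to the given port. */
int tag_count(unsigned short dport)
{
    struct packet_tag tag;

    return tag_packet(dport, &tag);
}

int main(void)
{
    printf("port 80, httpd_t/Web : %s\n", tag_and_check(80, "httpd_t", "Web") ? "allow" : "deny");
    printf("port 80, user_t/Web  : %s\n", tag_and_check(80, "user_t", "Web") ? "allow" : "deny");
    printf("port 22, user_t/Admin: %s\n", tag_and_check(22, "user_t", "Admin") ? "allow" : "deny");
    return 0;
}
```

The point the model makes is structural: with a context record per module, the port 80 packet carries both an SELinux-style label and a Smack-style label, and each module's policy reads only its own slot. Collapsing the tag to one u32 would force the two modules to share a single opaque identifier, which is exactly the situation the reply warns against for stacked LSMs.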