From nobody Wed Apr 1 14:14:56 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 26307371888; Tue, 31 Mar 2026 05:56:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774936618; cv=none; b=f+P9b2hsVmMA/nfCdjp43vNPwczC7UpV9piATV+k55sDV6Gnmg37YnVV14YqLR0XQCfTIQAryKzVxBHCy0wntrW0HHVnpqzK9BV9xv3Nk6vYye8otd5rbGKLMdM5+h4scyNWMzksBuGv5foG8R0B/82aHHJFDUxwVtgCPwCLSLw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774936618; c=relaxed/simple; bh=5k4T59VFMXQz4OG6JuaoBzpu2XM/Crd28cH9bMwomqg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=KofVrVJ3RmeAAKDdBXqT7/bdgyaEXvQzpOz3ZA5oZ7VByaSPj5ocJRYs8Lla3gCNIkyFlwRukV/5eagX7VxLF9btmGnW3uP2wQhoB9vieBMSgdRnw99bNoruE3tTkUF0aAFANFMk2ujro9n0YMVPwtfNlEj9+ZoAbqvf3UrDBi4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=mQB++NZ7; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="mQB++NZ7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 09719C19423; Tue, 31 Mar 2026 05:56:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774936617; bh=5k4T59VFMXQz4OG6JuaoBzpu2XM/Crd28cH9bMwomqg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mQB++NZ7favTt7zBJAmAee27yfICYaVMXGS3znVvRwI+zSm4HOdxscrw/IoIqHWfR PjkZXfY2urp0+wtffL5e8OgaHdqH+we7dT73ogipnwzkUs4im9hG/8gEDDX5T7fcoC Tq9F8lVpgMJlwW5LuUatq1ZPi7MBY9XUOU5UGklFGMogahi61m1X4XLlq7w1BuA/eo cc0xKcYlHgzMOS/8c25bHpjhDqu2wHNOZQbHYcVqsEQkeqZpbzOBrJ+7ZYdAu87opO vadPPXXxliFaLMBwqwVDrSbkT78BbcKtL+NrpaojzcxTucsctkZtzTdQf48jOK8WDZ ffBnqz9lggytQ== From: Leon Romanovsky To: KP Singh , Matt Bobrowski , Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , Stanislav Fomichev , Hao Luo , Jiri Olsa , Shuah Khan , Leon Romanovsky , Jason Gunthorpe , Saeed Mahameed , Itay Avraham , Dave Jiang , Jonathan Cameron Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-rdma@vger.kernel.org, Chiara Meiohas , Maher Sanalla , Jonathan Cameron Subject: [PATCH v2 4/4] fwctl/mlx5: Externally validate FW commands supplied in fwctl Date: Tue, 31 Mar 2026 08:56:36 +0300 Message-ID: <20260331-fw-lsm-hook-v2-4-78504703df1f@nvidia.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260331-fw-lsm-hook-v2-0-78504703df1f@nvidia.com> References: <20260331-fw-lsm-hook-v2-0-78504703df1f@nvidia.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" X-Mailer: b4 0.15-dev-18f8f Content-Transfer-Encoding: quoted-printable From: Chiara Meiohas fwctl is subsystem which exposes a firmware interface directly to userspace: it allows userspace to send device specific command buffers to firmware. fwctl is focused on debugging, configuration and provisioning of the device. Call bpf_lsm_fw_validate_cmd() before dispatching the user-provided firmware command. This allows BPF programs to implement custom policies and enforce per-command security policy on user-triggered firmware commands. For example, a BPF program could filter firmware commands based on their opcode. Signed-off-by: Chiara Meiohas Reviewed-by: Maher Sanalla Reviewed-by: Jonathan Cameron Reviewed-by: Dave Jiang Signed-off-by: Leon Romanovsky --- drivers/fwctl/mlx5/main.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/fwctl/mlx5/main.c b/drivers/fwctl/mlx5/main.c index e86ab703c767a..c49dfa1d172d9 100644 --- a/drivers/fwctl/mlx5/main.c +++ b/drivers/fwctl/mlx5/main.c @@ -7,6 +7,7 @@ #include #include #include +#include =20 #define mlx5ctl_err(mcdev, format, ...) \ dev_err(&mcdev->fwctl.dev, format, ##__VA_ARGS__) @@ -324,6 +325,15 @@ static void *mlx5ctl_fw_rpc(struct fwctl_uctx *uctx, e= num fwctl_rpc_scope scope, if (!mlx5ctl_validate_rpc(rpc_in, scope)) return ERR_PTR(-EBADMSG); =20 + /* Enforce the user context for the command */ + MLX5_SET(mbox_in_hdr, rpc_in, uid, mfd->uctx_uid); + + ret =3D bpf_lsm_fw_validate_cmd(rpc_in, in_len, &mcdev->fwctl.dev, + FW_CMD_CLASS_FWCTL, + FWCTL_DEVICE_TYPE_MLX5); + if (ret) + return ERR_PTR(ret); + /* * mlx5_cmd_do() copies the input message to its own buffer before * executing it, so we can reuse the allocation for the output. @@ -336,8 +346,6 @@ static void *mlx5ctl_fw_rpc(struct fwctl_uctx *uctx, en= um fwctl_rpc_scope scope, return ERR_PTR(-ENOMEM); } =20 - /* Enforce the user context for the command */ - MLX5_SET(mbox_in_hdr, rpc_in, uid, mfd->uctx_uid); ret =3D mlx5_cmd_do(mcdev->mdev, rpc_in, in_len, rpc_out, *out_len); =20 mlx5ctl_dbg(mcdev, --=20 2.53.0