Re: [PATCH 09/12] libbpf: Update light skeleton for signing
From: Alexei Starovoitov <hidden>
Date: 2025-06-09 21:42:11
On Fri, Jun 6, 2025 at 4:29 PM KP Singh [off-list ref] wrote:
* The metadata map is created as an exclusive map (with an excl_prog_hash). This restricts map access exclusively to the signed loader program, preventing tampering by other processes.
* The map is then frozen, making it read-only from userspace.
* BPF_OBJ_GET_INFO_BY_ID instructs the kernel to compute the hash of the metadata map (H') and store it in bpf_map->sha.
* The loader is then loaded with the signature which is then verified by the kernel.

The skeleton currently uses the session keyring (KEY_SPEC_SESSION_KEYRING) by default but this can be overridden by the user of the skeleton.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
tools/lib/bpf/skel_internal.h | 57 +++++++++++++++++++++++++++++++++--
1 file changed, 54 insertions(+), 3 deletions(-)
diff --git a/tools/lib/bpf/skel_internal.h b/tools/lib/bpf/skel_internal.h index 4d5fa079b5d6..25502925ff36 100644 --- a/tools/lib/bpf/skel_internal.h +++ b/tools/lib/bpf/skel_internal.h@@ -13,6 +13,7 @@ #include <unistd.h> #include <sys/syscall.h> #include <sys/mman.h> +#include <linux/keyctl.h> #include <stdlib.h> #include "bpf.h" #endif@@ -64,6 +65,11 @@ struct bpf_load_and_run_opts { __u32 data_sz; __u32 insns_sz; const char *errstr; + void *signature; + __u32 signature_sz; + __u32 keyring_id; + void * excl_prog_hash; + __u32 excl_prog_hash_sz; }; long kern_sys_bpf(__u32 cmd, void *attr, __u32 attr_size);@@ -218,16 +224,21 @@ static inline int skel_closenz(int fd) static inline int skel_map_create(enum bpf_map_type map_type, const char *map_name, + const void *excl_prog_hash, + __u32 excl_prog_hash_sz, __u32 key_size, __u32 value_size, __u32 max_entries)
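Review bot: in the struct bpf_load_and_run_opts hunk, `void * excl_prog_hash;` has a space after the asterisk, unlike `void *signature;` a few lines up, and since skel_map_create in the next hunk takes the hash as `const void *excl_prog_hash`, declaring the opts field as `const void *excl_prog_hash;` would let callers hand in a const buffer without a cast. The five new fields also carry no comment; a one-liner on keyring_id saying that it defaults to KEY_SPEC_SESSION_KEYRING unless the skeleton user overrides it, as the commit message states, would make the override path discoverable from the header alone.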
A bit odd to insert new args in the middle. Add them to the end.