Re: [PATCH v3 09/12] libbpf: Update light skeleton for signing
From: Andrii Nakryiko <hidden>
Date: 2025-08-14 18:46:49
On Wed, Aug 13, 2025 at 1:55 PM KP Singh [off-list ref] wrote:
* The metadata map is created as an exclusive map (with an excl_prog_hash). This restricts map access exclusively to the signed loader program, preventing tampering by other processes.
* The map is then frozen, making it read-only from userspace.
* BPF_OBJ_GET_INFO_BY_ID instructs the kernel to compute the hash of the metadata map (H') and store it in bpf_map->sha.
* The loader is then loaded with the signature which is then verified by the kernel.

The skeleton currently uses the session keyring (KEY_SPEC_SESSION_KEYRING) by default but this can be overridden by the user of the skeleton.

Loading signed programs prebuilt into the kernel is not currently supported. These can be supported by enabling BPF_OBJ_GET_INFO_BY_ID to be called from the kernel.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/lib/bpf/skel_internal.h | 75 +++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 4 deletions(-)
[...]
+static inline int skel_obj_get_info_by_fd(int fd)
+{
+ const size_t attr_sz = offsetofend(union bpf_attr, info);
+ __u8 sha[SHA256_DIGEST_LENGTH];
+ struct bpf_map_info info = {};
memset(0) this instead of relying on = {}
+ __u32 info_len = sizeof(info); + union bpf_attr attr; + + info.hash = (long) &sha; + info.hash_size = SHA256_DIGEST_LENGTH; + + memset(&attr, 0, attr_sz); + attr.info.bpf_fd = fd; + attr.info.info = (long) &info; + attr.info.info_len = info_len; + return skel_sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, attr_sz); +}
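Review bot: the commit message says BPF_OBJ_GET_INFO_BY_ID triggers the hash computation, but skel_obj_get_info_by_fd() issues BPF_OBJ_GET_INFO_BY_FD; the message should name the command the code actually uses. Two smaller points in the same hunk: `info.hash = (long) &sha;` takes the address of an array, whereas the neighbouring `(long) &info` is a struct address, so `(long) sha` is the idiomatic form here; and since `sha` is discarded when the function returns, a one-line comment stating that the call exists only so the kernel computes and records the map hash in bpf_map->sha (not for userspace to consume the digest) would save the next reader from wondering why the returned hash is never checked.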
[...]