
[$] Possible paths for signing BPF programs

Tuesday August 12, 2025. 06:31 PM, from LWN.net
BPF programs are loaded directly into the kernel. Even though the verifier protects the kernel from certain kinds of misbehavior in BPF programs, some people are still justifiably concerned about adding unsigned code to their kernel. A fully correct BPF program can still be used to expose sensitive data, for example. To remedy this, Blaise Boscaccy and KP Singh have both shared patch sets that add ways to verify cryptographic signatures of BPF programs, allowing users to configure their kernels to load only pre-approved BPF programs. This work follows on from the discussion at the Linux Storage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF) in April and Boscaccy's earlier proposal of a Linux Security Module (LSM) to accomplish the same goal. There are still some fundamental disagreements over the best approach to signing BPF programs, however.
https://lwn.net/Articles/1031854/
