[$] Toward signed BPF programs

The kernel's BPF virtual machine is versatile;it is possible to load BPF programs into the kernel to carry outa large (and growing) set of tasks. The growing body of BPF code canreasonably bethought of as kernel code in its own right. But, while the kernel cancheck signatures on loadable modules and prevent the loading of modulesthat are not properly signed, there is no such mechanism for BPF programs;any sufficiently privileged process can load any program that will pass theverifier. One might think that adding this checking for BPF would bestraightforward, but that subsystem has some unique characteristics thatmake things more challenging than one might expect. There may be asolution in the works, though; fittingly, it works by loading yet another BPFprogram.