On Thu, Aug 14, 2025 at 8:46 PM Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote:
>
> On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> >
> > * The metadata map is created as an exclusive map (with an
> > excl_prog_hash). This restricts map access exclusively to the signed
> > loader program, preventing tampering by other processes.
> >
> > * The map is then frozen, making it read-only from userspace.
> >
> > * BPF_OBJ_GET_INFO_BY_ID instructs the kernel to compute the hash of the
> > metadata map (H') and store it in bpf_map->sha.
> >
> > * The loader is then loaded with the signature which is then verified by
> > the kernel.
> >
> > The skeleton currently uses the session keyring
> > (KEY_SPEC_SESSION_KEYRING) by default but this can
> > be overridden by the user of the skeleton.
> >
> > Loading signed programs prebuilt into the kernel is not currently
> > supported. These can be supported by enabling BPF_OBJ_GET_INFO_BY_ID to be
> > called from the kernel.
> >
> > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> > ---
> >  tools/lib/bpf/skel_internal.h | 75 +++++++++++++++++++++++++++++++++--
> >  1 file changed, 71 insertions(+), 4 deletions(-)
> >
>
> [...]
>
> > +static inline int skel_obj_get_info_by_fd(int fd)
> > +{
> > +	const size_t attr_sz = offsetofend(union bpf_attr, info);
> > +	__u8 sha[SHA256_DIGEST_LENGTH];
> > +	struct bpf_map_info info = {};
>
> memset(0) this instead of relying on = {}

done.
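Review bot: the helper is named skel_obj_get_info_by_fd(int fd) and sizes its attr with offsetofend(union bpf_attr, info), i.e. the BPF_OBJ_GET_INFO_BY_FD command, but the commit message twice calls the step BPF_OBJ_GET_INFO_BY_ID (once for computing H' into bpf_map->sha, once for the future in-kernel path); please make the commit message name the command the code actually issues so readers grepping the uapi find it. On the same hunk, the zero-init change Andrii asked for is already acknowledged with "done."; since `info` is handed to the kernel and the kernel rejects unknown non-zero fields, the `memset(&info, 0, sizeof(info))` form also avoids relying on `= {}` leaving padding bytes unspecified, so it is worth keeping that version in the respin.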