
Toward signed BPF programs

Posted Apr 30, 2021 21:05 UTC (Fri) by ecree (guest, #95790)
In reply to: Toward signed BPF programs by chris_se
Parent article: Toward signed BPF programs

+1 to this.

You could, for instance, have a version of `bpftool` that checks signatures on the BPF-program elves, and in turn is signed itself, and then (if you want the kernel to enforce the signature requirement) the kernel checks the signature on `bpftool` before accepting its bpf() calls.

eBPF has gone down a road of over-abstraction, over-indirection and over-complexification in the last couple of years. I wish I'd pushed back more, but I've been too busy with other things to argue with each piece on the ML. The fact that putting the BPF loader into the kernel proved too difficult is not an argument for BPF_PROG_TYPE_SYSCALL; rather, it's an indictment of the BPF loader.



