Why is that so complicated?

Nothing ... that's how both proposed patch sets validate the code.. The complexity of light skeletons is that they consist of two sets of bpf instructions: a loader and a program the loader relocates. Once the loader has run, the program is fully relocated and can be executed. Both patches produce separate hashes of the loader and program and then sign that combined hash. The only difference, and the crux of the argument is what information the security_bpf_prog_load, which is called before any bpf code executes, LSM hook receives to make the policy determination. In KP's scheme the signature is over the loader which contains the hash of the program and which verifies that hash at loader run time, so the security hook knows if the loader signature verifies but not if the program hash matches. With the other patch set both hashes are checked before the hook is called.