mirror of
https://github.com/clearlinux/graphene.git
synced 2026-06-28 17:06:34 +00:00
Introduce one, central manifest, zero-config children and constant MRENCLAVE
This is the next part of the great loader rework, with a lot of breaking changes:

- Complete removal of the "trusted children" thing - now child processes can be spawned arbitrarily and from arbitrary mountpoint types, without any additional configuration needed.
- There's a new, required option in the manifest: `libos.entrypoint` - it specifies the URI to the entry binary in the first process. There's no need anymore to name the manifest and the first binary identically.
- On SGX, the main binary is not measured in MRENCLAVE anymore - only PAL, LibOS and the manifest are measured. This is enough to bind MRENCLAVE to a specific entrypoint user executable if wanted - it just has to be mounted as a trusted file.
- All Graphene SGX enclaves now have exactly the same MRENCLAVE. This is a hash of a "Graphene stub", which can "fork" into one of two states at runtime: initial process or child. The initial process creates a new "Graphene namespace" with a clean state; it can also be attested remotely (contrary to child processes). The initial process can spawn child processes by spawning a Graphene stub and directing it to start in the child mode. It then attests it locally and, if successful, establishes an encrypted pipe, "connects" it to its own namespace and treats it as trusted (including sending the protected files key).
- Now there's only one, central manifest describing the initial state of a Graphene instance which can be spawned from it (previously, each process required a separate manifest which could have a different configuration - which wasn't actually supported and didn't make sense design-wise). One downside of central manifests is that all processes require the same enclave configuration (e.g. size), but that was already the case so far because of broken checkpointing code. Also, this is only a temporary problem, which will cease to exist after the introduction of EDMM.
- `sgx.static_address` was renamed to `sgx.nonpie_binary` and now has to be inserted manually by users (the `sgx_sign` tool doesn't know about the binaries run inside, which can even be provided or generated at runtime by the user's workload).
- Caveat: the memory gap for non-PIE executables was removed because it requires adding a new option to the manifest to be cleanly implemented. This is left for some future loader rework PR.
@@ -6,6 +6,7 @@
# Graphene environment, including the path of the library OS and the debug
# option (inline/none).
loader.preload = "file:$(GRAPHENEDIR)/Runtime/libsysdb.so"
libos.entrypoint = "file:$(PYTHONEXEC)"
loader.debug_type = "$(GRAPHENEDEBUG)"
# Read application arguments directly from the command line. Don't use this on production!
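Review bot: the new `libos.entrypoint = "file:$(PYTHONEXEC)"` line sits under a comment that still describes the block only as "Graphene environment, including the path of the library OS and the debug option"; since `libos.entrypoint` is now a required option and replaces the old convention of naming the manifest and the first binary identically, extend that comment to mention it, and state there that the entrypoint binary is no longer part of MRENCLAVE unless it is also listed as a trusted file (the `sgx.trusted_files.python` entry for the same `$(PYTHONEXEC)` path is what provides that binding).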
@@ -71,8 +72,12 @@ sgx.enclave_size = "1G"
# the application can create is (sgx.thread_num - 2).
sgx.thread_num = 8
sgx.nonpie_binary = 1
# SGX trusted libraries
sgx.trusted_files.python = "file:$(PYTHONEXEC)"
# Glibc libraries
sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
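Review bot: `sgx.nonpie_binary = 1` is added without any comment, although the commit message says this option must now be inserted manually because `sgx_sign` cannot infer it from the binaries run inside; a one-line comment saying it must match how the executable referenced by `$(PYTHONEXEC)` was built would stop it from being copied blindly into other manifests. In the same hunk, `sgx.trusted_files.python = "file:$(PYTHONEXEC)"` is filed under "# SGX trusted libraries" even though it is the entrypoint executable, not a library; either give it its own heading or add a comment that, now that the main binary is not measured directly, this entry is what ties the entrypoint to the measured manifest.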
@@ -88,7 +93,20 @@ sgx.trusted_files.libresolve = "file:$(GRAPHENEDIR)/Runtime/libresolv.so.2"
sgx.trusted_files.libexpat = "file:$(ARCH_LIBDIR)/libexpat.so.1"
sgx.trusted_files.libnssfiles = "file:$(ARCH_LIBDIR)/libnss_files.so.2"
sgx.trusted_files.libnssmdns4 = "file:$(ARCH_LIBDIR)/libnss_mdns4_minimal.so.2"
$(PYTHON_TRUSTED_LIBS)
# [Ubuntu16.04] sgx.trusted_files.hashlib = "file:$(PYTHONHOME)/lib-dynload/_hashlib.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.hashlib = "file:$(PYTHONHOME)/lib-dynload/_hashlib.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.ctypes = "file:$(PYTHONHOME)/lib-dynload/_ctypes.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.ctypes = "file:$(PYTHONHOME)/lib-dynload/_ctypes.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.ssl = "file:$(PYTHONHOME)/lib-dynload/_ssl.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.ssl = "file:$(PYTHONHOME)/lib-dynload/_ssl.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.bz2 = "file:$(PYTHONHOME)/lib-dynload/_bz2.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.bz2 = "file:$(PYTHONHOME)/lib-dynload/_bz2.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.lzma = "file:$(PYTHONHOME)/lib-dynload/_lzma.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.lzma = "file:$(PYTHONHOME)/lib-dynload/_lzma.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.json = "file:$(PYTHONHOME)/lib-dynload/_json.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.json = "file:$(PYTHONHOME)/lib-dynload/_json.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu16.04] sgx.trusted_files.aptpkg = "file:$(PYTHONDISTHOME)/apt_pkg.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# [Ubuntu18.04] sgx.trusted_files.aptpkg = "file:$(PYTHONDISTHOME)/apt_pkg.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so"
# Python scripts required for helloworld.py/fibonacci.py
# NOTE: we ignore precompiled .pyc files since they are for optimization purposes only
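Review bot: every `# [Ubuntu16.04]` line in this hunk is identical to the `# [Ubuntu18.04]` line that follows it apart from the tag, so the pairs add no distinguishing information; either collapse each pair to one line or document what actually differs between the two releases. It is also unclear from the rendered hunk whether `$(PYTHON_TRUSTED_LIBS)` still expands to live `sgx.trusted_files` entries or whether the commented-out lines are meant to replace it; commented-out lines are not trusted files, so if `_ssl`, `_hashlib`, `_ctypes` and the other extension modules listed here are expected to load inside the enclave they need live entries, and if they are intentionally excluded the comment should say so.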