diff --git a/Documentation/devel/debugging.rst b/Documentation/devel/debugging.rst
index 45985121..1b5847b2 100644
--- a/Documentation/devel/debugging.rst
+++ b/Documentation/devel/debugging.rst
@@ -19,7 +19,7 @@ To build Graphene with debug symbols, the source code needs to be compiled with
 
 To run Graphene with GDB, use the following command to run your application::
 
-    GDB=1 [Graphene Directory]/Runtime/pal_loader [executable|manifest] [arguments]
+    GDB=1 [Graphene Directory]/Runtime/pal_loader [executable] [arguments]
 
 Debugging with SGX support
 --------------------------
@@ -46,4 +46,4 @@ run the following commands::
 To run Graphene with GDB, use the Graphene loader (``pal_loader``) and specify
 ``GDB=1``::
 
-    GDB=1 SGX=1 [Graphene Directory]/Runtime/pal_loader [executable|manifest] [arguments]
+    GDB=1 SGX=1 [Graphene Directory]/Runtime/pal_loader [executable] [arguments]
diff --git a/Documentation/devel/performance.rst b/Documentation/devel/performance.rst
index 4fd05829..3c27aaba 100644
--- a/Documentation/devel/performance.rst
+++ b/Documentation/devel/performance.rst
@@ -472,7 +472,7 @@ Recording samples with ``perf record``
 
 To record (saves ``perf.data``)::
 
-    perf record ./pal_loader manifest
+    perf record ./pal_loader executable
 
 To view the report for ``perf.data``::
 
diff --git a/Documentation/manpages/pal_loader.rst b/Documentation/manpages/pal_loader.rst
index 2f6a8012..fc553ba0 100644
--- a/Documentation/manpages/pal_loader.rst
+++ b/Documentation/manpages/pal_loader.rst
@@ -11,7 +11,7 @@
 Synopsis
 ========
 
-:command:`pal_loader` [SGX] [GDB] {<*MANIFEST*> | <*EXECUTABLE*>} [<*ARGS*> ...]
+:command:`pal_loader` [SGX] [GDB] {<*EXECUTABLE*>} [<*ARGS*> ...]
 
 Description
 ===========
diff --git a/Documentation/pal/host-abi.rst b/Documentation/pal/host-abi.rst
index 0c22a2c3..36a15836 100644
--- a/Documentation/pal/host-abi.rst
+++ b/Documentation/pal/host-abi.rst
@@ -28,26 +28,18 @@ is described in :doc:`../manifest-syntax`.
 Manifest and executable loading
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The PAL loader supports multiple ways of locating the manifest and executable.
 To run a program in Graphene properly, the PAL loader generally requires both a
-manifest and an executable, although it is possible to load with only one of
-them. The user shall specify either the manifest or the executable to load in
-the command line, and the PAL loader will try to locate the other based on the
-file name.
+manifest and an executable. The user shall specify the executable to load in
+the command line, and the PAL loader will try to locate the manifest based on
+the file name.
 
 Precisely, the loading rules for the manifest and executable are as follows:
 
-#. The first argument given to :program:`pal_loader` can be either a manifest
-   file or an executable.
-#. If an executable is given to the command line, the loader will search for the
+#. The first argument given to :program:`pal_loader` has to be an executable.
+#. The loader will search for the
    manifest in the following order: the same file name as the executable with
-   a `.manifest` or `.manifest.sgx` extension, a `manifest` file without any
-   extension, or no manifest at all.
-#. If a manifest is given to the command line, then the manifest will be used
-   to infer the executable. The potential executable file has the same file name
-   as the manifest file except it doesn't have the `.manifest` or
-   `.manifest.sgx` extension.
-
+   a ``.manifest`` or ``.manifest.sgx`` extension, or ``manifest`` file
+   without any extension.
 
 Data types and variables
 ------------------------
diff --git a/Documentation/tutorials/pytorch/index.rst b/Documentation/tutorials/pytorch/index.rst
index 1c8c2f98..a6682e64 100644
--- a/Documentation/tutorials/pytorch/index.rst
+++ b/Documentation/tutorials/pytorch/index.rst
@@ -186,8 +186,8 @@ Python as the actual executable). For illustrative purposes, we will look at
 only a few entries of the file. Note that we can simply ignore SGX-specific keys
 (starting with the ``sgx.`` prefix) for our non-SGX run.
 
-Notice that the manifest file is not fully secure because it propagates
-untrusted command-line arguments and environment variables into the enclave. We
+Notice that the manifest file is not secure because it propagates untrusted
+command-line arguments and environment variables into the enclave. We
 keep these work-arounds in this tutorial for simplicity, but this configuration
 must not be used in production::
 
@@ -229,11 +229,11 @@ This command will autogenerate a couple new files:
    also create a symlink to the Python binary, with the name corresponding to
    the manifest.
 
-Now, launch Graphene with the generated manifest via ``pal_loader``. You can
-simply append the arguments after the manifest name.  Our example takes
+Now, launch Graphene via ``pal_loader``. You can simply append the arguments
+after the executable name.  Our example takes
 ``pytorchexample.py`` as an argument::
 
-   ./pal_loader python3.manifest pytorchexample.py
+   ./pal_loader ./python3 pytorchexample.py
 
 That's it. You have run the PyTorch example with Graphene. You can check
 ``result.txt`` to make sure it ran correctly.
@@ -306,7 +306,7 @@ After running this command and building all the required files, we can simply
 set ``SGX=1`` environment variable and use ``pal_loader`` to launch the PyTorch
 workload inside an SGX enclave::
 
-   SGX=1 ./pal_loader python3.manifest.sgx pytorchexample.py
+   SGX=1 ./pal_loader ./python3 pytorchexample.py
 
 It will run exactly the same Python script but inside the SGX enclave. Again,
 you can verify that PyTorch ran correctly by examining ``result.txt``.
@@ -538,7 +538,7 @@ We are ready to run the end-to-end PyTorch example. Notice that we didn't change
 a line of code in the Python script. Moreover, we can run it with exactly the
 same command used in the previous section::
 
-   SGX=1 ./pal_loader python3.manifest pytorchexample.py
+   SGX=1 ./pal_loader ./python3 pytorchexample.py
 
 This should run PyTorch with encrypted input files and generate the encrypted
 ``result.txt`` output file. Note that we already launched the secret
diff --git a/Examples/apache/Makefile b/Examples/apache/Makefile
index d7ece0c6..e1797d81 100644
--- a/Examples/apache/Makefile
+++ b/Examples/apache/Makefile
@@ -256,7 +256,7 @@ start-native-server: all clean-server
 .PHONY: start-graphene-server
 start-graphene-server: all clean-server
 	@echo "Listen on $(LISTEN_HOST):$(LISTEN_PORT)"
-	$(PREFIX) ./pal_loader httpd.manifest -D FOREGROUND \
+	$(PREFIX) ./pal_loader ./httpd -D FOREGROUND \
 		-f conf/httpd-graphene.conf \
 		-C "LoadModule mpm_prefork_module modules/mod_mpm_prefork.so" \
 		-C "Listen $(LISTEN_HOST):$(LISTEN_PORT)" \
@@ -276,7 +276,7 @@ start-native-multithreaded-server: all clean-server
 .PHONY: start-graphene-multithreaded-server
 start-graphene-multithreaded-server: all clean-server
 	@echo "Listen on $(LISTEN_HOST):$(LISTEN_PORT)"
-	$(PREFIX) ./pal_loader httpd.manifest -D FOREGROUND \
+	$(PREFIX) ./pal_loader ./httpd -D FOREGROUND \
 		-f conf/httpd-graphene.conf \
 		-C "LoadModule mpm_worker_module modules/mod_mpm_worker.so" \
 		-C "Listen $(LISTEN_HOST):$(LISTEN_PORT)" \
diff --git a/Examples/bash/Makefile b/Examples/bash/Makefile
index 543205d0..8dcd4514 100644
--- a/Examples/bash/Makefile
+++ b/Examples/bash/Makefile
@@ -123,18 +123,18 @@ pal_loader:
 regression: all
 	@mkdir -p scripts/testdir
 
-	./pal_loader bash.manifest -c "ls" > OUTPUT
+	./pal_loader ./bash -c "ls" > OUTPUT
 	@grep -q "Makefile" OUTPUT && echo "[ Success 1/6 ]"
 	@rm OUTPUT
 
-	./pal_loader bash.manifest -c "cd scripts && bash bash_test.sh 1" > OUTPUT
+	./pal_loader ./bash -c "cd scripts && bash bash_test.sh 1" > OUTPUT
 	@grep -q "hello 1" OUTPUT      && echo "[ Success 2/6 ]"
 	@grep -q "createdfile" OUTPUT  && echo "[ Success 3/6 ]"
 	@grep -q "somefile" OUTPUT     && echo "[ Success 4/6 ]"
 	@grep -q "current date" OUTPUT && echo "[ Success 5/6 ]"
 	@rm OUTPUT
 
-	./pal_loader bash.manifest -c "cd scripts && bash bash_test.sh 3" > OUTPUT
+	./pal_loader ./bash -c "cd scripts && bash bash_test.sh 3" > OUTPUT
 	@grep -q "hello 3" OUTPUT      && echo "[ Success 6/6 ]"
 	@rm OUTPUT
 
diff --git a/Examples/bash/README.md b/Examples/bash/README.md
index 7d68ee83..4b1661fa 100644
--- a/Examples/bash/README.md
+++ b/Examples/bash/README.md
@@ -20,12 +20,12 @@ Here's an example of running Bash scripts under Graphene:
 
 Without SGX:
 ```
-./pal_loader bash.manifest -c "ls"
-./pal_loader bash.manifest -c "cd scripts && bash bash_test.sh 2"
+./pal_loader ./bash -c "ls"
+./pal_loader ./bash -c "cd scripts && bash bash_test.sh 2"
 ```
 
 With SGX:
 ```
-SGX=1 ./pal_loader bash.manifest -c "ls"
-SGX=1 ./pal_loader bash.manifest -c "cd scripts && bash bash_test.sh 2"
+SGX=1 ./pal_loader ./bash -c "ls"
+SGX=1 ./pal_loader ./bash -c "cd scripts && bash bash_test.sh 2"
 ```
diff --git a/Examples/busybox/README.md b/Examples/busybox/README.md
index 56e85fcb..dbceeaac 100644
--- a/Examples/busybox/README.md
+++ b/Examples/busybox/README.md
@@ -16,27 +16,11 @@ make SGX=1
 
 # run Busybox shell in non-SGX Graphene
 ./pal_loader busybox sh
-# or
-./pal_loader busybox.manifest sh
 
 # run Busybox shell in Graphene-SGX
 SGX=1 ./pal_loader busybox sh
-# or
-SGX=1 ./pal_loader busybox.manifest.sgx sh
 
 # now a shell session should be running e.g. typing:
 ls
 # should run program `ls` which lists current working directory
 ```
-
-Note that busybox can also be started via a manifest file (which contains path
-to the busybox binary):
-
-```sh
-   ./busybox.manifest sh         # to run a shell
-   ./busybox.manifest ls -l      # to list local directory
-
-   # or under SGX:
-   ./busybox.manifest.sgx sh     # to run a shell
-   ./busybox.manifest.sgx ls -l  # to list local directory
-```
diff --git a/Examples/busybox/busybox.manifest.template b/Examples/busybox/busybox.manifest.template
index 9447af72..257bb8fb 100644
--- a/Examples/busybox/busybox.manifest.template
+++ b/Examples/busybox/busybox.manifest.template
@@ -4,10 +4,6 @@
 
 ################################## GRAPHENE ###################################
 
-# Name of the executable e.g. as visible through argv[0] when ran as manifest
-# file (`./pal_loader busybox.manifest`).
-loader.argv0_override = "busybox"
-
 # Read application arguments directly from the command line. Don't use this on production!
 loader.insecure__use_cmdline_argv = 1
 
diff --git a/Examples/curl/Makefile b/Examples/curl/Makefile
index f104a5f3..53bdeb1d 100644
--- a/Examples/curl/Makefile
+++ b/Examples/curl/Makefile
@@ -84,7 +84,7 @@ pal_loader:
 check: all
 	(cd test-docroot; exec python3 -m http.server -b 127.0.0.1 19111) & httpd_pid=$$!; \
 	sleep 1; \
-	./pal_loader curl.manifest http://127.0.0.1:19111/ > OUTPUT; rc=$$?; \
+	./pal_loader ./curl http://127.0.0.1:19111/ > OUTPUT; rc=$$?; \
 	kill $$httpd_pid; exit $$rc
 
 	@grep -q "Hello World" OUTPUT && echo "[ Success 1/1 ]"
diff --git a/Examples/gcc/Makefile b/Examples/gcc/Makefile
index 60482a8d..5fb69237 100644
--- a/Examples/gcc/Makefile
+++ b/Examples/gcc/Makefile
@@ -115,13 +115,13 @@ cc1-ldd: cc1
 .PHONY: check
 check: all
 	@echo "\n\nCompiling hello.c..."
-	./pal_loader gcc.manifest test_files/helloworld.c -o test_files/hello
+	./pal_loader ./gcc test_files/helloworld.c -o test_files/hello
 	@chmod 755 test_files/hello
 	-./test_files/hello
 	$(RM) test_files/hello
 
 	@echo "\n\nCompiling bzip2.c..."
-	./pal_loader ./gcc.manifest test_files/bzip2.c -o test_files/bzip2
+	./pal_loader ./gcc test_files/bzip2.c -o test_files/bzip2
 	@chmod 755 test_files/bzip2
 	$(RM) bzip2.tmp
 	@cp -f test_files/bzip2 test_files/bzip2.copy
@@ -131,7 +131,7 @@ check: all
 	$(RM) test_files/bzip2 test_file/bzip2.copy
 
 	@echo "\n\nCompiling gzip.c..."
-	./pal_loader ./gcc.manifest test_files/gzip.c -o test_files/gzip
+	./pal_loader ./gcc test_files/gzip.c -o test_files/gzip
 	@chmod 755 test_files/gzip
 	@cp -f test_files/gzip test_files/gzip.copy
 	./test_files/gzip test_files/gzip.copy
diff --git a/Examples/lighttpd/Makefile b/Examples/lighttpd/Makefile
index 51ab6a95..d9f25560 100644
--- a/Examples/lighttpd/Makefile
+++ b/Examples/lighttpd/Makefile
@@ -164,7 +164,7 @@ start-native-server: all
 
 .PHONY: start-graphene-server
 start-graphene-server: all
-	./pal_loader lighttpd.manifest -D -m $(INSTALL_DIR)/lib -f lighttpd.conf
+	./pal_loader ./lighttpd -D -m $(INSTALL_DIR)/lib -f lighttpd.conf
 
 .PHONY: clean
 clean:
diff --git a/Examples/lighttpd/lighttpd.manifest.template b/Examples/lighttpd/lighttpd.manifest.template
index 6d09eecd..29428b5c 100644
--- a/Examples/lighttpd/lighttpd.manifest.template
+++ b/Examples/lighttpd/lighttpd.manifest.template
@@ -4,7 +4,7 @@
 #
 # lighttpd must be run with the pal_loader:
 #
-# ./pal_loader lighttpd.manifest <script>
+# ./pal_loader ./lighttpd <script>
 
 loader.argv0_override = "lighttpd"
 
diff --git a/Examples/nginx/Makefile b/Examples/nginx/Makefile
index 92ca0b74..1c87e8b4 100644
--- a/Examples/nginx/Makefile
+++ b/Examples/nginx/Makefile
@@ -173,7 +173,7 @@ start-native-server: all
 
 .PHONY: start-graphene-server
 start-graphene-server: all
-	./pal_loader nginx.manifest -c conf/nginx-graphene.conf
+	./pal_loader ./nginx -c conf/nginx-graphene.conf
 
 .PHONY: clean
 clean:
diff --git a/Examples/nginx/README.md b/Examples/nginx/README.md
index 5464b4b9..c329cd01 100644
--- a/Examples/nginx/README.md
+++ b/Examples/nginx/README.md
@@ -25,12 +25,12 @@ make SGX=1
 kill -SIGINT %%
 
 # run Nginx in non-SGX Graphene against a benchmark
-./pal_loader ./nginx.manifest -c conf/nginx-graphene.conf &
+./pal_loader ./nginx -c conf/nginx-graphene.conf &
 ./benchmark-http.sh 127.0.0.1:8002
 kill -SIGINT %%
 
 # run Nginx in Graphene-SGX against a benchmark
-SGX=1 ./pal_loader ./nginx.manifest -c conf/nginx-graphene.conf &
+SGX=1 ./pal_loader ./nginx -c conf/nginx-graphene.conf &
 ./benchmark-http.sh 127.0.0.1:8002
 kill -SIGINT %%
 
diff --git a/Examples/nodejs-express-server/Makefile b/Examples/nodejs-express-server/Makefile
index 9ea06383..7bb6a063 100644
--- a/Examples/nodejs-express-server/Makefile
+++ b/Examples/nodejs-express-server/Makefile
@@ -81,7 +81,7 @@ pal_loader:
 
 .PHONY: check
 check: all
-	./pal_loader nodejs.manifest helloworld.js 3000 & SERVER_ID=$$!; \
+	./pal_loader ./nodejs helloworld.js 3000 & SERVER_ID=$$!; \
 	sleep 3; \
 	curl localhost:3000 > OUTPUT; \
 	kill -9 $$SERVER_ID;
diff --git a/Examples/nodejs/Makefile b/Examples/nodejs/Makefile
index d068de65..df856dc5 100644
--- a/Examples/nodejs/Makefile
+++ b/Examples/nodejs/Makefile
@@ -81,7 +81,7 @@ pal_loader:
 
 .PHONY: check
 check: all
-	./pal_loader nodejs.manifest helloworld.js > OUTPUT
+	./pal_loader ./nodejs helloworld.js > OUTPUT
 	@grep -q "Hello World" OUTPUT && echo "[ Success 1/1 ]"
 	@rm OUTPUT
 
diff --git a/Examples/python-scipy-insecure/Makefile b/Examples/python-scipy-insecure/Makefile
index 83f7e093..54d923e5 100644
--- a/Examples/python-scipy-insecure/Makefile
+++ b/Examples/python-scipy-insecure/Makefile
@@ -111,12 +111,12 @@ pal_loader:
 
 .PHONY: check
 check: all
-	./pal_loader python.manifest scripts/test-numpy.py > OUTPUT 2> /dev/null
+	./pal_loader ./python scripts/test-numpy.py > OUTPUT 2> /dev/null
 	@sleep 1  # to make sure Bash child processes flush output under Graphene-SGX
 	@grep -q "dot: " OUTPUT && echo "[ Success 1/2 ]"
 	@rm OUTPUT
 
-	./pal_loader python.manifest scripts/test-scipy.py > OUTPUT 2> /dev/null
+	./pal_loader ./python scripts/test-scipy.py > OUTPUT 2> /dev/null
 	@sleep 1
 	@grep -q "cholesky: " OUTPUT && echo "[ Success 2/2 ]"
 	@rm OUTPUT
diff --git a/Examples/python-scipy-insecure/README.md b/Examples/python-scipy-insecure/README.md
index 251d55da..35b266b6 100644
--- a/Examples/python-scipy-insecure/README.md
+++ b/Examples/python-scipy-insecure/README.md
@@ -46,12 +46,12 @@ Here's an example of running Python scripts under Graphene:
 
 Without SGX:
 ```
-./pal_loader python.manifest scripts/test-numpy.py
-./pal_loader python.manifest scripts/test-scipy.py
+./pal_loader ./python scripts/test-numpy.py
+./pal_loader ./python scripts/test-scipy.py
 ```
 
 With SGX:
 ```
-SGX=1 ./pal_loader python.manifest scripts/test-numpy.py
-SGX=1 ./pal_loader python.manifest scripts/test-scipy.py
+SGX=1 ./pal_loader ./python scripts/test-numpy.py
+SGX=1 ./pal_loader ./python scripts/test-scipy.py
 ```
diff --git a/Examples/python-simple/README.md b/Examples/python-simple/README.md
index 19794a8e..a86cc3ef 100644
--- a/Examples/python-simple/README.md
+++ b/Examples/python-simple/README.md
@@ -42,14 +42,14 @@ Here's an example of running Python scripts under Graphene:
 
 Without SGX:
 ```
-./pal_loader python.manifest scripts/helloworld.py
-./pal_loader python.manifest scripts/fibonacci.py
+./pal_loader ./python scripts/helloworld.py
+./pal_loader ./python scripts/fibonacci.py
 ```
 
 With SGX:
 ```
-SGX=1 ./pal_loader python.manifest scripts/helloworld.py
-SGX=1 ./pal_loader python.manifest scripts/fibonacci.py
+SGX=1 ./pal_loader ./python scripts/helloworld.py
+SGX=1 ./pal_loader ./python scripts/fibonacci.py
 ```
 
 You can also manually run included tests:
diff --git a/Examples/python-simple/run-tests.sh b/Examples/python-simple/run-tests.sh
index c981148e..514ced76 100755
--- a/Examples/python-simple/run-tests.sh
+++ b/Examples/python-simple/run-tests.sh
@@ -4,23 +4,23 @@ set -e
 
 # === hellworld ===
 echo -e "\n\nRunning helloworld.py:"
-./pal_loader python.manifest scripts/helloworld.py > OUTPUT
+./pal_loader ./python scripts/helloworld.py > OUTPUT
 grep -q "Hello World" OUTPUT && echo "[ Success 1/3 ]"
 rm OUTPUT
 
 # === fibonacci ===
 echo -e "\n\nRunning fibonacci.py:"
-./pal_loader python.manifest scripts/fibonacci.py > OUTPUT
+./pal_loader ./python scripts/fibonacci.py > OUTPUT
 grep -q "fib2              55" OUTPUT && echo "[ Success 2/3 ]"
 rm OUTPUT
 
 # === web server and client (on port 8005) ===
 echo -e "\n\nRunning HTTP server dummy-web-server.py in the background:"
-./pal_loader python.manifest scripts/dummy-web-server.py 8005 & echo $! > server.PID
+./pal_loader ./python scripts/dummy-web-server.py 8005 & echo $! > server.PID
 sleep 30  # Graphene-SGX takes a lot of time to initialize
 
 echo -e "\n\nRunning HTTP client test-http.py:"
-./pal_loader python.manifest scripts/test-http.py localhost 8005 > OUTPUT1
+./pal_loader ./python scripts/test-http.py localhost 8005 > OUTPUT1
 wget -q http://localhost:8005/ -O OUTPUT2
 echo >> OUTPUT2  # include newline since wget doesn't add it
 # check if all lines from OUTPUT2 are included in OUTPUT1
diff --git a/Examples/pytorch/README.md b/Examples/pytorch/README.md
index f2f5a1d4..22d41511 100644
--- a/Examples/pytorch/README.md
+++ b/Examples/pytorch/README.md
@@ -37,5 +37,5 @@ Run `make` to build the non-SGX version and `make SGX=1` to build the SGX versio
 Execute any one of the following commands to run the workload
 
 - natively: `python3 pytorchexample.py`
-- Graphene w/o SGX: `./pal_loader ./python3.manifest ./pytorchexample.py`
-- Graphene with SGX: `SGX=1 ./pal_loader ./python3.manifest ./pytorchexample.py`
+- Graphene w/o SGX: `./pal_loader ./python3 ./pytorchexample.py`
+- Graphene with SGX: `SGX=1 ./pal_loader ./python3 ./pytorchexample.py`
diff --git a/Examples/r/Makefile b/Examples/r/Makefile
index 3ffc2445..929b9995 100644
--- a/Examples/r/Makefile
+++ b/Examples/r/Makefile
@@ -119,7 +119,7 @@ pal_loader:
 
 .PHONY: check
 check: all
-	./pal_loader R.manifest --slave --vanilla -f scripts/sample.r > OUTPUT 2> /dev/null
+	./pal_loader ./R --slave --vanilla -f scripts/sample.r > OUTPUT 2> /dev/null
 	@grep -q "success" OUTPUT && echo "[ Success 1/1 ]"
 	@$(RM) OUTPUT
 
diff --git a/Examples/r/README.md b/Examples/r/README.md
index f5c43af8..c537ca20 100644
--- a/Examples/r/README.md
+++ b/Examples/r/README.md
@@ -34,12 +34,12 @@ Here's an example of running an R script under Graphene:
 
 Without SGX:
 ```
-./pal_loader R.manifest --slave --vanilla -f scripts/sample.r
-./pal_loader R.manifest --slave --vanilla -f scripts/R-benchmark-25.R
+./pal_loader ./R --slave --vanilla -f scripts/sample.r
+./pal_loader ./R --slave --vanilla -f scripts/R-benchmark-25.R
 ```
 
 With SGX:
 ```
-SGX=1 ./pal_loader R.manifest --slave --vanilla -f scripts/sample.r
-SGX=1 ./pal_loader R.manifest --slave --vanilla -f scripts/R-benchmark-25.R
+SGX=1 ./pal_loader ./R --slave --vanilla -f scripts/sample.r
+SGX=1 ./pal_loader ./R --slave --vanilla -f scripts/R-benchmark-25.R
 ```
diff --git a/Examples/ra-tls-mbedtls/README.md b/Examples/ra-tls-mbedtls/README.md
index 278531ce..40d59c11 100644
--- a/Examples/ra-tls-mbedtls/README.md
+++ b/Examples/ra-tls-mbedtls/README.md
@@ -142,7 +142,7 @@ RA_CLIENT_SPID=12345678901234567890123456789012 RA_CLIENT_LINKABLE=0 make app cl
 
 SGX=1 ./pal_loader ./server epid &
 
-RA_TLS_EPID_API_KEY=12345678901234567890123456789012 SGX=1 ./pal_loader client_epid.manifest.sgx epid
+RA_TLS_EPID_API_KEY=12345678901234567890123456789012 SGX=1 ./pal_loader ./client_epid epid
 
 # client will successfully connect to the server via RA-TLS/EPID flows
 kill %%
@@ -156,7 +156,7 @@ make app client_dcap.manifest.sgx
 
 SGX=1 ./pal_loader ./server dcap &
 
-SGX=1 ./pal_loader client_dcap.manifest.sgx dcap
+SGX=1 ./pal_loader ./client_dcap dcap
 
 # client will successfully connect to the server via RA-TLS/DCAP flows
 kill %%
diff --git a/LibOS/shim/include/shim_internal.h b/LibOS/shim/include/shim_internal.h
index 2c059ebf..772d6943 100644
--- a/LibOS/shim/include/shim_internal.h
+++ b/LibOS/shim/include/shim_internal.h
@@ -486,7 +486,6 @@ int init_brk_region(void* brk_region, size_t data_segment_size);
 void reset_brk(void);
 int init_internal_map(void);
 int init_loader(void);
-int init_manifest(PAL_HANDLE manifest_handle);
 int init_rlimit(void);
 
 bool test_user_memory(void* addr, size_t size, bool write);
diff --git a/LibOS/shim/src/shim_init.c b/LibOS/shim/src/shim_init.c
index a655e4d5..45fded54 100644
--- a/LibOS/shim/src/shim_init.c
+++ b/LibOS/shim/src/shim_init.c
@@ -352,63 +352,6 @@ static int read_environs(const char** envp) {
     return 0;
 }
 
-int init_manifest(PAL_HANDLE manifest_handle) {
-    int ret = 0;
-    void* addr = NULL;
-    size_t size = 0, map_size = 0;
-    bool stream_mapped = false;
-
-    if (PAL_CB(manifest_preload.start)) {
-        addr = PAL_CB(manifest_preload.start);
-        size = PAL_CB(manifest_preload.end) - PAL_CB(manifest_preload.start);
-    } else {
-        PAL_STREAM_ATTR attr;
-        if (!DkStreamAttributesQueryByHandle(manifest_handle, &attr))
-            return -PAL_ERRNO();
-
-        size = attr.pending_size;
-        map_size = ALLOC_ALIGN_UP(size);
-        ret = bkeep_mmap_any(map_size, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | VMA_INTERNAL, NULL,
-                             0, "manifest", &addr);
-        if (ret < 0) {
-            return ret;
-        }
-
-        void* ret_addr = DkStreamMap(manifest_handle, addr, PAL_PROT_READ, 0, ALLOC_ALIGN_UP(size));
-
-        if (!ret_addr) {
-            ret = -ENOMEM;
-            goto fail;
-        }
-        stream_mapped = true;
-        assert(addr == ret_addr);
-    }
-
-    char errbuf[256];
-    g_manifest_root = toml_parse(addr, errbuf, sizeof(errbuf));
-    if (!g_manifest_root) {
-        debug("PAL failed at parsing the manifest: %s\n"
-              "  Graphene switched to the TOML format recently, please update the manifest\n"
-              "  (in particular, string values must be put in double quotes)\n", errbuf);
-        goto fail;
-    }
-
-    return 0;
-
-fail:
-    if (map_size) {
-        void* tmp_vma = NULL;
-        if (bkeep_munmap(addr, map_size, /*is_internal=*/true, &tmp_vma) < 0) {
-            BUG();
-        }
-        if (stream_mapped) {
-            DkStreamUnmap(addr, map_size);
-        }
-        bkeep_remove_tmp_vma(tmp_vma);
-    }
-    return ret;
-}
-
 #define CALL_INIT(func, args...) func(args)
 
 #define RUN_INIT(func, ...)                                              \
@@ -443,6 +386,8 @@ noreturn void* shim_init(int argc, void* args) {
         DkProcessExit(EINVAL);
     }
 
+    g_manifest_root = PAL_CB(manifest_root);
+
     shim_xstate_init();
 
     if (!create_lock(&__master_lock)) {
@@ -476,9 +421,6 @@ noreturn void* shim_init(int argc, void* args) {
         RUN_INIT(receive_checkpoint_and_restore, &hdr);
     }
 
-    if (PAL_CB(manifest_handle))
-        RUN_INIT(init_manifest, PAL_CB(manifest_handle));
-
     RUN_INIT(init_mount_root);
     RUN_INIT(init_ipc);
     RUN_INIT(init_process);
diff --git a/Pal/include/host/Linux-common/linux_utils.h b/Pal/include/host/Linux-common/linux_utils.h
index c0e83181..7251883f 100644
--- a/Pal/include/host/Linux-common/linux_utils.h
+++ b/Pal/include/host/Linux-common/linux_utils.h
@@ -6,5 +6,7 @@ double sanitize_bogomips_value(double);
 
 char* get_main_exec_path(void);
 
+int read_text_file_to_cstr(const char* path, char** out);
+
 #endif // _LINUX_UTILS_H
 
diff --git a/Pal/include/pal/pal.h b/Pal/include/pal/pal.h
index f0e881d3..07f9c586 100644
--- a/Pal/include/pal/pal.h
+++ b/Pal/include/pal/pal.h
@@ -13,6 +13,8 @@
 #include <stdint.h>
 #include <stdnoreturn.h>
 
+#include "toml.h"
+
 #if defined(__i386__) || defined(__x86_64__)
 #include "cpu.h"
 #endif
@@ -130,11 +132,12 @@ typedef struct PAL_CONTROL_ {
     /*
      * Handles and executables
      */
-    PAL_HANDLE manifest_handle; /*!< program manifest */
-    PAL_STR executable;         /*!< executable name */
-    PAL_HANDLE parent_process;  /*!< handle of parent process */
-    PAL_HANDLE first_thread;    /*!< handle of first thread */
-    PAL_BOL enable_debug_log;   /*!< enable debug log calls */
+
+    toml_table_t* manifest_root; /*!< program manifest */
+    PAL_STR executable;          /*!< executable name */
+    PAL_HANDLE parent_process;   /*!< handle of parent process */
+    PAL_HANDLE first_thread;     /*!< handle of first thread */
+    PAL_BOL enable_debug_log;    /*!< enable debug log calls */
 
     /*
      * Memory layout
diff --git a/Pal/regression/.gitignore b/Pal/regression/.gitignore
index 165f49e9..180d763f 100644
--- a/Pal/regression/.gitignore
+++ b/Pal/regression/.gitignore
@@ -10,9 +10,7 @@
 /AttestationReport
 /avl_tree_test
 /Bootstrap
-/Bootstrap2
 /Bootstrap3
-/Bootstrap4
 /Bootstrap6
 /Bootstrap7
 /Directory
diff --git a/Pal/regression/Bootstrap.c b/Pal/regression/Bootstrap.c
index 156643cc..22433f3a 100644
--- a/Pal/regression/Bootstrap.c
+++ b/Pal/regression/Bootstrap.c
@@ -16,11 +16,6 @@ int main(int argc, char** argv, char** envp) {
     /* check executable name */
     pal_printf("Loaded Executable: %s\n", pal_control.executable);
 
-    /* check manifest name */
-    char manifest[30];
-    DkStreamGetName(pal_control.manifest_handle, manifest, 30);
-    pal_printf("Loaded Manifest: %s\n", manifest);
-
     /* check arguments */
     pal_printf("# of Arguments: %d\n", argc);
     for (int i = 0; i < argc; i++) {
diff --git a/Pal/regression/Bootstrap2.c b/Pal/regression/Bootstrap2.c
deleted file mode 100644
index 0a96eacb..00000000
--- a/Pal/regression/Bootstrap2.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "pal.h"
-#include "pal_debug.h"
-
-int main(int argc, char** argv, char** envp) {
-    /* check if the program is loaded */
-    pal_printf("User Program Started\n");
-
-    /* check control block */
-    /* check executable name */
-    pal_printf("Loaded Executable: %s\n", pal_control.executable);
-
-    /* check manifest name */
-    char manifest[30] = "";
-    DkStreamGetName(pal_control.manifest_handle, manifest, 30);
-    pal_printf("Loaded Manifest: %s\n", manifest);
-
-    /* check arguments */
-    pal_printf("# of Arguments: %d\n", argc);
-    for (int i = 0; i < argc; i++) {
-        pal_printf("argv[%d] = %s\n", i, argv[i]);
-    }
-
-    return 0;
-}
diff --git a/Pal/regression/Bootstrap2.manifest.template b/Pal/regression/Bootstrap2.manifest.template
deleted file mode 100644
index ef9b544a..00000000
--- a/Pal/regression/Bootstrap2.manifest.template
+++ /dev/null
@@ -1,2 +0,0 @@
-loader.debug_type = "inline"
-loader.argv0_override = "Bootstrap2"
diff --git a/Pal/regression/Bootstrap4.manifest.template b/Pal/regression/Bootstrap4.manifest.template
deleted file mode 100644
index 3a405012..00000000
--- a/Pal/regression/Bootstrap4.manifest.template
+++ /dev/null
@@ -1 +0,0 @@
-loader.argv0_override = "Bootstrap"
diff --git a/Pal/regression/Makefile b/Pal/regression/Makefile
index 96f99920..01c5abdf 100644
--- a/Pal/regression/Makefile
+++ b/Pal/regression/Makefile
@@ -24,7 +24,6 @@ executables = \
 	AttestationReport \
 	avl_tree_test \
 	Bootstrap \
-	Bootstrap2 \
 	Bootstrap3 \
 	Bootstrap7 \
 	Directory \
@@ -60,9 +59,7 @@ executables = \
 
 manifests = \
 	manifest \
-	Bootstrap2.manifest \
 	Bootstrap3.manifest \
-	Bootstrap4.manifest \
 	Bootstrap6.manifest \
 	Bootstrap7.manifest \
 	File.manifest \
@@ -74,7 +71,6 @@ manifests = \
 	Thread2_exitless.manifest
 
 target = \
-	Bootstrap4 \
 	Bootstrap6 \
 	Thread2_exitless \
 	$(executables) \
@@ -118,7 +114,7 @@ $(executables): %: %.c $(LDLIBS-executables)
 # Handle multiple tests which share one binary (Graphene requires 1-1 manifest-executable
 # correspondence).
 
-Bootstrap4 Bootstrap6: Bootstrap
+Bootstrap6: Bootstrap
 	$(call cmd,ln_sfr)
 
 Thread2_exitless: Thread2
diff --git a/Pal/regression/Process.c b/Pal/regression/Process.c
index 10f1eaed..35af22aa 100644
--- a/Pal/regression/Process.c
+++ b/Pal/regression/Process.c
@@ -10,11 +10,6 @@ int main(int argc, char** argv, char** envp) {
     if (argc > 1 && !memcmp(argv[1], "Child", 6)) {
         pal_printf("Child Process Created\n");
 
-        /* check manifest name */
-        char manifest[30] = "";
-        DkStreamGetName(pal_control.manifest_handle, manifest, 30);
-        pal_printf("Loaded Manifest: %s\n", manifest);
-
         /* check arguments */
         pal_printf("# of Arguments: %d\n", argc);
         for (int i = 0; i < argc; i++) {
diff --git a/Pal/regression/test_pal.py b/Pal/regression/test_pal.py
index 930c6f39..b07d3d33 100644
--- a/Pal/regression/test_pal.py
+++ b/Pal/regression/test_pal.py
@@ -188,18 +188,6 @@ class TC_01_Bootstrap(RegressionTestCase):
         _, stderr = self.run_binary(['..Bootstrap'])
         self.assertIn('User Program Started', stderr)
 
-    def test_104_manifest_as_executable_name(self):
-        manifest = self.get_manifest('Bootstrap2')
-        _, stderr = self.run_binary(['Bootstrap2'])
-        self.assertIn('User Program Started', stderr)
-        self.assertIn('Loaded Manifest: file:' + manifest, stderr)
-
-    def test_105_manifest_as_argument(self):
-        manifest = self.get_manifest('Bootstrap4')
-        _, stderr = self.run_binary(['Bootstrap4'])
-        self.assertIn('Loaded Manifest: file:' + manifest, stderr)
-        self.assertIn('Loaded Executable: file:Bootstrap', stderr)
-
     def test_110_preload_libraries(self):
         _, stderr = self.run_binary(['Bootstrap3'])
         self.assertIn('Binary 1 Preloaded', stderr)
@@ -209,9 +197,7 @@ class TC_01_Bootstrap(RegressionTestCase):
 
     @unittest.skipUnless(HAS_SGX, 'this test requires SGX')
     def test_120_8gb_enclave(self):
-        manifest = self.get_manifest('Bootstrap6')
         _, stderr = self.run_binary(['Bootstrap6'], timeout=360)
-        self.assertIn('Loaded Manifest: file:' + manifest, stderr)
         self.assertIn('Executable Range OK', stderr)
 
     def test_130_large_number_of_items_in_manifest(self):
diff --git a/Pal/src/db_main.c b/Pal/src/db_main.c
index 868b7edc..c69deab2 100644
--- a/Pal/src/db_main.c
+++ b/Pal/src/db_main.c
@@ -31,9 +31,6 @@ static void load_libraries(void) {
     int ret = 0;
     char* preload_str = NULL;
 
-    if (!g_pal_state.manifest_root)
-        return;
-
     /* FIXME: rewrite to use array-of-strings TOML syntax */
     /* string with preload libs: can be multiple URIs separated by commas */
     ret = toml_string_in(g_pal_state.manifest_root, "loader.preload", &preload_str);
@@ -71,9 +68,6 @@ static int insert_envs_from_manifest(const char*** envpp) {
     int ret;
     assert(envpp);
 
-    if (!g_pal_state.manifest_root)
-        return 0;
-
     toml_table_t* toml_loader = toml_table_in(g_pal_state.manifest_root, "loader");
     if (!toml_loader)
         return 0;
@@ -159,9 +153,6 @@ static int insert_envs_from_manifest(const char*** envpp) {
 static void set_debug_type(void) {
     int ret = 0;
 
-    if (!g_pal_state.manifest_root)
-        return;
-
     char* debug_type = NULL;
     ret = toml_string_in(g_pal_state.manifest_root, "loader.debug_type", &debug_type);
     if (ret < 0)
@@ -258,9 +249,11 @@ out_fail:
     return ret;
 }
 
-/* 'pal_main' must be called by the host-specific bootloader */
+/* 'pal_main' must be called by the host-specific loader.
+ * At this point the manifest is assumed to be already parsed, because some PAL loaders use manifest
+ * configuration for early initialization.
+ */
 noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
-                       PAL_HANDLE manifest_handle, /* manifest handle if opened */
                        PAL_HANDLE exec_handle,     /* executable handle if opened */
                        PAL_PTR exec_loaded_addr,   /* executable addr if loaded */
                        PAL_HANDLE parent_process,  /* parent process if it's a child */
@@ -268,133 +261,49 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
                        PAL_STR* arguments,         /* application arguments */
                        PAL_STR* environments       /* environment variables */) {
     g_pal_state.instance_id = instance_id;
-    g_pal_state.alloc_align = _DkGetAllocationAlignment();
-    assert(IS_POWER_OF_2(g_pal_state.alloc_align));
-
-    init_slab_mgr(g_pal_state.alloc_align);
-
     g_pal_state.parent_process = parent_process;
 
     char uri_buf[URI_MAX];
-    char* manifest_uri = NULL;
     char* exec_uri = NULL;
     ssize_t ret;
 
-    if (exec_handle) {
-        ret = _DkStreamGetName(exec_handle, uri_buf, URI_MAX);
-        if (ret < 0)
-            INIT_FAIL(-ret, "Cannot get executable name");
+    assert(g_pal_state.manifest_root);
+    assert(g_pal_state.alloc_align && IS_POWER_OF_2(g_pal_state.alloc_align));
+    assert(exec_handle);
 
-        exec_uri = malloc_copy(uri_buf, ret + 1);
-    }
+    ret = _DkStreamGetName(exec_handle, uri_buf, URI_MAX);
+    if (ret < 0)
+        INIT_FAIL(-ret, "Cannot get executable name");
 
-    if (manifest_handle) {
-        ret = _DkStreamGetName(manifest_handle, uri_buf, URI_MAX);
-        if (ret < 0)
-            INIT_FAIL(-ret, "Cannot get manifest name");
+    exec_uri = malloc_copy(uri_buf, ret + 1);
 
-        manifest_uri = malloc_copy(uri_buf, ret + 1);
-    } else {
-        if (!exec_handle)
-            INIT_FAIL(PAL_ERROR_INVAL, "Must have manifest or executable");
-
-        /* try opening "<execname>.manifest" */
-        size_t len = sizeof(uri_buf);
-        ret = get_norm_path(exec_uri, uri_buf, &len);
-        if (ret < 0) {
-            INIT_FAIL(-ret, "Cannot normalize exec_uri");
-        }
-
-        strcpy_static(uri_buf + len, ".manifest", sizeof(uri_buf) - len);
-        ret = _DkStreamOpen(&manifest_handle, uri_buf, PAL_ACCESS_RDONLY, 0, 0, 0);
-        if (ret) {
-            /* try opening "file:manifest" */
-            manifest_uri = URI_PREFIX_FILE "manifest";
-            ret = _DkStreamOpen(&manifest_handle, manifest_uri, PAL_ACCESS_RDONLY, 0, 0, 0);
-            if (ret) {
-                INIT_FAIL(PAL_ERROR_DENIED, "Cannot find manifest file");
-            }
-        }
-    }
-
-    /* load manifest if there is one */
-    if (!g_pal_state.manifest_root && manifest_handle) {
-        PAL_STREAM_ATTR attr;
-        ret = _DkStreamAttributesQueryByHandle(manifest_handle, &attr);
-        if (ret < 0)
-            INIT_FAIL(-ret, "Cannot open manifest file");
-
-        void* cfg_addr = NULL;
-        int cfg_size = attr.pending_size;
-
-        ret = _DkStreamMap(manifest_handle, &cfg_addr, PAL_PROT_READ, 0, ALLOC_ALIGN_UP(cfg_size));
-        if (ret < 0)
-            INIT_FAIL(-ret, "Cannot open manifest file");
-
-        char errbuf[256];
-        g_pal_state.manifest_root = toml_parse(cfg_addr, errbuf, sizeof(errbuf));
-        if (!g_pal_state.manifest_root)
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, errbuf);
-    }
-
-    if (g_pal_state.manifest_root) {
-        char* dummy_exec_str = NULL;
-        ret = toml_string_in(g_pal_state.manifest_root, "loader.exec", &dummy_exec_str);
-        if (ret < 0 || dummy_exec_str)
-            INIT_FAIL(PAL_ERROR_INVAL, "loader.exec is not supported anymore. Please update your "
-                                       "manifest according to the current documentation.");
-    }
-
-    /* try to find an executable with the name matching the manifest name */
-    if (!exec_handle && manifest_uri) {
-        size_t exec_uri_len;
-        bool success = false;
-        // try ".manifest"
-        if (strendswith(manifest_uri, ".manifest")) {
-            exec_uri_len = strlen(manifest_uri) - 9;
-            success = true;
-        } else if (strendswith(manifest_uri, ".manifest.sgx")) {
-            exec_uri_len = strlen(manifest_uri) - 13;
-            success = true;
-        }
-
-        if (success) {
-            exec_uri = alloc_concat(manifest_uri, exec_uri_len, NULL, 0);
-            if (!exec_uri)
-                INIT_FAIL(PAL_ERROR_NOMEM, "Cannot allocate URI buf");
-            ret = _DkStreamOpen(&exec_handle, exec_uri, PAL_ACCESS_RDONLY, 0, 0, 0);
-            if (ret < 0)
-                INIT_FAIL(PAL_ERROR_INVAL, "Cannot open the executable");
-        }
-    }
+    char* dummy_exec_str = NULL;
+    ret = toml_string_in(g_pal_state.manifest_root, "loader.exec", &dummy_exec_str);
+    if (ret < 0 || dummy_exec_str)
+        INIT_FAIL(PAL_ERROR_INVAL, "loader.exec is not supported anymore. Please update your "
+                                   "manifest according to the current documentation.");
+    free(dummy_exec_str);
 
     /* must be an ELF */
-    if (exec_handle) {
-        if (exec_loaded_addr) {
-            if (!has_elf_magic(exec_loaded_addr, sizeof(ElfW(Ehdr))))
-                INIT_FAIL(PAL_ERROR_INVAL, "Executable is not an ELF binary");
-        } else {
-            if (!is_elf_object(exec_handle))
-                INIT_FAIL(PAL_ERROR_INVAL, "Executable is not an ELF binary");
-        }
+    if (exec_loaded_addr) {
+        if (!has_elf_magic(exec_loaded_addr, sizeof(ElfW(Ehdr))))
+            INIT_FAIL(PAL_ERROR_INVAL, "Executable is not an ELF binary");
+    } else {
+        if (!is_elf_object(exec_handle))
+            INIT_FAIL(PAL_ERROR_INVAL, "Executable is not an ELF binary");
     }
 
-    g_pal_state.manifest        = manifest_uri;
-    g_pal_state.manifest_handle = manifest_handle;
-    g_pal_state.exec            = exec_uri;
-    g_pal_state.exec_handle     = exec_handle;
+    g_pal_state.exec_handle = exec_handle;
 
     bool disable_aslr = false;
-    if (g_pal_state.manifest_root) {
-        int64_t disable_aslr_int64;
-        ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__disable_aslr",
-                          /*defaultval=*/0, &disable_aslr_int64);
-        if (ret < 0 || (disable_aslr_int64 != 0 && disable_aslr_int64 != 1)) {
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.insecure__disable_aslr\' "
-                                                 "(the value must be 0 or 1)");
-        }
-        disable_aslr = !!disable_aslr_int64;
+    int64_t disable_aslr_int64;
+    ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__disable_aslr",
+                      /*defaultval=*/0, &disable_aslr_int64);
+    if (ret < 0 || (disable_aslr_int64 != 0 && disable_aslr_int64 != 1)) {
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.insecure__disable_aslr\' "
+                                             "(the value must be 0 or 1)");
     }
+    disable_aslr = !!disable_aslr_int64;
 
     /* Load argv */
     /* TODO: Add an option to specify argv inline in the manifest. This requires an upgrade to the
@@ -403,32 +312,28 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
      * resolving https://github.com/oscarlab/graphene/issues/1053 (RFC: graphene invocation).
      */
     bool argv0_overridden = false;
-    if (g_pal_state.manifest_root) {
-        char* argv0_override = NULL;
-        ret = toml_string_in(g_pal_state.manifest_root, "loader.argv0_override", &argv0_override);
-        if (ret < 0)
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.argv0_override\'");
+    char* argv0_override = NULL;
+    ret = toml_string_in(g_pal_state.manifest_root, "loader.argv0_override", &argv0_override);
+    if (ret < 0)
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.argv0_override\'");
 
-        if (argv0_override) {
-            argv0_overridden = true;
-            if (!arguments[0]) {
-                arguments = malloc(sizeof(const char*) * 2);
-                if (!arguments)
-                    INIT_FAIL(PAL_ERROR_NOMEM, "malloc() failed");
-                arguments[1] = NULL;
-            }
-            arguments[0] = argv0_override;
+    if (argv0_override) {
+        argv0_overridden = true;
+        if (!arguments[0]) {
+            arguments = malloc(sizeof(const char*) * 2);
+            if (!arguments)
+                INIT_FAIL(PAL_ERROR_NOMEM, "malloc() failed");
+            arguments[1] = NULL;
         }
+        arguments[0] = argv0_override;
     }
 
     int64_t use_cmdline_argv = 0;
-    if (g_pal_state.manifest_root) {
-        ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__use_cmdline_argv",
-                          /*defaultval=*/0, &use_cmdline_argv);
-        if (ret < 0 || (use_cmdline_argv != 0 && use_cmdline_argv != 1)) {
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse "
-                               "\'loader.insecure__use_cmdline_argv\' (the value must be 0 or 1)");
-        }
+    ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__use_cmdline_argv",
+                      /*defaultval=*/0, &use_cmdline_argv);
+    if (ret < 0 || (use_cmdline_argv != 0 && use_cmdline_argv != 1)) {
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse "
+                           "\'loader.insecure__use_cmdline_argv\' (the value must be 0 or 1)");
     }
 
     if (use_cmdline_argv) {
@@ -440,11 +345,9 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
     } else {
         char* argv_src_file = NULL;
 
-        if (g_pal_state.manifest_root) {
-            ret = toml_string_in(g_pal_state.manifest_root, "loader.argv_src_file", &argv_src_file);
-            if (ret < 0)
-                INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.argv_src_file\'");
-        }
+        ret = toml_string_in(g_pal_state.manifest_root, "loader.argv_src_file", &argv_src_file);
+        if (ret < 0)
+            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.argv_src_file\'");
 
         if (argv_src_file) {
             /* Load argv from a file and discard cmdline argv. We trust the file contents (this can
@@ -465,18 +368,19 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
     }
 
     int64_t use_host_env = 0;
-    if (g_pal_state.manifest_root) {
-        ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__use_host_env",
-                          /*defaultval=*/0, &use_host_env);
-        if (ret < 0 || (use_host_env != 0 && use_host_env != 1)) {
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse "
-                               "\'loader.insecure__use_host_env\' (the value must be 0 or 1)");
-        }
+    ret = toml_int_in(g_pal_state.manifest_root, "loader.insecure__use_host_env",
+                      /*defaultval=*/0, &use_host_env);
+    if (ret < 0 || (use_host_env != 0 && use_host_env != 1)) {
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse "
+                           "\'loader.insecure__use_host_env\' (the value must be 0 or 1)");
     }
 
     if (use_host_env) {
-        printf("WARNING: Forwarding host environment variables to the app is enabled. Don't use "
-               "this configuration in production!\n");
+        /* Warn only in the first process. */
+        if (!parent_process) {
+            printf("WARNING: Forwarding host environment variables to the app is enabled. Don't "
+                   "use this configuration in production!\n");
+        }
     } else {
         environments = malloc(sizeof(*environments));
         if (!environments)
@@ -485,11 +389,9 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
     }
 
     char* env_src_file = NULL;
-    if (g_pal_state.manifest_root) {
-        ret = toml_string_in(g_pal_state.manifest_root, "loader.env_src_file", &env_src_file);
-        if (ret < 0)
-            INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.env_src_file\'");
-    }
+    ret = toml_string_in(g_pal_state.manifest_root, "loader.env_src_file", &env_src_file);
+    if (ret < 0)
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, "Cannot parse \'loader.env_src_file\'");
 
     if (use_host_env && env_src_file)
         INIT_FAIL(PAL_ERROR_INVAL, "Wrong manifest configuration - cannot use "
@@ -513,23 +415,20 @@ noreturn void pal_main(PAL_NUM instance_id,        /* current instance id */
 
     load_libraries();
 
-    if (exec_handle) {
-        if (exec_loaded_addr) {
-            ret = add_elf_object(exec_loaded_addr, exec_handle, OBJECT_EXEC);
-        } else {
-            ret = load_elf_object_by_handle(exec_handle, OBJECT_EXEC);
-        }
-
-        if (ret < 0)
-            INIT_FAIL(-ret, pal_strerror(ret));
+    if (exec_loaded_addr) {
+        ret = add_elf_object(exec_loaded_addr, exec_handle, OBJECT_EXEC);
+    } else {
+        ret = load_elf_object_by_handle(exec_handle, OBJECT_EXEC);
     }
+    if (ret < 0)
+        INIT_FAIL(-ret, pal_strerror(ret));
 
     set_debug_type();
 
     g_pal_control.host_type       = XSTRINGIFY(HOST_TYPE);
     g_pal_control.process_id      = _DkGetProcessId();
     g_pal_control.host_id         = _DkGetHostId();
-    g_pal_control.manifest_handle = manifest_handle;
+    g_pal_control.manifest_root   = g_pal_state.manifest_root;
     g_pal_control.executable      = exec_uri;
     g_pal_control.parent_process  = parent_process;
     g_pal_control.first_thread    = first_thread;
diff --git a/Pal/src/host/Linux-SGX/Makefile b/Pal/src/host/Linux-SGX/Makefile
index e464a62b..5deaa29a 100644
--- a/Pal/src/host/Linux-SGX/Makefile
+++ b/Pal/src/host/Linux-SGX/Makefile
@@ -34,7 +34,7 @@ CFLAGS += $(defs)
 ASFLAGS += $(defs)
 
 commons_objs_encl = bogomips.o
-commons_objs_urts = main_exec_path.o
+commons_objs_urts = file_utils.o main_exec_path.o
 
 enclave-objs = \
 	db_devices.o \
diff --git a/Pal/src/host/Linux-SGX/db_main.c b/Pal/src/host/Linux-SGX/db_main.c
index e1ec3a43..4444ba42 100644
--- a/Pal/src/host/Linux-SGX/db_main.c
+++ b/Pal/src/host/Linux-SGX/db_main.c
@@ -193,6 +193,10 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
         ocall_exit(1, /*is_exitgroup=*/true);
     }
 
+    /* Initialize alloc_align as early as possible, a lot of PAL APIs depend on this being set. */
+    g_pal_state.alloc_align = _DkGetAllocationAlignment();
+    assert(IS_POWER_OF_2(g_pal_state.alloc_align));
+
     struct pal_sec sec_info;
     if (!sgx_copy_to_enclave(&sec_info, sizeof(sec_info), uptr_sec_info, sizeof(*uptr_sec_info))) {
         SGX_DBG(DBG_E, "Copying sec_info into the enclave failed\n");
@@ -240,9 +244,6 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
     COPY_ARRAY(g_pal_sec.exec_name, sec_info.exec_name);
     g_pal_sec.exec_name[sizeof(g_pal_sec.exec_name) - 1] = '\0';
 
-    COPY_ARRAY(g_pal_sec.manifest_name, sec_info.manifest_name);
-    g_pal_sec.manifest_name[sizeof(g_pal_sec.manifest_name) - 1] = '\0';
-
     g_pal_sec.stream_fd = sec_info.stream_fd;
 
     COPY_ARRAY(g_pal_sec.pipe_prefix, sec_info.pipe_prefix);
@@ -306,9 +307,6 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
     /* now we can add a link map for PAL itself */
     setup_pal_map(&g_pal_map);
 
-    /* Set the alignment early */
-    g_pal_state.alloc_align = g_page_size;
-
     /* initialize enclave properties */
     rv = init_enclave();
     if (rv) {
@@ -379,9 +377,8 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
      * read anything.
      */
 
-    PAL_HANDLE manifest, exec = NULL;
+    PAL_HANDLE exec = NULL;
 
-    manifest = setup_dummy_file_handle(g_pal_sec.manifest_name);
     exec = setup_dummy_file_handle(g_pal_sec.exec_name);
 
     uint64_t manifest_size = GET_ENCLAVE_TLS(manifest_size);
@@ -390,7 +387,7 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
     g_pal_control.manifest_preload.start = (PAL_PTR)manifest_addr;
     g_pal_control.manifest_preload.end   = (PAL_PTR)manifest_addr + manifest_size;
 
-    /* parse manifest data into config storage */
+    /* parse manifest */
     char errbuf[256];
     toml_table_t* manifest_root = toml_parse(manifest_addr, errbuf, sizeof(errbuf));
     if (!manifest_root) {
@@ -399,6 +396,7 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
                 "  (in particular, string values must be put in double quotes)\n", errbuf);
         ocall_exit(1, /*is_exitgroup=*/true);
     }
+    g_pal_state.raw_manifest_data = manifest_addr;
     g_pal_state.manifest_root = manifest_root;
 
     ret = toml_sizestring_in(g_pal_state.manifest_root, "loader.pal_internal_mem_size",
@@ -450,6 +448,6 @@ noreturn void pal_linux_main(char* uptr_libpal_uri, size_t libpal_uri_len, char*
     SET_ENCLAVE_TLS(thread, &first_thread->thread);
 
     /* call main function */
-    pal_main(g_pal_sec.instance_id, manifest, exec, g_pal_sec.exec_addr, parent, first_thread,
-             arguments, environments);
+    pal_main(g_pal_sec.instance_id, exec, g_pal_sec.exec_addr, parent, first_thread, arguments,
+             environments);
 }
diff --git a/Pal/src/host/Linux-SGX/db_misc.c b/Pal/src/host/Linux-SGX/db_misc.c
index fea8ac33..0a3f6bc3 100644
--- a/Pal/src/host/Linux-SGX/db_misc.c
+++ b/Pal/src/host/Linux-SGX/db_misc.c
@@ -397,8 +397,6 @@ int _DkAttestationQuote(const PAL_PTR user_report_data, PAL_NUM user_report_data
     sgx_spid_t spid;
     bool linkable;
 
-    assert(g_pal_state.manifest_root);
-
     /* read sgx.ra_client_spid from manifest (must be hex string) */
     char* ra_client_spid_str = NULL;
     ret = toml_string_in(g_pal_state.manifest_root, "sgx.ra_client_spid", &ra_client_spid_str);
diff --git a/Pal/src/host/Linux-SGX/enclave_framework.c b/Pal/src/host/Linux-SGX/enclave_framework.c
index 91859843..d551c2d5 100644
--- a/Pal/src/host/Linux-SGX/enclave_framework.c
+++ b/Pal/src/host/Linux-SGX/enclave_framework.c
@@ -705,7 +705,6 @@ static int init_trusted_file(const char* key, const char* uri) {
     int ret;
 
     /* read sgx.trusted_checksum.<key> entry from manifest */
-    assert(g_pal_state.manifest_root);
     char* fullkey = alloc_concat("sgx.trusted_checksum.", static_strlen("sgx.trusted_checksum."),
                                  key, strlen(key));
     if (!fullkey)
diff --git a/Pal/src/host/Linux-SGX/enclave_pf.c b/Pal/src/host/Linux-SGX/enclave_pf.c
index 79ec01c1..103df8b7 100644
--- a/Pal/src/host/Linux-SGX/enclave_pf.c
+++ b/Pal/src/host/Linux-SGX/enclave_pf.c
@@ -406,7 +406,6 @@ out:
 /* Read PF paths from manifest and register them */
 static int register_protected_files(void) {
     int ret;
-    assert(g_pal_state.manifest_root);
     toml_table_t* manifest_sgx = toml_table_in(g_pal_state.manifest_root, "sgx");
     if (!manifest_sgx)
         return 0;
@@ -462,8 +461,6 @@ int init_protected_files(void) {
     pf_set_callbacks(cb_read, cb_write, cb_truncate, cb_aes_gcm_encrypt, cb_aes_gcm_decrypt,
                      cb_random, debug_callback);
 
-    assert(g_pal_state.manifest_root);
-
     /* if wrap key is not hard-coded in the manifest, assume that it was received from parent or
      * it will be provisioned after local/remote attestation; otherwise read it from manifest */
     char* protected_files_key_str = NULL;
diff --git a/Pal/src/host/Linux-SGX/pal_linux.h b/Pal/src/host/Linux-SGX/pal_linux.h
index 99080fd2..0b742d36 100644
--- a/Pal/src/host/Linux-SGX/pal_linux.h
+++ b/Pal/src/host/Linux-SGX/pal_linux.h
@@ -287,7 +287,8 @@ int _DkStreamSecureSave(LIB_SSL_CONTEXT* ssl_ctx, const uint8_t** obuf, size_t*
 
 #else
 
-int sgx_create_process(const char* uri, size_t nargs, const char** args, int* stream_fd);
+int sgx_create_process(const char* uri, size_t nargs, const char** args, int* stream_fd,
+                       const char* manifest);
 
 #ifdef DEBUG
 #ifndef SIGCHLD
diff --git a/Pal/src/host/Linux-SGX/pal_security.h b/Pal/src/host/Linux-SGX/pal_security.h
index 03de5d64..a643af70 100644
--- a/Pal/src/host/Linux-SGX/pal_security.h
+++ b/Pal/src/host/Linux-SGX/pal_security.h
@@ -28,8 +28,6 @@ struct pal_sec {
     PAL_PTR     exec_addr;
     PAL_NUM     exec_size;
 
-    PAL_SEC_STR manifest_name;
-
     /* child's stream FD created and sent over by parent */
     PAL_IDX stream_fd;
 
diff --git a/Pal/src/host/Linux-SGX/sgx_enclave.c b/Pal/src/host/Linux-SGX/sgx_enclave.c
index b2405554..c7e5ef7f 100644
--- a/Pal/src/host/Linux-SGX/sgx_enclave.c
+++ b/Pal/src/host/Linux-SGX/sgx_enclave.c
@@ -1,3 +1,6 @@
+/* SPDX-License-Identifier: LGPL-3.0-or-later */
+/* Copyright (C) 2014 Stony Brook University
+ */
 #include "sgx_enclave.h"
 
 #include <asm/errno.h>
@@ -14,6 +17,7 @@
 
 #include "cpu.h"
 #include "ecall_types.h"
+#include "linux_utils.h"
 #include "ocall_types.h"
 #include "pal_linux_error.h"
 #include "pal_security.h"
@@ -288,13 +292,34 @@ static long sgx_ocall_clone_thread(void* pms) {
 }
 
 static long sgx_ocall_create_process(void* pms) {
+    long ret;
+    char* manifest = NULL;
+    char* manifest_path = NULL;
+
     ms_ocall_create_process_t* ms = (ms_ocall_create_process_t*)pms;
     ODEBUG(OCALL_CREATE_PROCESS, ms);
-    long ret = sgx_create_process(ms->ms_uri, ms->ms_nargs, ms->ms_args, &ms->ms_stream_fd);
-    if (ret < 0)
-        return ret;
+
+    /* Temporary solution, will be removed after introduction of centralized manifests. */
+    manifest_path = alloc_concat(ms->ms_uri + URI_PREFIX_FILE_LEN, -1, ".manifest.sgx", -1);
+    if (!manifest_path) {
+        ret = -ENOMEM;
+        goto out;
+    }
+    ret = read_text_file_to_cstr(manifest_path, &manifest);
+    if (ret < 0) {
+        goto out;
+    }
+
+    ret = sgx_create_process(ms->ms_uri, ms->ms_nargs, ms->ms_args, &ms->ms_stream_fd, manifest);
+    if (ret < 0) {
+        goto out;
+    }
     ms->ms_pid = ret;
-    return 0;
+    ret = 0;
+out:
+    free(manifest_path);
+    free(manifest);
+    return ret;
 }
 
 static long sgx_ocall_futex(void* pms) {
diff --git a/Pal/src/host/Linux-SGX/sgx_framework.c b/Pal/src/host/Linux-SGX/sgx_framework.c
index dbf94df9..dd181916 100644
--- a/Pal/src/host/Linux-SGX/sgx_framework.c
+++ b/Pal/src/host/Linux-SGX/sgx_framework.c
@@ -288,6 +288,9 @@ int add_pages_to_enclave(sgx_arch_secs_t* secs, void* addr, void* user_addr, uns
         .flags   = skip_eextend ? 0 : SGX_PAGE_MEASURE,
         .count   = 0, /* output parameter, will be checked after IOCTL */
     };
+    /* DCAP and in-kernel drivers require aligned data */
+    assert(IS_ALIGNED_POW2(param.src, g_page_size));
+    assert(IS_ALIGNED_POW2(param.offset, g_page_size));
 
     /* NOTE: SGX driver v39 removes `count` field and returns "number of bytes added" as return
      * value directly in `ret`. It also caps the maximum number of bytes to be added as 1MB, or 256
diff --git a/Pal/src/host/Linux-SGX/sgx_internal.h b/Pal/src/host/Linux-SGX/sgx_internal.h
index 52cd5f2d..25fe821a 100644
--- a/Pal/src/host/Linux-SGX/sgx_internal.h
+++ b/Pal/src/host/Linux-SGX/sgx_internal.h
@@ -50,21 +50,22 @@ uint16_t ntohs(uint16_t shortval);
 
 extern struct pal_enclave {
     /* attributes */
+    bool is_first_process; // Initial process in Graphene namespace is special.
     unsigned long baseaddr;
     unsigned long size;
     unsigned long thread_num;
     unsigned long rpc_thread_num;
     unsigned long ssaframesize;
+    bool use_static_address;
+    bool remote_attestation_enabled;
+    bool use_epid_attestation; /* Valid only if `remote_attestation_enabled` is true, selects
+                                * EPID/DCAP attestation scheme. */
 
     /* files */
-    int manifest;
     int exec;
     int sigfile;
     int token;
 
-    /* manifest */
-    toml_table_t* manifest_root;
-
     /* Path to the PAL binary */
     char* libpal_uri;
 
@@ -140,7 +141,7 @@ void thread_exit(int status);
 uint64_t sgx_edbgrd(void* addr);
 void sgx_edbgwr(void* addr, uint64_t data);
 
-int sgx_init_child_process(int parent_pipe_fd, struct pal_sec* pal_sec);
+int sgx_init_child_process(int parent_pipe_fd, struct pal_sec* pal_sec, char** manifest);
 int sgx_signal_setup(void);
 int block_signals(bool block, const int* sigs, int nsig);
 int block_async_signals(bool block);
diff --git a/Pal/src/host/Linux-SGX/sgx_main.c b/Pal/src/host/Linux-SGX/sgx_main.c
index c1ef79be..f3f4a7cb 100644
--- a/Pal/src/host/Linux-SGX/sgx_main.c
+++ b/Pal/src/host/Linux-SGX/sgx_main.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-3.0-or-later */
 /* Copyright (C) 2014 Stony Brook University
  * Copyright (C) 2020 Intel Corporation
+ *                    Michał Kowalczyk <mkow@invisiblethingslab.com>
  * Copyright (C) 2020 Invisible Things Lab
  *                    Michał Kowalczyk <mkow@invisiblethingslab.com>
  */
@@ -172,7 +173,7 @@ static int load_enclave_binary(sgx_arch_secs_t* secs, int fd, unsigned long base
     return 0;
 }
 
-static int initialize_enclave(struct pal_enclave* enclave) {
+static int initialize_enclave(struct pal_enclave* enclave, const char* manifest_to_measure) {
     int ret = 0;
     int enclave_image = -1;
     sgx_arch_token_t enclave_token;
@@ -193,93 +194,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
         goto out;
     }
 
-    assert(enclave->manifest_root);
-
-    ret = toml_sizestring_in(enclave->manifest_root, "sgx.enclave_size", /*defaultval=*/0,
-                             &enclave->size);
-    if (ret < 0) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.enclave_size\' "
-                       "(the value must be put in double quotes!)\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    if (!enclave->size || !IS_POWER_OF_2(enclave->size)) {
-        SGX_DBG(DBG_E, "Enclave size not a power of two (an SGX-imposed requirement)\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    int64_t thread_num_int64;
-    ret = toml_int_in(enclave->manifest_root, "sgx.thread_num", /*defaultval=*/0,
-                      &thread_num_int64);
-    if (ret < 0) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.thread_num\'\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    if (thread_num_int64 < 0) {
-        SGX_DBG(DBG_E, "Negative \'sgx.thread_num\' is impossible\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    enclave->thread_num = thread_num_int64;
-
-    if (!enclave->thread_num) {
-        SGX_DBG(DBG_I, "Number of enclave threads (\'sgx.thread_num\') is not specified; "
-                       "assumed to be 1\n");
-        enclave->thread_num = 1;
-    }
-
-    if (enclave->thread_num > MAX_DBG_THREADS) {
-        SGX_DBG(DBG_E, "Too large \'sgx.thread_num\', maximum allowed is %d\n", MAX_DBG_THREADS);
-        ret = -EINVAL;
-        goto out;
-    }
-
-    int64_t rpc_thread_num_int64;
-    ret = toml_int_in(enclave->manifest_root, "sgx.rpc_thread_num", /*defaultval=*/0,
-                      &rpc_thread_num_int64);
-    if (ret < 0) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.rpc_thread_num\'\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    if (rpc_thread_num_int64 < 0) {
-        SGX_DBG(DBG_E, "Negative \'sgx.rpc_thread_num\' is impossible\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    enclave->rpc_thread_num = rpc_thread_num_int64;
-
-    if (enclave->rpc_thread_num > MAX_RPC_THREADS) {
-        SGX_DBG(DBG_E, "Too large \'sgx.rpc_thread_num\', maximum allowed is %d\n",
-                MAX_RPC_THREADS);
-        ret = -EINVAL;
-        goto out;
-    }
-
-    if (enclave->rpc_thread_num && enclave->thread_num > RPC_QUEUE_SIZE) {
-        SGX_DBG(DBG_E,
-                "Too many threads for exitless feature (more than capacity of RPC queue)\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    int64_t static_address;
-    ret = toml_int_in(enclave->manifest_root, "sgx.static_address", /*defaultval=*/0,
-                      &static_address);
-    if (ret < 0 || (static_address != 0 && static_address != 1)) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.static_address\' (the value must be 0 or 1)\n");
-        ret = -EINVAL;
-        goto out;
-    }
-
-    if (static_address) {
+    if (enclave->use_static_address) {
         /* executable is static, i.e. it is non-PIE: enclave base address must cover code segment
          * loaded at 0x400000, and heap cannot start at zero (modern OSes do not allow this) */
         enclave->baseaddr = DEFAULT_ENCLAVE_BASE;
@@ -291,16 +206,6 @@ static int initialize_enclave(struct pal_enclave* enclave) {
         enclave_heap_min  = 0;
     }
 
-    int64_t enable_stats_int64;
-    ret = toml_int_in(enclave->manifest_root, "sgx.enable_stats", /*defaultval=*/0,
-                      &enable_stats_int64);
-    if (ret < 0 || (enable_stats_int64 != 0 && enable_stats_int64 != 1)) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.enable_stats\' (the value must be 0 or 1)\n");
-        ret = -EINVAL;
-        goto out;
-    }
-    g_sgx_enable_stats = !!enable_stats_int64;
-
     ret = read_enclave_token(enclave->token, &enclave_token);
     if (ret < 0) {
         SGX_DBG(DBG_E, "Reading enclave token failed: %d\n", -ret);
@@ -325,21 +230,26 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
     enclave->ssaframesize = enclave_secs.ssa_frame_size * g_page_size;
 
-    struct stat stat;
-    ret = INLINE_SYSCALL(fstat, 2, enclave->manifest, &stat);
-    if (IS_ERR(ret)) {
-        SGX_DBG(DBG_E, "Reading manifest file's size failed: %d\n", -ret);
-        ret = -ERRNO(ret);
-        goto out;
-    }
-    int manifest_size = stat.st_size;
-
     /* Start populating enclave memory */
     struct mem_area {
         const char* desc;
         bool skip_eextend;
-        int fd;
-        bool is_binary; /* only meaningful if fd != -1 */
+
+        enum {
+            ELF_FD, // read from `fd` and parse as ELF
+            ZERO,
+            BUF,
+            TCS,
+            TLS
+        } data_src;
+        union {
+            int fd; // valid iff data_src == ELF_FD
+            struct { // valid iff data_src == BUF
+                const char* buf;
+                size_t buf_size;
+            };
+        };
+
         unsigned long addr, size, prot;
         enum sgx_page_type type;
     };
@@ -356,10 +266,12 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     /* The manifest needs to be allocated at the upper end of the enclave
      * memory. That's used by pal_linux_main to find the manifest area. So add
      * it first to the list with memory areas. */
+    size_t manifest_size = strlen(manifest_to_measure) + 1;
     areas[area_num] = (struct mem_area){.desc         = "manifest",
                                         .skip_eextend = false,
-                                        .fd           = enclave->manifest,
-                                        .is_binary    = false,
+                                        .data_src     = BUF,
+                                        .buf          = manifest_to_measure,
+                                        .buf_size     = manifest_size,
                                         .addr         = 0,
                                         .size         = ALLOC_ALIGN_UP(manifest_size),
                                         .prot         = PROT_READ,
@@ -369,8 +281,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     areas[area_num] =
         (struct mem_area){.desc         = "ssa",
                           .skip_eextend = false,
-                          .fd           = -1,
-                          .is_binary    = false,
+                          .data_src     = ZERO,
                           .addr         = 0,
                           .size         = enclave->thread_num * enclave->ssaframesize * SSAFRAMENUM,
                           .prot         = PROT_READ | PROT_WRITE,
@@ -379,8 +290,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
     areas[area_num] = (struct mem_area){.desc = "tcs",
                                         .skip_eextend = false,
-                                        .fd           = -1,
-                                        .is_binary    = false,
+                                        .data_src     = TCS,
                                         .addr         = 0,
                                         .size         = enclave->thread_num * g_page_size,
                                         .prot         = PROT_READ | PROT_WRITE,
@@ -389,8 +299,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
     areas[area_num] = (struct mem_area){.desc         = "tls",
                                         .skip_eextend = false,
-                                        .fd           = -1,
-                                        .is_binary    = false,
+                                        .data_src     = TLS,
                                         .addr         = 0,
                                         .size         = enclave->thread_num * g_page_size,
                                         .prot         = PROT_READ | PROT_WRITE,
@@ -401,8 +310,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     for (uint32_t t = 0; t < enclave->thread_num; t++) {
         areas[area_num] = (struct mem_area){.desc         = "stack",
                                             .skip_eextend = false,
-                                            .fd           = -1,
-                                            .is_binary    = false,
+                                            .data_src     = ZERO,
                                             .addr         = 0,
                                             .size         = ENCLAVE_STACK_SIZE,
                                             .prot         = PROT_READ | PROT_WRITE,
@@ -414,8 +322,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     for (uint32_t t = 0; t < enclave->thread_num; t++) {
         areas[area_num] = (struct mem_area){.desc         = "sig_stack",
                                             .skip_eextend = false,
-                                            .fd           = -1,
-                                            .is_binary    = false,
+                                            .data_src     = ZERO,
                                             .addr         = 0,
                                             .size         = ENCLAVE_SIG_STACK_SIZE,
                                             .prot         = PROT_READ | PROT_WRITE,
@@ -425,10 +332,9 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
     areas[area_num] = (struct mem_area){.desc         = "pal",
                                         .skip_eextend = false,
+                                        .data_src     = ELF_FD,
                                         .fd           = enclave_image,
-                                        .is_binary    = true,
-                                        .addr         = 0,
-                                        .size         = 0 /* set below */,
+                                        /* `addr` and `size` are set below */
                                         .prot         = 0,
                                         .type         = SGX_PAGE_REG};
     struct mem_area* pal_area = &areas[area_num++];
@@ -442,10 +348,9 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     struct mem_area* exec_area = NULL;
     areas[area_num] = (struct mem_area){.desc         = "exec",
                                         .skip_eextend = false,
+                                        .data_src     = ELF_FD,
                                         .fd           = enclave->exec,
-                                        .is_binary    = true,
-                                        .addr         = 0,
-                                        .size         = 0 /* set below */,
+                                        /* `addr` and `size` are set below */
                                         .prot         = PROT_WRITE,
                                         .type         = SGX_PAGE_REG};
     exec_area = &areas[area_num++];
@@ -468,7 +373,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
     if (exec_area) {
         if (exec_area->addr + exec_area->size > pal_area->addr) {
-            SGX_DBG(DBG_E, "Application binary overlaps with Pal binary\n");
+            SGX_DBG(DBG_E, "Application binary overlaps with PAL binary\n");
             ret = -EINVAL;
             goto out;
         }
@@ -481,8 +386,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
 
                 areas[area_num] = (struct mem_area){.desc         = "free",
                                                     .skip_eextend = true,
-                                                    .fd           = -1,
-                                                    .is_binary    = false,
+                                                    .data_src     = ZERO,
                                                     .addr         = addr,
                                                     .size         = populating - addr,
                                                     .prot = PROT_READ | PROT_WRITE | PROT_EXEC,
@@ -497,8 +401,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     if (populating > enclave_heap_min) {
         areas[area_num] = (struct mem_area){.desc         = "free",
                                             .skip_eextend = true,
-                                            .fd           = -1,
-                                            .is_binary    = false,
+                                            .data_src     = ZERO,
                                             .addr         = enclave_heap_min,
                                             .size         = populating - enclave_heap_min,
                                             .prot         = PROT_READ | PROT_WRITE | PROT_EXEC,
@@ -507,7 +410,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
     }
 
     for (int i = 0; i < area_num; i++) {
-        if (areas[i].fd != -1 && areas[i].is_binary) {
+        if (areas[i].data_src == ELF_FD) {
             ret = load_enclave_binary(&enclave_secs, areas[i].fd, areas[i].addr, areas[i].prot);
             if (ret < 0) {
                 SGX_DBG(DBG_E, "Loading enclave binary failed: %d\n", -ret);
@@ -517,16 +420,17 @@ static int initialize_enclave(struct pal_enclave* enclave) {
         }
 
         void* data = NULL;
-
-        if (!strcmp(areas[i].desc, "tls")) {
+        if (areas[i].data_src != ZERO) {
             data = (void*)INLINE_SYSCALL(mmap, 6, NULL, areas[i].size, PROT_READ | PROT_WRITE,
                                          MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
             if (IS_ERR_P(data) || data == NULL) {
                 /* Note that Graphene currently doesn't handle 0x0 addresses */
-                SGX_DBG(DBG_E, "Allocating memory for tls pages failed\n");
+                SGX_DBG(DBG_E, "Allocating memory failed\n");
                 goto out;
             }
+        }
 
+        if (areas[i].data_src == TLS) {
             for (uint32_t t = 0; t < enclave->thread_num; t++) {
                 struct enclave_tls* gs = data + g_page_size * t;
                 memset(gs, 0, g_page_size);
@@ -550,15 +454,7 @@ static int initialize_enclave(struct pal_enclave* enclave) {
                 }
                 gs->thread = NULL;
             }
-        } else if (!strcmp(areas[i].desc, "tcs")) {
-            data = (void*)INLINE_SYSCALL(mmap, 6, NULL, areas[i].size, PROT_READ | PROT_WRITE,
-                                         MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
-            if (IS_ERR_P(data) || data == NULL) {
-                /* Note that Graphene currently doesn't handle 0x0 addresses */
-                SGX_DBG(DBG_E, "Allocating memory for tcs pages failed\n");
-                goto out;
-            }
-
+        } else if (areas[i].data_src == TCS) {
             for (uint32_t t = 0; t < enclave->thread_num; t++) {
                 sgx_arch_tcs_t* tcs = data + g_page_size * t;
                 memset(tcs, 0, g_page_size);
@@ -571,14 +467,10 @@ static int initialize_enclave(struct pal_enclave* enclave) {
                 tcs->ogs_limit = 0xfff;
                 tcs_addrs[t] = (void*)enclave_secs.base + tcs_area->addr + g_page_size * t;
             }
-        } else if (areas[i].fd != -1) {
-            data = (void*)INLINE_SYSCALL(mmap, 6, NULL, areas[i].size, PROT_READ,
-                                         MAP_FILE | MAP_PRIVATE, areas[i].fd, 0);
-            if (IS_ERR_P(data) || data == NULL) {
-                /* Note that Graphene currently doesn't handle 0x0 addresses */
-                SGX_DBG(DBG_E, "Allocating memory for file %s failed\n", areas[i].desc);
-                goto out;
-            }
+        } else if (areas[i].data_src == BUF) {
+            memcpy(data, areas[i].buf, areas[i].buf_size);
+        } else {
+            assert(areas[i].data_src == ZERO);
         }
 
         ret = add_pages_to_enclave(&enclave_secs, (void*)areas[i].addr, data, areas[i].size,
@@ -666,26 +558,13 @@ static void create_instance(struct pal_sec* pal_sec) {
     pal_sec->instance_id = id;
 }
 
-static int load_manifest(int fd, toml_table_t** manifest_root_ptr) {
+static int parse_loader_config(char* loader_config, struct pal_enclave* enclave_info) {
     int ret = 0;
     toml_table_t* manifest_root = NULL;
-
-    int nbytes = INLINE_SYSCALL(lseek, 3, fd, 0, SEEK_END);
-    if (IS_ERR(nbytes)) {
-        SGX_DBG(DBG_E, "Cannot detect size of manifest file\n");
-        return -ERRNO(nbytes);
-    }
-
-    void* manifest_addr = (void*)INLINE_SYSCALL(mmap, 6, NULL, nbytes, PROT_READ, MAP_PRIVATE, fd,
-                                                0);
-    if (IS_ERR_P(manifest_addr)) {
-        SGX_DBG(DBG_E, "Cannot mmap manifest file\n");
-        ret = -ERRNO_P(manifest_addr);
-        goto out;
-    }
+    char* sgx_ra_client_spid_str = NULL;
 
     char errbuf[256];
-    manifest_root = toml_parse(manifest_addr, errbuf, sizeof(errbuf));
+    manifest_root = toml_parse(loader_config, errbuf, sizeof(errbuf));
     if (!manifest_root) {
         SGX_DBG(DBG_E, "PAL failed at parsing the manifest: %s\n"
                 "  Graphene switched to the TOML format recently, please update the manifest\n"
@@ -694,15 +573,151 @@ static int load_manifest(int fd, toml_table_t** manifest_root_ptr) {
         goto out;
     }
 
-    *manifest_root_ptr = manifest_root;
+    ret = toml_sizestring_in(manifest_root, "sgx.enclave_size", /*defaultval=*/0,
+                             &enclave_info->size);
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.enclave_size\' "
+                       "(the value must be put in double quotes!)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    if (!enclave_info->size || !IS_POWER_OF_2(enclave_info->size)) {
+        SGX_DBG(DBG_E, "Enclave size not a power of two (an SGX-imposed requirement)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    int64_t thread_num_int64;
+    ret = toml_int_in(manifest_root, "sgx.thread_num", /*defaultval=*/0, &thread_num_int64);
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.thread_num\'\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    if (thread_num_int64 < 0) {
+        SGX_DBG(DBG_E, "Negative \'sgx.thread_num\' is impossible\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    enclave_info->thread_num = thread_num_int64;
+
+    if (!enclave_info->thread_num) {
+        SGX_DBG(DBG_I, "Number of enclave threads (\'sgx.thread_num\') is not specified; "
+                       "assumed to be 1\n");
+        enclave_info->thread_num = 1;
+    }
+
+    if (enclave_info->thread_num > MAX_DBG_THREADS) {
+        SGX_DBG(DBG_E, "Too large \'sgx.thread_num\', maximum allowed is %d\n", MAX_DBG_THREADS);
+        ret = -EINVAL;
+        goto out;
+    }
+
+    int64_t rpc_thread_num_int64;
+    ret = toml_int_in(manifest_root, "sgx.rpc_thread_num", /*defaultval=*/0, &rpc_thread_num_int64);
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.rpc_thread_num\'\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    if (rpc_thread_num_int64 < 0) {
+        SGX_DBG(DBG_E, "Negative \'sgx.rpc_thread_num\' is impossible\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    enclave_info->rpc_thread_num = rpc_thread_num_int64;
+
+    if (enclave_info->rpc_thread_num > MAX_RPC_THREADS) {
+        SGX_DBG(DBG_E, "Too large \'sgx.rpc_thread_num\', maximum allowed is %d\n",
+                MAX_RPC_THREADS);
+        ret = -EINVAL;
+        goto out;
+    }
+
+    if (enclave_info->rpc_thread_num && enclave_info->thread_num > RPC_QUEUE_SIZE) {
+        SGX_DBG(DBG_E, "Too many threads for exitless feature (more than capacity of RPC queue)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    int64_t static_address;
+    ret = toml_int_in(manifest_root, "sgx.static_address", /*defaultval=*/0, &static_address);
+    if (ret < 0 || (static_address != 0 && static_address != 1)) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.static_address\' (the value must be 0 or 1)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+    enclave_info->use_static_address = !!static_address;
+
+    int64_t enable_stats_int64;
+    ret = toml_int_in(manifest_root, "sgx.enable_stats", /*defaultval=*/0, &enable_stats_int64);
+    if (ret < 0 || (enable_stats_int64 != 0 && enable_stats_int64 != 1)) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.enable_stats\' (the value must be 0 or 1)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+    g_sgx_enable_stats = !!enable_stats_int64;
+
+    char* dummy_sigfile_str = NULL;
+    ret = toml_string_in(manifest_root, "sgx.sigfile", &dummy_sigfile_str);
+    if (ret < 0 || dummy_sigfile_str) {
+        SGX_DBG(DBG_E, "sgx.sigfile is not supported anymore. Please update your manifest "
+                       "according to the current documentation.\n");
+        ret = -EINVAL;
+        goto out;
+    }
+    free(dummy_sigfile_str);
+
+    int64_t sgx_remote_attestation_int;
+    ret = toml_int_in(manifest_root, "sgx.remote_attestation", /*defaultval=*/0,
+                      &sgx_remote_attestation_int);
+    if (ret < 0 || (sgx_remote_attestation_int != 0 && sgx_remote_attestation_int != 1)) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.remote_attestation\' (the value must be 0 or 1)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+    enclave_info->remote_attestation_enabled = !!sgx_remote_attestation_int;
+
+    ret = toml_string_in(manifest_root, "sgx.ra_client_spid", &sgx_ra_client_spid_str);
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.ra_client_spid\' "
+                       "(the value must be put in double quotes!)\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    int64_t sgx_ra_client_linkable_int;
+    ret = toml_int_in(manifest_root, "sgx.ra_client_linkable", /*defaultval=*/-1,
+                      &sgx_ra_client_linkable_int);
+    if (ret < 0) {
+        SGX_DBG(DBG_E, "Cannot parse \'sgx.ra_client_linkable\'\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    if (!enclave_info->remote_attestation_enabled &&
+            (sgx_ra_client_spid_str || sgx_ra_client_linkable_int >= 0)) {
+        SGX_DBG(DBG_E,
+                "Detected EPID remote attestation parameters \'ra_client_spid\' and/or "
+                "\'ra_client_linkable\' in the manifest but no \'remote_attestation\' parameter. "
+                "Please add \'sgx.remote_attestation = 1\' to the manifest.\n");
+        ret = -EINVAL;
+        goto out;
+    }
+
+    /* EPID is used if SPID is a non-empty string in manifest, otherwise DCAP/ECDSA */
+    enclave_info->use_epid_attestation = sgx_ra_client_spid_str && strlen(sgx_ra_client_spid_str);
+
     ret = 0;
 
 out:
-    if (ret < 0) {
-        toml_free(manifest_root);
-        if (!IS_ERR_P(manifest_addr))
-            INLINE_SYSCALL(munmap, 2, manifest_addr, nbytes);
-    }
+    free(sgx_ra_client_spid_str);
+    toml_free(manifest_root);
     return ret;
 }
 
@@ -767,9 +782,8 @@ static int get_hw_resource(const char* filename, bool count) {
 
 /* Warning: This function does not free up resources on failure - it assumes that the whole process
  * exits after this function's failure. */
-static int load_enclave(struct pal_enclave* enclave, int manifest_fd, char* manifest_path,
-                        char* exec_path, char* args, size_t args_size, char* env, size_t env_size,
-                        bool need_gsgx) {
+static int load_enclave(struct pal_enclave* enclave, char* loader_config, const char* exec_path,
+                        char* args, size_t args_size, char* env, size_t env_size, bool need_gsgx) {
     struct pal_sec* pal_sec = &enclave->pal_sec;
     int ret;
     size_t exec_path_len = strlen(exec_path);
@@ -857,11 +871,9 @@ static int load_enclave(struct pal_enclave* enclave, int manifest_fd, char* mani
     enclave->debug_map = NULL;
 #endif
 
-    enclave->manifest = manifest_fd;
-
-    ret = load_manifest(enclave->manifest, &enclave->manifest_root);
+    ret = parse_loader_config(loader_config, enclave);
     if (ret < 0) {
-        SGX_DBG(DBG_E, "Invalid manifest: %s\n", manifest_path);
+        SGX_DBG(DBG_E, "Parsing manifest failed\n");
         return -EINVAL;
     }
 
@@ -882,14 +894,6 @@ static int load_enclave(struct pal_enclave* enclave, int manifest_fd, char* mani
         return -EINVAL;
     }
 
-    char* dummy_sigfile_str = NULL;
-    ret = toml_string_in(enclave->manifest_root, "sgx.sigfile", &dummy_sigfile_str);
-    if (ret < 0 || dummy_sigfile_str) {
-        SGX_DBG(DBG_E, "sgx.sigfile is not supported anymore. Please update your manifest "
-                       "according to the current documentation.\n");
-        return -EINVAL;
-    }
-
     char* sig_path = alloc_concat(exec_path, exec_path_len, ".sig", -1);
     if (!sig_path) {
         return -ENOMEM;
@@ -918,20 +922,13 @@ static int load_enclave(struct pal_enclave* enclave, int manifest_fd, char* mani
     SGX_DBG(DBG_I, "Token file: %s\n", token_path);
     free(token_path);
 
-    ret = initialize_enclave(enclave);
+    ret = initialize_enclave(enclave, loader_config);
     if (ret < 0)
         return ret;
 
     if (!pal_sec->instance_id)
         create_instance(&enclave->pal_sec);
 
-    size_t manifest_path_size = strlen(manifest_path) + 1;
-    if (URI_PREFIX_FILE_LEN + manifest_path_size > ARRAY_SIZE(pal_sec->manifest_name)) {
-        return -E2BIG;
-    }
-    memcpy(pal_sec->manifest_name, URI_PREFIX_FILE, URI_PREFIX_FILE_LEN);
-    memcpy(pal_sec->manifest_name + URI_PREFIX_FILE_LEN, manifest_path, manifest_path_size);
-
     if (sizeof(pal_sec->exec_name) < URI_PREFIX_FILE_LEN + exec_path_len + 1) {
         return -E2BIG;
     }
@@ -942,48 +939,9 @@ static int load_enclave(struct pal_enclave* enclave, int manifest_fd, char* mani
     if (ret < 0)
         return ret;
 
-
-    int64_t sgx_remote_attestation_int;
-    ret = toml_int_in(enclave->manifest_root, "sgx.remote_attestation", /*defaultval=*/0,
-                      &sgx_remote_attestation_int);
-    if (ret < 0 || (sgx_remote_attestation_int != 0 && sgx_remote_attestation_int != 1)) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.remote_attestation\' (the value must be 0 or 1)\n");
-        return -EINVAL;
-    }
-
-    char* sgx_ra_client_spid_str = NULL;
-    ret = toml_string_in(enclave->manifest_root, "sgx.ra_client_spid", &sgx_ra_client_spid_str);
-    if (ret < 0) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.ra_client_spid\' "
-                       "(the value must be put in double quotes!)\n");
-        return -EINVAL;
-    }
-
-    int64_t sgx_ra_client_linkable_int;
-    ret = toml_int_in(enclave->manifest_root, "sgx.ra_client_linkable", /*defaultval=*/-1,
-                      &sgx_ra_client_linkable_int);
-    if (ret < 0) {
-        SGX_DBG(DBG_E, "Cannot parse \'sgx.ra_client_linkable\'\n");
-        return -EINVAL;
-    }
-
-    if (sgx_remote_attestation_int != 1 &&
-            (sgx_ra_client_spid_str || sgx_ra_client_linkable_int >= 0)) {
-        SGX_DBG(DBG_E,
-                "Detected EPID remote attestation parameters \'ra_client_spid\' and/or "
-                "\'ra_client_linkable\' in the manifest but no \'remote_attestation\' parameter. "
-                "Please add \'sgx.remote_attestation = 1\' to the manifest.\n");
-        return -EINVAL;
-    }
-
-    /* EPID is used if SPID is a non-empty string in manifest, otherwise DCAP/ECDSA */
-    bool is_epid = false;
-    if (sgx_ra_client_spid_str && strlen(sgx_ra_client_spid_str))
-        is_epid = true;
-    free(sgx_ra_client_spid_str);
-
-    if (sgx_remote_attestation_int == 1) {
+    if (enclave->remote_attestation_enabled) {
         /* initialize communication with Quoting Enclave only if app requests attestation */
+        bool is_epid = enclave->use_epid_attestation;
         SGX_DBG(DBG_I, "Using SGX %s attestation\n", is_epid ? "EPID" : "DCAP/ECDSA");
         ret = init_quoting_enclave_targetinfo(is_epid, &pal_sec->qe_targetinfo);
         if (ret < 0)
@@ -1023,10 +981,9 @@ static void force_linux_to_grow_stack(void) {
 int main(int argc, char* argv[], char* envp[]) {
     char* manifest_path = NULL;
     char* exec_path = NULL;
-    int exec_fd = -1;
-    int manifest_fd = -1;
     int ret = 0;
     bool need_gsgx = true;
+    char* loader_config = NULL;
 
     force_linux_to_grow_stack();
 
@@ -1057,67 +1014,30 @@ int main(int argc, char* argv[], char* envp[]) {
     }
 
     if (first_process) {
-        /* The initial Graphene process is special - it was started by the user, so `exec_path` may
-         * either contain a path to the executable or to a manifest. */
+        g_pal_enclave.is_first_process = true;
 
-        exec_path = strdup(argv[3]);
-        if (!exec_path) {
-            ret = -ENOMEM;
-            goto out;
-        }
-
-        if (strendswith(exec_path, ".manifest.sgx")) {
-            manifest_path = strdup(exec_path);
-        } else if (strendswith(exec_path, ".manifest")) {
-            manifest_path = alloc_concat(exec_path, -1, ".sgx", -1);
-        } else {
-            manifest_path = alloc_concat(exec_path, -1, ".manifest.sgx", -1);
-        }
+        exec_path = argv[3];
+        manifest_path = alloc_concat(exec_path, -1, ".manifest.sgx", -1);
         if (!manifest_path) {
             ret = -ENOMEM;
             goto out;
         }
 
-        exec_fd = INLINE_SYSCALL(open, 3, exec_path, O_RDONLY | O_CLOEXEC, 0);
-        if (IS_ERR(exec_fd)) {
-            SGX_DBG(DBG_E, "Input file not found: %s\n", exec_path);
-            goto usage;
-        }
-
-        char file_first_four_bytes[4];
-        ret = INLINE_SYSCALL(read, 3, exec_fd, file_first_four_bytes, sizeof(file_first_four_bytes));
-        if (IS_ERR(ret)) {
+        SGX_DBG(DBG_I, "Manifest file: %s\n", manifest_path);
+        ret = read_text_file_to_cstr(manifest_path, &loader_config);
+        if (ret < 0) {
+            SGX_DBG(DBG_E, "Reading manifest failed\n");
             goto out;
         }
-        if (ret != sizeof(file_first_four_bytes)) {
-            ret = -EINVAL;
-            goto out;
-        }
-
-        if (memcmp(file_first_four_bytes, "\177ELF", sizeof(file_first_four_bytes))) {
-            /* exec_path doesn't refer to ELF executable, so it must refer to the
-             * manifest. Verify this and update exec_path with the manifest suffix
-             * removed.
-             */
-
-            if (strendswith(exec_path, ".manifest")) {
-                exec_path[strlen(exec_path) - static_strlen(".manifest")] = '\0';
-            } else if (strendswith(exec_path, ".manifest.sgx")) {
-                INLINE_SYSCALL(lseek, 3, exec_fd, 0, SEEK_SET);
-                manifest_fd = exec_fd;
-                exec_fd = -1;
-
-                exec_path[strlen(exec_path) - static_strlen(".manifest.sgx")] = '\0';
-            } else {
-                SGX_DBG(DBG_E, "Invalid manifest file specified: %s\n", exec_path);
-                goto usage;
-            }
-        }
+        free(manifest_path);
+        manifest_path = NULL;
     } else {
-        /* We're one of the children spawned to host new processes started inside Graphene.
-         * We'll receive our argv and config via IPC. */
+        /* We're one of the children spawned to host new processes started inside Graphene. */
+        g_pal_enclave.is_first_process = false;
+
+        /* We'll receive our argv and config via IPC. */
         int parent_pipe_fd = atoi(argv[3]);
-        ret = sgx_init_child_process(parent_pipe_fd, &g_pal_enclave.pal_sec);
+        ret = sgx_init_child_process(parent_pipe_fd, &g_pal_enclave.pal_sec, &loader_config);
         if (ret < 0)
             goto out;
         exec_path = strdup(g_pal_enclave.pal_sec.exec_name + URI_PREFIX_FILE_LEN);
@@ -1125,22 +1045,8 @@ int main(int argc, char* argv[], char* envp[]) {
             ret = -ENOMEM;
             goto out;
         }
-        manifest_path = alloc_concat(exec_path, -1, ".manifest.sgx", -1);
-        if (!manifest_path) {
-            ret = -ENOMEM;
-            goto out;
-        }
     }
 
-    if (manifest_fd == -1) {
-        manifest_fd = INLINE_SYSCALL(open, 3, manifest_path, O_RDONLY | O_CLOEXEC, 0);
-        if (IS_ERR(manifest_fd)) {
-            SGX_DBG(DBG_E, "Cannot open manifest file: %s\n", manifest_path);
-            goto usage;
-        }
-    }
-
-    SGX_DBG(DBG_I, "Manifest file: %s\n", manifest_path);
     SGX_DBG(DBG_I, "Executable file: %s\n", exec_path);
 
     /*
@@ -1165,32 +1071,27 @@ int main(int argc, char* argv[], char* envp[]) {
     char* env = envp[0];
     size_t env_size = envc > 0 ? (envp[envc - 1] - envp[0]) + strlen(envp[envc - 1]) + 1 : 0;
 
-    ret = load_enclave(&g_pal_enclave, manifest_fd, manifest_path, exec_path, args, args_size, env,
-                       env_size, need_gsgx);
+    ret = load_enclave(&g_pal_enclave, loader_config, exec_path, args, args_size, env, env_size,
+                       need_gsgx);
     if (ret < 0) {
         SGX_DBG(DBG_E, "load_enclave() failed with error %d\n", ret);
     }
 
 out:
+    free(manifest_path);
     if (g_pal_enclave.exec >= 0)
         INLINE_SYSCALL(close, 1, g_pal_enclave.exec);
     if (g_pal_enclave.sigfile >= 0)
         INLINE_SYSCALL(close, 1, g_pal_enclave.sigfile);
     if (g_pal_enclave.token >= 0)
         INLINE_SYSCALL(close, 1, g_pal_enclave.token);
-    if (!IS_ERR(exec_fd))
-        INLINE_SYSCALL(close, 1, exec_fd);
-    if (!IS_ERR(manifest_fd))
-        INLINE_SYSCALL(close, 1, manifest_fd);
-    free(exec_path);
-    free(manifest_path);
 
     return ret;
 
 usage:;
     const char* self = argv[0] ?: "<this program>";
     printf("USAGE:\n"
-           "\tFirst process: %s <path to libpal.so> init [<executable>|<manifest>] args...\n"
+           "\tFirst process: %s <path to libpal.so> init <executable> args...\n"
            "\tChildren:      %s <path to libpal.so> child <parent_pipe_fd> args...\n",
            self, self);
     printf("This is an internal interface. Use pal_loader to launch applications in Graphene.\n");
diff --git a/Pal/src/host/Linux-SGX/sgx_process.c b/Pal/src/host/Linux-SGX/sgx_process.c
index 8017e3aa..44b37313 100644
--- a/Pal/src/host/Linux-SGX/sgx_process.c
+++ b/Pal/src/host/Linux-SGX/sgx_process.c
@@ -28,6 +28,7 @@ struct proc_args {
     unsigned int parent_process_id;
     int          stream_fd;
     PAL_SEC_STR  pipe_prefix;
+    size_t       manifest_size; // manifest will follow this struct on the pipe.
 };
 
 /*
@@ -58,7 +59,8 @@ static int __attribute_noinline vfork_exec(int parent_stream, const char** argv)
     return 0;
 }
 
-int sgx_create_process(const char* uri, size_t nargs, const char** args, int* stream_fd) {
+int sgx_create_process(const char* uri, size_t nargs, const char** args, int* stream_fd,
+                       const char* manifest) {
     int ret, rete, child;
     int fds[2] = {-1, -1};
 
@@ -105,17 +107,24 @@ int sgx_create_process(const char* uri, size_t nargs, const char** args, int* st
     proc_args.instance_id       = pal_sec->instance_id;
     proc_args.parent_process_id = pal_sec->pid;
     proc_args.stream_fd         = fds[0];
+    proc_args.manifest_size     = strlen(manifest);
     memcpy(proc_args.pipe_prefix, pal_sec->pipe_prefix, sizeof(PAL_SEC_STR));
 
     ret = INLINE_SYSCALL(write, 3, fds[1], &proc_args, sizeof(struct proc_args));
-    if (IS_ERR(ret) || (size_t)ret < sizeof(struct proc_args)) {
-        ret = -EPERM;
+    if (IS_ERR(ret) || (size_t)ret != sizeof(struct proc_args)) {
+        ret = IS_ERR(ret) ? ret : -EINTR;
         goto out;
     }
 
-    ret = INLINE_SYSCALL(read, 3, fds[1], &rete, sizeof(int));
-    if (IS_ERR(ret) || (size_t)ret < sizeof(int)) {
-        ret = -EPERM;
+    ret = INLINE_SYSCALL(write, 3, fds[1], manifest, proc_args.manifest_size);
+    if (IS_ERR(ret) || (size_t)ret != proc_args.manifest_size) {
+        ret = IS_ERR(ret) ? ret : -EINTR;
+        goto out;
+    }
+
+    ret = INLINE_SYSCALL(read, 3, fds[1], &rete, sizeof(rete));
+    if (IS_ERR(ret) || (size_t)ret != sizeof(rete)) {
+        ret = IS_ERR(ret) ? ret : -EINTR;
         goto out;
     }
 
@@ -141,20 +150,37 @@ out:
     return ret;
 }
 
-int sgx_init_child_process(int parent_pipe_fd, struct pal_sec* pal_sec) {
+int sgx_init_child_process(int parent_pipe_fd, struct pal_sec* pal_sec, char** manifest_out) {
+    int ret;
     struct proc_args proc_args;
+    long bytes_read, bytes_written;
+    char* manifest = NULL;
 
-    int ret = INLINE_SYSCALL(read, 3, parent_pipe_fd, &proc_args, sizeof(struct proc_args));
-    if (IS_ERR(ret)) {
-        if (ERRNO(ret) == EBADF)
-            return 0;
-        return ret;
+    bytes_read = INLINE_SYSCALL(read, 3, parent_pipe_fd, &proc_args, sizeof(struct proc_args));
+    if (IS_ERR(bytes_read) || bytes_read != sizeof(struct proc_args)) {
+        ret = IS_ERR(bytes_read) ? bytes_read : -EINTR;
+        goto out;
     }
 
+    manifest = malloc(proc_args.manifest_size + 1);
+    if (!manifest) {
+        ret = -ENOMEM;
+        goto out;
+    }
+
+    bytes_read = INLINE_SYSCALL(read, 3, parent_pipe_fd, manifest, proc_args.manifest_size);
+    if (IS_ERR(bytes_read)) {
+        ret = IS_ERR(bytes_read) ? bytes_read : -EINTR;
+        goto out;
+    }
+    manifest[proc_args.manifest_size] = '\0';
+
     int child_status = 0;
-    ret = INLINE_SYSCALL(write, 3, parent_pipe_fd, &child_status, sizeof(int));
-    if (IS_ERR(ret))
-        return ret;
+    bytes_written = INLINE_SYSCALL(write, 3, parent_pipe_fd, &child_status, sizeof(int));
+    if (IS_ERR(bytes_written)) {
+        ret = IS_ERR(bytes_written) ? bytes_written : -EINTR;
+        goto out;
+    }
 
     memcpy(pal_sec->exec_name, proc_args.exec_name, sizeof(PAL_SEC_STR));
     pal_sec->instance_id = proc_args.instance_id;
@@ -162,5 +188,10 @@ int sgx_init_child_process(int parent_pipe_fd, struct pal_sec* pal_sec) {
     pal_sec->stream_fd   = proc_args.stream_fd;
     memcpy(pal_sec->pipe_prefix, proc_args.pipe_prefix, sizeof(PAL_SEC_STR));
 
-    return 1;
+    *manifest_out = manifest;
+    ret = 0;
+out:
+    if (ret < 0)
+        free(manifest);
+    return ret;
 }
diff --git a/Pal/src/host/Linux-common/file_utils.c b/Pal/src/host/Linux-common/file_utils.c
new file mode 100644
index 00000000..1b1ad711
--- /dev/null
+++ b/Pal/src/host/Linux-common/file_utils.c
@@ -0,0 +1,69 @@
+/* SPDX-License-Identifier: LGPL-3.0-or-later */
+/* Copyright (C) 2020 Intel Corporation
+ *                    Michał Kowalczyk <mkow@invisiblethingslab.com>
+ */
+
+#include <asm/errno.h>
+#include <asm/fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "api.h"
+#include "linux_utils.h"
+#include "sysdep-arch.h"
+
+int read_text_file_to_cstr(const char* path, char** out) {
+    long ret;
+    char* buf = NULL;
+    long fd = INLINE_SYSCALL(open, 3, path, O_RDONLY, 0);
+    if (fd < 0) {
+        ret = fd;
+        goto out;
+    }
+
+    ret = INLINE_SYSCALL(lseek, 3, fd, 0, SEEK_END);
+    if (ret < 0) {
+        goto out;
+    }
+    size_t size = ret;
+
+    ret = INLINE_SYSCALL(lseek, 3, fd, 0, SEEK_SET);
+    if (ret < 0) {
+        goto out;
+    }
+
+    if (size + 1 < size) {
+        ret = -E2BIG; // int overflow
+        goto out;
+    }
+    buf = malloc(size + 1);
+    if (!buf) {
+        ret = -ENOMEM;
+        goto out;
+    }
+
+    size_t bytes_read = 0;
+    while (bytes_read < size) {
+        ret = INLINE_SYSCALL(read, 3, fd, buf + bytes_read, size - bytes_read);
+        if (ret <= 0) {
+            if (ret == -EINTR)
+                continue;
+            if (ret == 0)
+                ret = -EINVAL; // unexpected EOF
+            goto out;
+        }
+        bytes_read += ret;
+    }
+    buf[size] = '\0';
+    *out = buf;
+    buf = NULL;
+    ret = 0;
+out:
+    if (fd >= 0) {
+        long close_ret = INLINE_SYSCALL(close, 1, fd);
+        if (ret == 0)
+            ret = close_ret;
+    }
+    free(buf);
+    return (int)ret;
+}
diff --git a/Pal/src/host/Linux/Makefile b/Pal/src/host/Linux/Makefile
index a797490c..e48e0ea0 100644
--- a/Pal/src/host/Linux/Makefile
+++ b/Pal/src/host/Linux/Makefile
@@ -28,6 +28,7 @@ ASFLAGS += $(defs)
 
 commons_objs = \
 	bogomips.o \
+	file_utils.o \
 	main_exec_path.o
 
 objs = \
diff --git a/Pal/src/host/Linux/db_main.c b/Pal/src/host/Linux/db_main.c
index a6f0c4f1..637f5496 100644
--- a/Pal/src/host/Linux/db_main.c
+++ b/Pal/src/host/Linux/db_main.c
@@ -147,7 +147,7 @@ static struct link_map g_pal_map;
 noreturn static void print_usage_and_exit(const char* argv_0) {
     const char* self = argv_0 ?: "<this program>";
     printf("USAGE:\n"
-           "\tFirst process: %s <path to libpal.so> init [<executable>|<manifest>] args...\n"
+           "\tFirst process: %s <path to libpal.so> init <executable> args...\n"
            "\tChildren:      %s <path to libpal.so> child <parent_pipe_fd> args...\n",
            self, self);
     printf("This is an internal interface. Use pal_loader to launch applications in Graphene.\n");
@@ -156,11 +156,14 @@ noreturn static void print_usage_and_exit(const char* argv_0) {
 
 noreturn void pal_linux_main(void* initial_rsp, void* fini_callback) {
     __UNUSED(fini_callback);  // TODO: We should call `fini_callback` at the end.
-
+    int ret;
     uint64_t start_time = _DkSystemTimeQueryEarly();
     g_pal_state.start_time = start_time;
 
-    int ret;
+    /* Initialize alloc_align as early as possible, a lot of PAL APIs depend on this being set. */
+    g_pal_state.alloc_align = _DkGetAllocationAlignment();
+    assert(IS_POWER_OF_2(g_pal_state.alloc_align));
+
     int argc;
     const char** argv;
     const char** envp;
@@ -222,13 +225,6 @@ noreturn void pal_linux_main(void* initial_rsp, void* fini_callback) {
         setup_vdso_map(g_sysinfo_ehdr);
 #endif
 
-    PAL_HANDLE parent = NULL, exec = NULL, manifest = NULL;
-    if (!first_process) {
-        // Children receive their argv and config via IPC.
-        int parent_pipe_fd = atoi(argv[3]);
-        init_child_process(parent_pipe_fd, &parent, &exec, &manifest);
-    }
-
     if (!g_pal_sec.process_id)
         g_pal_sec.process_id = INLINE_SYSCALL(getpid, 0);
     g_linux_state.pid = g_pal_sec.process_id;
@@ -240,27 +236,49 @@ noreturn void pal_linux_main(void* initial_rsp, void* fini_callback) {
     if (!g_linux_state.parent_process_id)
         g_linux_state.parent_process_id = g_linux_state.process_id;
 
+    PAL_HANDLE parent = NULL;
+    PAL_HANDLE exec_handle = NULL;
+    char* manifest = NULL;
     if (first_process) {
         char* exec_uri = alloc_concat(URI_PREFIX_FILE, URI_PREFIX_FILE_LEN, argv[3], -1);
-        if (!exec_uri)
+        char* manifest_path = alloc_concat(argv[3], -1, ".manifest", -1);
+        if (!exec_uri || !manifest_path)
             INIT_FAIL(PAL_ERROR_NOMEM, "Out of memory");
-        PAL_HANDLE file;
-        int ret = _DkStreamOpen(&file, exec_uri, PAL_ACCESS_RDONLY, 0, 0, PAL_OPTION_CLOEXEC);
+        ret = _DkStreamOpen(&exec_handle, exec_uri, PAL_ACCESS_RDONLY, 0, 0, PAL_OPTION_CLOEXEC);
         free(exec_uri);
-        if (ret < 0)
+        if (ret < 0) {
             INIT_FAIL(-ret, "Failed to open file to execute");
-
-        if (is_elf_object(file)) {
-            exec = file;
-        } else {
-            manifest = file;
         }
+
+        if (!is_elf_object(exec_handle)) {
+            INIT_FAIL(EINVAL, "First argument passed to Graphene must be an executable");
+        }
+
+        ret = read_text_file_to_cstr(manifest_path, &manifest);
+        if (ret == -ENOENT) {
+            ret = read_text_file_to_cstr("manifest", &manifest);
+        }
+        if (ret < 0) {
+            INIT_FAIL(-ret, "Reading manifest failed");
+        }
+    } else {
+        // Children receive their argv and config via IPC.
+        int parent_pipe_fd = atoi(argv[3]);
+        init_child_process(parent_pipe_fd, &parent, &exec_handle, &manifest);
     }
+    assert(manifest);
 
     signal_setup();
 
+    g_pal_state.raw_manifest_data = manifest;
+
+    char errbuf[256];
+    g_pal_state.manifest_root = toml_parse(manifest, errbuf, sizeof(errbuf));
+    if (!g_pal_state.manifest_root)
+        INIT_FAIL_MANIFEST(PAL_ERROR_DENIED, errbuf);
+
     /* call to main function */
-    pal_main((PAL_NUM)g_linux_state.parent_process_id, manifest, exec, NULL, parent, first_thread,
+    pal_main((PAL_NUM)g_linux_state.parent_process_id, exec_handle, NULL, parent, first_thread,
              first_process ? argv + 3 : argv + 4, envp);
 }
 
diff --git a/Pal/src/host/Linux/db_process.c b/Pal/src/host/Linux/db_process.c
index fa9979b0..38325683 100644
--- a/Pal/src/host/Linux/db_process.c
+++ b/Pal/src/host/Linux/db_process.c
@@ -92,7 +92,6 @@ out:
 struct proc_param {
     PAL_HANDLE parent;
     PAL_HANDLE exec;
-    PAL_HANDLE manifest;
     const char** argv;
 };
 
@@ -128,8 +127,6 @@ static int __attribute_noinline child_process(struct proc_param* proc_param) {
         handle_set_cloexec(proc_param->parent, false);
     if (proc_param->exec)
         handle_set_cloexec(proc_param->exec, false);
-    if (proc_param->manifest)
-        handle_set_cloexec(proc_param->manifest, false);
 
     int res = INLINE_SYSCALL(execve, 3, g_pal_loader_path, proc_param->argv,
                              g_linux_state.host_environ);
@@ -144,6 +141,9 @@ int _DkProcessCreate(PAL_HANDLE* handle, const char* uri, const char** args) {
     PAL_HANDLE exec = NULL;
     PAL_HANDLE parent_handle = NULL;
     PAL_HANDLE child_handle = NULL;
+    struct proc_args* proc_args = NULL;
+    void* parent_data = NULL;
+    void* exec_data = NULL;
     int ret;
 
     assert(uri);
@@ -182,63 +182,52 @@ int _DkProcessCreate(PAL_HANDLE* handle, const char* uri, const char** args) {
 
     param.parent   = parent_handle;
     param.exec     = exec;
-    param.manifest = g_pal_state.manifest_handle;
 
     /* step 3: compose process parameters */
 
-    size_t parent_datasz = 0, exec_datasz = 0, manifest_datasz = 0;
-    void* parent_data = NULL;
-    void* exec_data = NULL;
-    void* manifest_data = NULL;
+    size_t parent_data_size = 0;
+    size_t exec_data_size = 0;
+    size_t manifest_data_size = 0;
 
     ret = handle_serialize(parent_handle, &parent_data);
     if (ret < 0)
         goto out;
-    parent_datasz = (size_t)ret;
+    parent_data_size = (size_t)ret;
 
     ret = handle_serialize(exec, &exec_data);
     if (ret < 0) {
-        free(parent_data);
         goto out;
     }
-    exec_datasz = (size_t)ret;
+    exec_data_size = (size_t)ret;
 
-    if (g_pal_state.manifest_handle) {
-        ret = handle_serialize(g_pal_state.manifest_handle, &manifest_data);
-        if (ret < 0) {
-            free(parent_data);
-            free(exec_data);
-            goto out;
-        }
-        manifest_datasz = (size_t)ret;
+    manifest_data_size = strlen(g_pal_state.raw_manifest_data);
+
+    size_t data_size = parent_data_size + exec_data_size + manifest_data_size;
+    proc_args = malloc(sizeof(struct proc_args) + data_size);
+    if (!proc_args) {
+        ret = -ENOMEM;
+        goto out;
     }
 
-    size_t datasz = parent_datasz + exec_datasz + manifest_datasz;
-    struct proc_args* proc_args = __alloca(sizeof(struct proc_args) + datasz);
-
     proc_args->parent_process_id = g_linux_state.parent_process_id;
     memcpy(&proc_args->pal_sec, &g_pal_sec, sizeof(struct pal_sec));
     proc_args->pal_sec._dl_debug_state = NULL;
     proc_args->pal_sec._r_debug        = NULL;
     proc_args->memory_quota            = g_linux_state.memory_quota;
 
-    void* data = (void*)(proc_args + 1);
+    char* data = (char*)(proc_args + 1);
 
-    memcpy(data, parent_data, parent_datasz);
-    data += (proc_args->parent_data_size = parent_datasz);
-    free(parent_data);
+    memcpy(data, parent_data, parent_data_size);
+    proc_args->parent_data_size = parent_data_size;
+    data += parent_data_size;
 
-    memcpy(data, exec_data, exec_datasz);
-    data += (proc_args->exec_data_size = exec_datasz);
-    free(exec_data);
+    memcpy(data, exec_data, exec_data_size);
+    proc_args->exec_data_size = exec_data_size;
+    data += exec_data_size;
 
-    if (manifest_data) {
-        memcpy(data, manifest_data, manifest_datasz);
-        data += (proc_args->manifest_data_size = manifest_datasz);
-        free(manifest_data);
-    } else {
-        proc_args->manifest_data_size = 0;
-    }
+    memcpy(data, g_pal_state.raw_manifest_data, manifest_data_size);
+    proc_args->manifest_data_size = manifest_data_size;
+    data += manifest_data_size;
 
     /* step 4: create a child thread which will execve in the future */
 
@@ -282,9 +271,9 @@ int _DkProcessCreate(PAL_HANDLE* handle, const char* uri, const char** args) {
     /* step 4: send parameters over the process handle */
 
     ret = INLINE_SYSCALL(write, 3, child_handle->process.stream, proc_args,
-                         sizeof(struct proc_args) + datasz);
+                         sizeof(struct proc_args) + data_size);
 
-    if (IS_ERR(ret) || (size_t)ret < sizeof(struct proc_args) + datasz) {
+    if (IS_ERR(ret) || (size_t)ret < sizeof(struct proc_args) + data_size) {
         ret = -PAL_ERROR_DENIED;
         goto out;
     }
@@ -292,6 +281,9 @@ int _DkProcessCreate(PAL_HANDLE* handle, const char* uri, const char** args) {
     *handle = child_handle;
     ret = 0;
 out:
+    free(parent_data);
+    free(exec_data);
+    free(proc_args);
     if (parent_handle)
         _DkObjectClose(parent_handle);
     if (exec)
@@ -304,68 +296,65 @@ out:
 }
 
 void init_child_process(int parent_pipe_fd, PAL_HANDLE* parent_handle, PAL_HANDLE* exec_handle,
-                        PAL_HANDLE* manifest_handle) {
+                        char** manifest_out) {
     int ret = 0;
 
-    /* try to do a very large reading, so it doesn't have to be read for the
-       second time */
-    struct proc_args* proc_args = __alloca(sizeof(struct proc_args));
-    struct proc_args* new_proc_args;
+    struct proc_args proc_args;
 
-    int bytes = INLINE_SYSCALL(read, 3, parent_pipe_fd, proc_args, sizeof(*proc_args));
-    if (IS_ERR(bytes)) {
-        INIT_FAIL(-unix_to_pal_error(ERRNO(bytes)), "communication with parent failed");
+    long bytes = INLINE_SYSCALL(read, 3, parent_pipe_fd, &proc_args, sizeof(proc_args));
+    if (IS_ERR(bytes) || bytes != sizeof(proc_args)) {
+        int err = IS_ERR(bytes) ? -unix_to_pal_error(ERRNO(bytes)) : PAL_ERROR_INTERRUPTED;
+        INIT_FAIL(err, "communication with parent failed");
     }
 
     /* a child must have parent handle and an executable */
-    if (!proc_args->parent_data_size)
+    if (!proc_args.parent_data_size)
         INIT_FAIL(PAL_ERROR_INVAL, "invalid process created");
 
-    size_t datasz = proc_args->parent_data_size + proc_args->exec_data_size
-                    + proc_args->manifest_data_size;
-    new_proc_args = __alloca(sizeof(*proc_args) + datasz);
-    memcpy(new_proc_args, proc_args, sizeof(*proc_args));
-    proc_args = new_proc_args;
-    void* data = (void*)(proc_args + 1);
+    size_t data_size = proc_args.parent_data_size + proc_args.exec_data_size
+                       + proc_args.manifest_data_size;
+    char* data = malloc(data_size);
+    if (!data)
+        INIT_FAIL(PAL_ERROR_NOMEM, "Out of memory");
 
-    bytes = INLINE_SYSCALL(read, 3, parent_pipe_fd, data, datasz);
-    if (IS_ERR(bytes))
+    bytes = INLINE_SYSCALL(read, 3, parent_pipe_fd, data, data_size);
+    if (IS_ERR(bytes) || (size_t)bytes != data_size)
         INIT_FAIL(PAL_ERROR_DENIED, "communication fail with parent");
 
     /* now deserialize the parent_handle */
     PAL_HANDLE parent = NULL;
-    ret = handle_deserialize(&parent, data, proc_args->parent_data_size);
+    char* data_iter = data;
+    ret = handle_deserialize(&parent, data_iter, proc_args.parent_data_size);
     if (ret < 0)
         INIT_FAIL(-ret, "cannot deserialize parent process handle");
-    data += proc_args->parent_data_size;
+    data_iter += proc_args.parent_data_size;
     *parent_handle = parent;
 
     /* deserialize the executable handle */
-    if (proc_args->exec_data_size) {
+    if (proc_args.exec_data_size) {
         PAL_HANDLE exec = NULL;
 
-        ret = handle_deserialize(&exec, data, proc_args->exec_data_size);
+        ret = handle_deserialize(&exec, data_iter, proc_args.exec_data_size);
         if (ret < 0)
             INIT_FAIL(-ret, "cannot deserialize executable handle");
 
-        data += proc_args->exec_data_size;
+        data_iter += proc_args.exec_data_size;
         *exec_handle = exec;
     }
 
-    /* deserialize the manifest handle, if there is one */
-    if (proc_args->manifest_data_size) {
-        PAL_HANDLE manifest = NULL;
+    char* manifest = malloc(proc_args.manifest_data_size + 1);
+    if (!manifest)
+        INIT_FAIL(PAL_ERROR_NOMEM, "Out of memory");
+    memcpy(manifest, data_iter, proc_args.manifest_data_size);
+    manifest[proc_args.manifest_data_size] = '\0';
+    data_iter += proc_args.manifest_data_size;
 
-        ret = handle_deserialize(&manifest, data, proc_args->manifest_data_size);
-        if (ret < 0)
-            INIT_FAIL(-ret, "cannot deserialize manifest handle");
+    g_linux_state.parent_process_id = proc_args.parent_process_id;
+    g_linux_state.memory_quota = proc_args.memory_quota;
+    memcpy(&g_pal_sec, &proc_args.pal_sec, sizeof(struct pal_sec));
 
-        data += proc_args->manifest_data_size;
-        *manifest_handle = manifest;
-    }
-    g_linux_state.parent_process_id = proc_args->parent_process_id;
-    g_linux_state.memory_quota = proc_args->memory_quota;
-    memcpy(&g_pal_sec, &proc_args->pal_sec, sizeof(struct pal_sec));
+    *manifest_out = manifest;
+    free(data);
 }
 
 noreturn void _DkProcessExit(int exitcode) {
diff --git a/Pal/src/host/Linux/pal_linux.h b/Pal/src/host/Linux/pal_linux.h
index e72b13a4..daed42ed 100644
--- a/Pal/src/host/Linux/pal_linux.h
+++ b/Pal/src/host/Linux/pal_linux.h
@@ -125,7 +125,7 @@ int handle_deserialize(PAL_HANDLE* handle, const void* data, int size);
 bool stataccess(struct stat* stats, int acc);
 
 void init_child_process(int parent_pipe_fd, PAL_HANDLE* parent, PAL_HANDLE* exec,
-                        PAL_HANDLE* manifest);
+                        char** manifest_out);
 
 int get_hw_resource(const char* filename, bool count);
 ssize_t read_file_buffer(const char* filename, char* buf, size_t buf_size);
diff --git a/Pal/src/pal_internal.h b/Pal/src/pal_internal.h
index ef4bf925..4830d8dd 100644
--- a/Pal/src/pal_internal.h
+++ b/Pal/src/pal_internal.h
@@ -149,12 +149,9 @@ extern struct pal_internal_state {
 
     PAL_HANDLE      parent_process;
 
-    const char*     manifest;
-    PAL_HANDLE      manifest_handle;
-
+    const char*     raw_manifest_data;
     toml_table_t*   manifest_root;
 
-    const char*     exec;
     PAL_HANDLE      exec_handle;
 
     /* May not be the same as page size, see e.g. SYSTEM_INFO::dwAllocationGranularity on Windows.
@@ -183,7 +180,6 @@ extern PAL_CONTROL g_pal_control;
  * This function must be called by the host-specific loader.
  *
  * \param instance_id       current instance id
- * \param manifest_handle   manifest handle if opened
  * \param exec_handle       executable handle if opened
  * \param exec_loaded_addr  executable addr if loaded
  * \param parent_process    parent process if it's a child
@@ -191,12 +187,15 @@ extern PAL_CONTROL g_pal_control;
  * \param arguments         application arguments
  * \param environments      environment variables
  */
-noreturn void pal_main(PAL_NUM instance_id, PAL_HANDLE manifest_handle, PAL_HANDLE exec_handle,
-                       PAL_PTR exec_loaded_addr, PAL_HANDLE parent_process, PAL_HANDLE first_thread,
-                       PAL_STR* arguments, PAL_STR* environments);
+noreturn void pal_main(PAL_NUM instance_id, PAL_HANDLE exec_handle, PAL_PTR exec_loaded_addr,
+                       PAL_HANDLE parent_process, PAL_HANDLE first_thread, PAL_STR* arguments,
+                       PAL_STR* environments);
 
 /* For initialization */
+
+/* Called very early, its implementation should have no dependencies. */
 unsigned long _DkGetAllocationAlignment(void);
+
 void _DkGetAvailableUserAddressRange(PAL_PTR* start, PAL_PTR* end);
 bool _DkCheckMemoryMappable(const void* addr, size_t size);
 PAL_NUM _DkGetProcessId(void);
diff --git a/Pal/src/slab.c b/Pal/src/slab.c
index bc947492..9fd60e2e 100644
--- a/Pal/src/slab.c
+++ b/Pal/src/slab.c
@@ -105,8 +105,7 @@ static inline void __free(void* addr, size_t size) {
 static SLAB_MGR g_slab_mgr = NULL;
 
 void init_slab_mgr(int alignment) {
-    if (g_slab_mgr)
-        return;
+    assert(!g_slab_mgr);
 
     g_slab_alignment = alignment;
     g_slab_mgr       = create_slab_mgr();
diff --git a/README.rst b/README.rst
index 5cd4bdc1..23ead667 100644
--- a/README.rst
+++ b/README.rst
@@ -63,20 +63,11 @@ are available <https://graphene.readthedocs.io/en/latest/building.html>`__.
 How to run an application in Graphene?
 ======================================
 
-Graphene library OS uses the PAL (``libpal.so``) as a loader to bootstrap
-applications in the library OS. To start Graphene, PAL (``libpal.so``) will have
-to be run as an executable, with the name of the program, and a |nbsp| "manifest
-file" (per-app configuration) given from the command line. Graphene provides
-two options for specifying the programs and manifest files:
+Graphene library OS uses :program:`pal_loader` utility as a loader to bootstrap
+applications in the library OS::
 
-- option 1 (automatic manifest)::
-
-   [PATH TO Runtime]/pal_loader [PROGRAM] [ARGUMENTS]...
-   (Manifest file: "[PROGRAM].manifest" or "manifest")
-
-- option 2 (given manifest)::
-
-   [PATH TO Runtime]/pal_loader [MANIFEST] [ARGUMENTS]...
+   [PATH TO Runtime]/pal_loader [EXECUTABLE] [ARGUMENTS]...
+   (Manifest file: "[EXECUTABLE].manifest" or "manifest")
 
 Running an application requires some minimal configuration in the application's
 manifest file. A |nbsp| sensible manifest file will include paths to the library
diff --git a/Scripts/regression.py b/Scripts/regression.py
index 2941cd40..df6abc55 100644
--- a/Scripts/regression.py
+++ b/Scripts/regression.py
@@ -22,9 +22,6 @@ class RegressionTestCase(unittest.TestCase):
     HOST_PAL_PATH_ENV = 'HOST_PAL_PATH'
     DEFAULT_TIMEOUT = (20 if HAS_SGX else 10)
 
-    def get_manifest(self, filename):
-        return filename + '.manifest' + ('.sgx' if HAS_SGX else '')
-
     def get_env(self, name):
         try:
             return os.environ[name]
diff --git a/Tools/gsc/templates/apploader.template b/Tools/gsc/templates/apploader.template
index f5345c1b..0818b020 100644
--- a/Tools/gsc/templates/apploader.template
+++ b/Tools/gsc/templates/apploader.template
@@ -17,8 +17,8 @@ then
     done
 
     # Run the application in Graphene
-    /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init {{binary}}.manifest.sgx {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %}
+    /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init {{binary}} {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %}
 else
     # Run the application in Graphene
-    /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init {{binary}}.manifest {{binary_arguments}} "${@}"
+    /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init {{binary}} {{binary_arguments}} "${@}"
 fi
diff --git a/python/graphenelibos/sgx_sign.py b/python/graphenelibos/sgx_sign.py
index 24cb43e6..6ca8886c 100644
--- a/python/graphenelibos/sgx_sign.py
+++ b/python/graphenelibos/sgx_sign.py
@@ -212,18 +212,6 @@ def resolve_uri(uri, check_exist=True):
             'Cannot resolve ' + orig_uri + ' or the file does not exist.')
     return target
 
-# Resolve an URI relative to manifest file to its absolute path
-def resolve_manifest_uri(manifest_path, uri):
-    if len(uri) < 2 or not uri.startswith('"') or not uri.endswith('"'):
-        raise Exception('Cannot parse uri `' + uri + '` (must be put in double quotes).')
-    uri = uri[1:-1]
-
-    if not uri.startswith('file:'):
-        raise Exception('URI ' + uri + ' is not a local file')
-    path = uri[len('file:'):]
-    if os.path.isabs(path):
-        return path
-    return os.path.join(os.path.dirname(manifest_path), path)
 
 def get_checksum(filename):
     digest = hashlib.sha256()
@@ -485,8 +473,7 @@ def gen_area_content(attr, areas, enclave_base_addr, enclave_heap_min):
                       enclave_base_addr + sig_stacks[t].addr + sig_stacks[t].size)
         set_tls_field(t, offs.SGX_SSA, ssa)
         set_tls_field(t, offs.SGX_GPR, ssa + SSAFRAMESIZE - offs.SGX_GPR_SIZE)
-        set_tls_field(t, offs.SGX_MANIFEST_SIZE,
-                      os.stat(manifest_area.file).st_size)
+        set_tls_field(t, offs.SGX_MANIFEST_SIZE, len(manifest_area.content))
         set_tls_field(t, offs.SGX_HEAP_MIN, enclave_base_addr + enclave_heap_min)
         set_tls_field(t, offs.SGX_HEAP_MAX, enclave_base_addr + enclave_heap_max)
         if exec_area is not None:
@@ -623,7 +610,7 @@ def generate_measurement(attr, areas):
             include_page(digest, page, flags, start_zero + data + end_zero, True)
 
     for area in areas:
-        if area.file:
+        if area.file is not None:
             with open(area.file, 'rb') as file:
                 if area.is_binary:
                     loadcmds = get_loadcmds(area.file)
@@ -660,7 +647,7 @@ def generate_measurement(attr, areas):
                     start = addr - area.addr
                     end = start + offs.PAGESIZE
                     data = area.content[start:end]
-
+                    data += b'\0' * (offs.PAGESIZE - len(data)) # pad last page
                 include_page(mrenclave, addr, area.flags, data, area.measure)
 
             print_area(area.addr, area.size, area.flags, area.desc,
@@ -879,11 +866,14 @@ def main_sign(args):
 
     output_manifest(args['output'], manifest, manifest_layout)
 
+    with open(args['output'], 'rb') as file:
+        manifest_data = file.read()
+    manifest_data += b'\0' # in-memory manifest needs NULL-termination
+
     memory_areas = [
-        MemoryArea('manifest', file=args['output'],
+        MemoryArea('manifest', content=manifest_data, size=len(manifest_data),
                    flags=PAGEINFO_R | PAGEINFO_REG)
         ] + memory_areas
-
     memory_areas = populate_memory_areas(attr, memory_areas, enclave_base_addr, enclave_heap_min)
 
     print("Memory:")
@@ -893,8 +883,8 @@ def main_sign(args):
     print("    %s" % mrenclave.hex())
 
     # Generate sigstruct
-    open(args['sigfile'], 'wb').write(
-        generate_sigstruct(attr, args, mrenclave))
+    with open(args['sigfile'], 'wb') as file:
+        file.write(generate_sigstruct(attr, args, mrenclave))
     return 0