# Python3 manifest example # # This manifest was prepared and tested on Ubuntu 16.04. # Graphene environment, including the path of the library OS and the debug # option (inline/none). loader.preload = "file:$(GRAPHENEDIR)/Runtime/libsysdb.so" loader.debug_type = "$(GRAPHENEDEBUG)" # Read application arguments directly from the command line. Don't use this on production! loader.insecure__use_cmdline_argv = 1 # Environment variables for Python loader.env.LD_LIBRARY_PATH = "$(PYTHONHOME)/lib:/lib:$(ARCH_LIBDIR):/usr/lib:/usr/$(ARCH_LIBDIR)" loader.env.PATH = "$(PYTHONHOME)/bin:/usr/bin:/bin" loader.env.PYTHONHOME = "$(PYTHONHOME)" loader.env.PYTHONPATH = "$(PYTHONHOME):$(PYTHONHOME)/plat-$(SYS):$(PYTHONDISTHOME):$(PYTHONHOME)/lib-dynload" loader.env.HOME = "/home/user" # Mounted FSes. The following "chroot" FSes mount a part of the host FS into the # guest. Other parts of the host FS will not be available in the guest. # Default glibc files, mounted from the Runtime directory in GRAPHENEDIR. fs.mount.lib.type = "chroot" fs.mount.lib.path = "/lib" fs.mount.lib.uri = "file:$(GRAPHENEDIR)/Runtime" # Host-level libraries (e.g., /lib/x86_64-linux-gnu) required by the Python executable fs.mount.lib2.type = "chroot" fs.mount.lib2.path = "$(ARCH_LIBDIR)" fs.mount.lib2.uri = "file:$(ARCH_LIBDIR)" # Host-level directory (/usr) required by the Python executable fs.mount.usr.type = "chroot" fs.mount.usr.path = "/usr" fs.mount.usr.uri = "file:/usr" # Mount $PYTHONHOME fs.mount.pyhome.type = "chroot" fs.mount.pyhome.path = "$(PYTHONHOME)" fs.mount.pyhome.uri = "file:$(PYTHONHOME)" # Mount $PYTHONDISTHOME fs.mount.pydisthome.type = "chroot" fs.mount.pydisthome.path = "$(PYTHONDISTHOME)" fs.mount.pydisthome.uri = "file:$(PYTHONDISTHOME)" # Mount /tmp fs.mount.tmp.type = "chroot" fs.mount.tmp.path = "/tmp" fs.mount.tmp.uri = "file:/tmp" # Mount /etc fs.mount.etc.type = "chroot" fs.mount.etc.path = "/etc" fs.mount.etc.uri = "file:/etc" # Graphene general options # Graphene creates stacks of 256KB by default. It is not enough for SciPy/NumPy # packages, e.g., libopenblas dependency assumes more than 512KB-sized stacks. sys.stack.size = "2M" # SGX general options # Set the virtual memory size of the SGX enclave. For SGX v1, the enclave # size must be specified during signing. If Python needs more virtual memory # than the enclave size, Graphene will not be able to allocate it. sgx.enclave_size = "1G" # Set the maximum number of enclave threads. For SGX v1, the number of enclave # TCSes must be specified during signing, so the application cannot use more # threads than the number of TCSes. Note that Graphene also creates an internal # thread for handling inter-process communication (IPC), and potentially another # thread for asynchronous events. Therefore, the actual number of threads that # the application can create is (sgx.thread_num - 2). sgx.thread_num = 32 # SGX trusted libraries # Glibc libraries sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2" sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6" sgx.trusted_files.libm = "file:$(GRAPHENEDIR)/Runtime/libm.so.6" sgx.trusted_files.libdl = "file:$(GRAPHENEDIR)/Runtime/libdl.so.2" sgx.trusted_files.librt = "file:$(GRAPHENEDIR)/Runtime/librt.so.1" sgx.trusted_files.libutil = "file:$(GRAPHENEDIR)/Runtime/libutil.so.1" sgx.trusted_files.libpthread = "file:$(GRAPHENEDIR)/Runtime/libpthread.so.0" # Other libraries sgx.trusted_files.libz = "file:$(ARCH_LIBDIR)/libz.so.1" sgx.trusted_files.libbz2 = "file:$(ARCH_LIBDIR)/libbz2.so.1.0" sgx.trusted_files.liblzma = "file:$(ARCH_LIBDIR)/liblzma.so.5" sgx.trusted_files.libexpat = "file:$(ARCH_LIBDIR)/libexpat.so.1" $(PYTHON_TRUSTED_LIBS) # SGX untrusted (allowed) files/directories sgx.allowed_files.scripts = "file:scripts" sgx.allowed_files.tmp = "file:/tmp" sgx.allowed_files.etc = "file:/etc" sgx.allowed_files.pyhome = "file:$(PYTHONHOME)" sgx.allowed_files.pydisthome = "file:$(PYTHONDISTHOME)"