gramine-manifest – Gramine manifest preprocessor

Synopsis

gramine-manifest [OPTION]… [SOURCE-FILE [OUTPUT-FILE]]

Description

gramine-manifest is used to preprocess manifests for Gramine using Jinja markup.

Command line arguments

--define <key>=<value>, -D <key>=<value>

Make a variable available in the template.

--check

After rendering the manifest from the template, validate it against the manifest schema to check for unknown manifest entries and/or missing mandatory options. See gramine-manifest-check (Gramine manifest schema validator) for more details.

The check is enabled by default. This option serves to re-enable the check after --no-check.

--no-check

Disable the schema validation described above under --check.

--chroot <path>

When calculating cryptographic hashes of trusted files, measure files inside a chroot instead of paths in the root of the file system. Requires that all paths in the manifest are absolute; they will be interpreted as relative to the directory given as the value of this option.

Note that you need to be very careful that the Gramine runtime binaries inside the chroot are exactly the same as the ones used to execute gramine-manifest.
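A pre-flight check for the --chroot caveat above, as an added example that is not part of Gramine or of this page: it maps absolute paths into the chroot the way the option describes and lists host runtime files that are missing or differ inside it. The helper names, the demo directories and the use of SHA-256 for the comparison are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def in_chroot(chroot, manifest_path):
    """Map an absolute manifest path to its location under the chroot."""
    p = Path(manifest_path)
    if not p.is_absolute():
        # --chroot requires every path in the manifest to be absolute
        raise ValueError(f"not an absolute path: {manifest_path}")
    return Path(chroot) / p.relative_to(p.anchor)


def sha256_file(path):
    # Assumption: SHA-256 stands in for the "cryptographic hash" the page mentions
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def runtime_mismatches(chroot, host_runtimedir):
    """List host runtime files that are missing or different inside the chroot."""
    bad = []
    for host in sorted(Path(host_runtimedir).rglob("*")):
        if not host.is_file():
            continue
        inside = in_chroot(chroot, host)
        if not inside.is_file():
            bad.append((str(host), "missing in chroot"))
        elif sha256_file(host) != sha256_file(inside):
            bad.append((str(host), "content differs"))
    return bad


def demo():
    """Constructed sample: a stand-in runtime dir and a chroot with a stale copy."""
    with tempfile.TemporaryDirectory() as tmp:
        runtime = Path(tmp).resolve() / "host" / "runtime"  # hypothetical runtimedir
        chroot = Path(tmp).resolve() / "rootfs"
        runtime.mkdir(parents=True)
        (runtime / "libc.so.6").write_bytes(b"patched libc v2")
        (runtime / "ld.so").write_bytes(b"loader")
        mirror = in_chroot(chroot, runtime)
        mirror.mkdir(parents=True)
        (mirror / "libc.so.6").write_bytes(b"patched libc v1")  # stale copy
        return [(Path(p).name, why) for p, why in runtime_mismatches(chroot, runtime)]


if __name__ == "__main__":
    print(demo())
```

An empty list from runtime_mismatches() means every runtime file on the host has an identical copy at the same absolute path inside the chroot.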

Functions and constants available in templates

gramine.libos

Path to libsysdb.so.

gramine.runtimedir(libc='glibc')

The path to the runtime directory with the patched libc. Currently supported options are 'glibc' and 'musl'.

python.stdlib

The stdlib installation path from the sysconfig module.

python.platstdlib

The platstdlib installation path from the sysconfig module.

python.purelib

The purelib installation path from the sysconfig module.

python.distlib

On Debian systems, this is /usr/lib/python3/dist-packages.

python.get_path(...)

sysconfig.get_path

python.get_paths(...)

sysconfig.get_paths

python.implementation

sys.implementation

env.[ENVVAR]

The content of the $ENVVAR environment variable.

ldd(*executables)

List of libraries which are linked from executables. Each library is provided at most once.

Example

manifest.template:

libos.entrypoint = "{{ entrypoint }}"
loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}"

fs.mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "/{{ entrypoint }}", uri = "file:{{ entrypoint }}" },
]

sgx.trusted_files = [
  "file:{{ entrypoint }}",
  "file:{{ gramine.runtimedir() }}/",
]

Makefile:

%.manifest: manifest.template
	gramine-manifest \
		-Dentrypoint=$(ENTRYPOINT) \
		-Darch_libdir=$(ARCH_LIBDIR) \
		$< $@