gramineproject · dimakuv · Jul 24, 2024 · Mar 15, 2024
diff --git a/Documentation/manifest-syntax.rst b/Documentation/manifest-syntax.rst
@@ -69,19 +69,30 @@ Loader entrypoint
 
 ::
 
- loader.entrypoint = "[URI]"
+ loader.entrypoint.uri = "[URI]"
  (Default: "<path to libsysdb.so>")
 
-This specifies the LibOS component that Gramine will load and run before loading
-the first executable of the user application. **Note**: currently, there is only
-one LibOS implementation: ``libsysdb.so``, and there is no need to specify this
-option explicitly.
+ loader.entrypoint.sha256 = "[HASH]"
+
+``loader.entrypoint.uri`` specifies the LibOS component that Gramine will load
+and run before loading the first executable of the user application. **Note**:
+currently, there is only one LibOS implementation: ``libsysdb.so``, and there is
+no need to specify this option explicitly.
+
+Additionally, the loader entrypoint is cryptographically hashed at build time.
+At startup, Gramine verifies that the entrypoint's hash matches what is stored
+in the manifest in ``loader.entrypoint.sha256``. The signer tool will
+automatically generate the hash of this file and add it to the SGX-specific
+manifest (``.manifest.sgx``). The manifest writer may also explicitly specify
+the hash; in this case, hashing of the file will be skipped by the signer tool
+and the value in ``loader.entrypoint.sha256`` will be used instead.
 
 Note that the loader (the PAL binary) loads the LibOS binary specified in
 ``loader.entrypoint`` and passes control to this binary. Next, the LibOS binary
 loads the actual executable (the user application) specified in
 ``libos.entrypoint``. Also note that, in contrast to ``libos.entrypoint``, the
-``loader.entrypoint`` option specifies a PAL URI (with the ``file:`` prefix).
+``loader.entrypoint.uri`` option specifies a PAL URI (with the ``file:``
+prefix).
 
 .. _libos-entrypoint:
 
@@ -1359,3 +1370,15 @@ In addition, the application manifest must also contain ``sgx.debug = true``.
  independently.
 
 See :ref:`vtune-sgx-profiling` for more information.
+
+Deprecated options
+------------------
+
+Loader entrypoint (deprecated syntax)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+ loader.entrypoint = "[URI]"
+
+This syntax was renamed to ``loader.entrypoint.uri``.
diff --git a/libos/test/abi/x86_64/manifest.template b/libos/test/abi/x86_64/manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 fs.mounts = [
@@ -10,6 +9,5 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/abi/x86_64/stack_arg.manifest.template b/libos/test/abi/x86_64/stack_arg.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 # The argv source file must set argv[0] as the basename of the entrypoint. This is crucial for
@@ -15,7 +14,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
 

diff --git a/libos/test/abi/x86_64/stack_env.manifest.template b/libos/test/abi/x86_64/stack_env.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.foo = "bar"
@@ -15,6 +14,5 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/fs/manifest.template b/libos/test/fs/manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
@@ -29,7 +28,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ binary_dir }}/{{ entrypoint }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:{{ arch_libdir }}/libgcc_s.so.1",

diff --git a/libos/test/ltp/manifest.template b/libos/test/ltp/manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr/lib64"
@@ -36,7 +35,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ binary_dir }}/{{ entrypoint }}",
  "file:{{ gramine.runtimedir() }}/ld-linux-x86-64.so.2",
  "file:{{ gramine.runtimedir() }}/libc.so.6",

diff --git a/libos/test/regression/argv_from_file.manifest.template b/libos/test/regression/argv_from_file.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/argv_from_manifest.manifest.template b/libos/test/regression/argv_from_manifest.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -22,7 +21,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/attestation.manifest.template b/libos/test/regression/attestation.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.ra_client_spid = "{{ env.get('RA_CLIENT_SPID', '') }}"
 sgx.ra_client_linkable = {{ 'true' if env.get('RA_CLIENT_LINKABLE', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/bootstrap_cpp.manifest.template b/libos/test/regression/bootstrap_cpp.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
@@ -18,7 +17,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ arch_libdir }}/libgcc_s.so.1",
  "file:/usr{{ arch_libdir }}/libstdc++.so.6",

diff --git a/libos/test/regression/debug_log_file.manifest.template b/libos/test/regression/debug_log_file.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -17,7 +16,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/debug_log_inline.manifest.template b/libos/test/regression/debug_log_inline.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -16,7 +15,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/device_ioctl.manifest.template b/libos/test/regression/device_ioctl.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -12,7 +11,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

diff --git a/libos/test/regression/device_ioctl_fail.manifest.template b/libos/test/regression/device_ioctl_fail.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "device_ioctl" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -14,7 +13,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

diff --git a/libos/test/regression/device_ioctl_parse_fail.manifest.template b/libos/test/regression/device_ioctl_parse_fail.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -12,7 +11,6 @@ fs.mounts = [
 sgx.debug = true
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

diff --git a/libos/test/regression/device_passthrough.manifest.template b/libos/test/regression/device_passthrough.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -13,7 +12,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]

diff --git a/libos/test/regression/env_from_file.manifest.template b/libos/test/regression/env_from_file.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.allowed_files = [
 ]
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/env_from_host.manifest.template b/libos/test/regression/env_from_host.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -15,7 +14,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/env_passthrough.manifest.template b/libos/test/regression/env_passthrough.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "bootstrap" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -20,7 +19,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/eventfd_fork.manifest.template b/libos/test/regression/eventfd_fork.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -14,7 +13,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/eventfd_fork_allowed_failing.manifest.template b/libos/test/regression/eventfd_fork_allowed_failing.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "eventfd_fork" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.log_level = "warning" # to print the warning about eventfd usage in child process
@@ -20,7 +19,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/fcntl_lock_child_only.manifest.template b/libos/test/regression/fcntl_lock_child_only.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -16,7 +15,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
 ]
diff --git a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "file_check_policy" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -18,9 +17,9 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.file_check_policy = "allow_all_but_log"
 
-# there are no "file:{{ gramine.libos }}" and "file:{{ gramine.runtimedir() }}/"
-# entries in `sgx.trusted_files` -- this is on purpose; we want to test that
-# `allow_all_but_log` also applies to Gramine-runtime files (e.g., LibOS binary)
+# there is no "file:{{ gramine.runtimedir() }}/" entry in `sgx.trusted_files` -- this is on purpose;
+# we want to test that `allow_all_but_log` also applies to Gramine-runtime files (e.g., libc
+# binaries)
 
 sgx.trusted_files = [
  "file:{{ binary_dir }}/{{ entrypoint }}",

diff --git a/libos/test/regression/file_check_policy_strict.manifest.template b/libos/test/regression/file_check_policy_strict.manifest.template
@@ -1,6 +1,5 @@
 {% set entrypoint = "file_check_policy" -%}
 
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -19,7 +18,6 @@ sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 sgx.file_check_policy = "strict"
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
 
  # test TOML inline table syntax without `sha256`

diff --git a/libos/test/regression/fork_and_access_file.manifest.template b/libos/test/regression/fork_and_access_file.manifest.template
@@ -1,4 +1,3 @@
-loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "{{ entrypoint }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib"
@@ -13,7 +12,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.trusted_files = [
- "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir(libc) }}/",
  "file:{{ binary_dir }}/{{ entrypoint }}",
  "file:fork_and_access_file_testfile",