gramineproject · DukeDavis12 · Nov 5, 2024 · Nov 11, 2024 · Nov 21, 2024 · Nov 25, 2024
diff --git a/finalize_manifest.py b/finalize_manifest.py
@@ -10,6 +10,7 @@
 import subprocess
 import sys
 
+import hashlib
 import jinja2
 import tomli
 import tomli_w
@@ -21,6 +22,13 @@ def is_utf8(filename_bytes):
     except UnicodeError:
         return False
 
+def compute_sha256(filename):
+    sha256_hash = hashlib.sha256()
+    with open(filename, 'rb') as f:
+        for byte_block in iter(lambda: f.read(4096), b""):
+            sha256_hash.update(byte_block)
+    return sha256_hash.hexdigest()
+
 def extract_files_from_user_manifest(manifest):
     files = []
 
@@ -98,7 +106,7 @@ def generate_trusted_files(root_dir, already_added_files):
                 # user manifest already contains this file (probably as allowed or protected)
                 continue
 
-            trusted_files.append(trusted_file_entry)
+            trusted_files.append({"uri": trusted_file_entry, "sha256": compute_sha256(filename)})
             num_trusted += 1
 
     print(f'\t[from inside Docker container] Found {num_trusted} files in `{root_dir}`.')
@@ -143,6 +151,14 @@ def main(args=None):
     else:
         print(f'\t[from inside Docker container] Skipping trusted files generation. This image must not be used in production.')
 
+    # Check if the [loader] section and entrypoint.uri field are present
+    if 'loader' not in rendered_manifest_dict:
+        rendered_manifest_dict['loader'] = {}
+    if 'entrypoint' not in rendered_manifest_dict['loader']:
+        rendered_manifest_dict['loader']['entrypoint'] = {}
+    if 'uri' not in rendered_manifest_dict['loader']['entrypoint']:
+        rendered_manifest_dict['loader']['entrypoint']['uri'] = "file:/gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/libsysdb.so"
+
     with open(manifest, 'wb') as manifest_file:
         tomli_w.dump(rendered_manifest_dict, manifest_file)
     print(f'\t[from inside Docker container] Successfully finalized `{manifest}`.')

diff --git a/templates/Dockerfile.common.build.template b/templates/Dockerfile.common.build.template
@@ -61,6 +61,8 @@ RUN chmod u+x /gramine/app_files/apploader.sh \
     && /usr/bin/python3 -B /gramine/app_files/finalize_manifest.py \
     && rm -f /gramine/app_files/finalize_manifest.py
 
+RUN {% block path %}{% endblock %} gramine-manifest-check /gramine/app_files/entrypoint.manifest
+
 # Define default command
 ENTRYPOINT ["/bin/bash", "/gramine/app_files/apploader.sh"]
 {% if insecure_args and cmd %}CMD {{ cmd | tojson }}{% endif %}
diff --git a/templates/centos/Dockerfile.build.template b/templates/centos/Dockerfile.build.template
@@ -38,3 +38,5 @@ RUN dnf install -y \
         vim
 {% endif %}
 {% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %}
diff --git a/templates/centos/entrypoint.manifest.template b/templates/centos/entrypoint.manifest.template
@@ -1,6 +1,5 @@
 {% extends "entrypoint.common.manifest.template" %}
 
 {% block loader %}
-loader.entrypoint = "file:/gramine/meson_build_output/lib64/gramine/libsysdb.so"
 loader.env.LD_LIBRARY_PATH = "/gramine/meson_build_output/lib64/gramine/runtime/glibc:/usr/lib64:{{"{{library_paths}}"}}"
 {% endblock %}
diff --git a/templates/debian/Dockerfile.build.template b/templates/debian/Dockerfile.build.template
@@ -50,3 +50,5 @@ ENV LC_ALL en_US.UTF-8
 ENV LANG en_US.UTF-8
 ENV LANGUAGE en_US.UTF-8
 {% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib -type d -path '*/site-packages')" &&{% endblock %}
diff --git a/templates/debian/entrypoint.manifest.template b/templates/debian/entrypoint.manifest.template
@@ -1,7 +1,6 @@
 {% extends "entrypoint.common.manifest.template" %}
 
 {% block loader %}
-loader.entrypoint = "file:/gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/libsysdb.so"
 
 # Add "/usr/lib/x86_64-linux-gnu" explicitly because ldconfig in Ubuntu 21.04 doesn't
 # produce it; note that this Debian template is used by Ubuntu templates as well

diff --git a/templates/entrypoint.common.manifest.template b/templates/entrypoint.common.manifest.template
@@ -1,6 +1,6 @@
 libos.entrypoint = "/gramine/app_files/{{binary_basename}}"
 
-# Add distro-specific `loader.entrypoint` and `loader.env.LD_LIBRARY_PATH`
+# Add distro-specific `loader.env.LD_LIBRARY_PATH`
 {% block loader %}{% endblock %}
 
 loader.env.PATH = "{{"{{env_path}}"}}"
@@ -11,6 +11,8 @@ fs.root.uri = "file:/"
 
 # Gramine's default working dir is '/', so change the working directory to the desired one
 fs.start_dir = "{{working_dir}}"
+fs.mounts = [
+]
 
 sgx.debug = {% if buildtype != "release" %} true {% else %} false {% endif %}
 

diff --git a/templates/redhat/ubi-minimal/Dockerfile.build.template b/templates/redhat/ubi-minimal/Dockerfile.build.template
@@ -46,3 +46,5 @@ RUN microdnf install -y \
         strace
 {% endif %}
 {% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %}
diff --git a/templates/redhat/ubi/Dockerfile.build.template b/templates/redhat/ubi/Dockerfile.build.template
@@ -44,3 +44,5 @@ RUN dnf install -y \
         strace
 {% endif %}
 {% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %}
diff --git a/templates/suse/Dockerfile.build.template b/templates/suse/Dockerfile.build.template
@@ -42,3 +42,5 @@ RUN zypper install -y \
         vim
 {% endif %}
 {% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH:+$PYTHONPATH:}$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %}