The use of the ROOT environment variable is tripping me up here. How do you normally set that env var?

Ordinarily it's best with BASH scripts to define them such that it's clear where to trigger them from (i.e. from which folder to call them) and use relative paths as far as possible. If you need to expand a relative path to an absolute one, then there are BASH utilities/shell commands that can assist with that.

The use of the ROOT environment variable is tripping me up here. How do you normally set that env var?

Good point! Unfortunately we currently require ROOT to be the absolute path. I think this is a common pattern across all our scripts.

I think listen.sh needs a similar check for MOCK_SGX as relayer.sh has. let me know what you think

I have a slight preference for merging this PR without this change and later adding this to #96 (after merging these changes) because IIUC, update attestation is working well there, so it'll be easier to test. 🙏

Okay I agree, we can save the fix for listen.sh afterwords.

I ran the test with the MOCK_SGX and it worked, but now I did not pass the flag and I am running gramine normally, and I am getting this error:

[P1:T1:] error: libos_init() failed in init_exec_handle: Permission denied (EACCES)

Any ideas?

[P1:T1:] error: libos_init() failed in init_exec_handle: Permission denied (EACCES)

When do you see this error? As soon as the enclave starts? Or at the time of handshake?

Also, if you did a export MOCK_SGX=1, make sure to unset MOCK_SGX.

MOCK_SGX was already unset! here is where it fails:

Measurement:
    647d425aacfa2ac4b6103271d578bcaa764061fa110c9791c7d147c4695e0f51
--------------------------------------------------------
... start gramine
Gramine is starting. Parsing TOML manifest file, this may take some time...
-----------------------------------------------------------------------------------------------------------------------
Gramine detected the following insecure configurations:

  - sys.insecure__allow_eventfd = true         (host-based eventfd is enabled)
  - sgx.allowed_files = [ ... ]                (some files are passed through from untrusted host without verification)

Gramine will continue application execution, but this configuration must not be used in production!
-----------------------------------------------------------------------------------------------------------------------

[P1:T1:] error: libos_init() failed in init_exec_handle: Permission denied (EACCES)

The Gramine manifest had a bug where the bin name wasn't updated in the trusted_files array. Just pushed 60ed808 based on @davekaj's idea. Thanks for the fix @davekaj!