Graphene manifest file for the Intel SGX PPML Tutorial
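# PyTorch manifest template
#
# This manifest was tested on Ubuntu 16.04 and 18.04.
#
# Run the application with:
#
# ./pal_loader pytorch.manifest pytorchexample.py
#
# This is a tutorial configuration, not a hardened one: it turns on several
# loader.insecure__* options and lists host files and directories under
# sgx.allowed_files, which are not integrity-checked. Review those entries
# before reusing it outside a demo.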
# The executable to load in Graphene
loader.exec = file:/usr/bin/python3
# Value the application sees as argv[0].
loader.argv0_override = python3
# NOTE(review): passes the untrusted host's environment variables into the
# enclave. Anything the application or its libraries read from the environment
# is then host-controlled; whether host values can also shadow the loader.env.*
# entries in this file should be confirmed against the Graphene version in use.
# Don't use this in production.
loader.insecure__use_host_env = 1
# NOTE(review): turns off address-space layout randomization inside the
# enclave, which removes an exploit mitigation. No reason is given here; drop
# it unless a debugging workflow needs fixed addresses.
loader.insecure__disable_aslr=1
# Graphene environment, including the path to the library OS and the debug
# option (inline/none)
loader.preload = file:$(GRAPHENEDIR)/Runtime/libsysdb.so
loader.debug_type = none
# Read application arguments directly from the command line. Don't use this on production!
# Because loader.exec is the Python interpreter, the host picks the script and
# interpreter flags that run inside the attested enclave. The script still has
# to be listed under sgx.trusted_files / sgx.allowed_files / sgx.protected_files,
# but the sgx.allowed_files entries in this manifest are not integrity-checked.
loader.insecure__use_cmdline_argv = 1
# Environment variables
# Library search path inside the enclave. The trailing "." adds the current
# working directory; every library resolved from there should be listed under
# sgx.trusted_files so that it is verified before it is loaded.
loader.env.LD_LIBRARY_PATH = /lib:/usr/lib:$(ARCH_LIBDIR):/usr/$(ARCH_LIBDIR):.
# Secret provisioning: the attestation library is preloaded into python3. It is
# listed as a trusted file below, so the host cannot substitute it unnoticed.
loader.env.LD_PRELOAD = libsecret_prov_attest.so
# Presumably: fetch the secret from the library's constructor (before the
# Python script runs) and install it as the key for sgx.protected_files.
# TODO confirm against the secret-provisioning library's documentation.
loader.env.SECRET_PROVISION_CONSTRUCTOR = 1
loader.env.SECRET_PROVISION_SET_PF_KEY = 1
# CA chain used to authenticate the provisioning server. The file name suggests
# a test CA; replace it with your own CA for any real deployment.
loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "certs/test-ca-sha256.crt"
# Semicolon-separated host:port candidates. The "dummy" entries look like
# placeholders, and localhost:4433 is presumably the tutorial's own server.
# Trust in whichever server answers comes from the CA chain above, not from
# these names.
loader.env.SECRET_PROVISION_SERVERS = "dummyserver:80;localhost:4433;anotherdummy:4433"
sgx.trusted_files.libsecretprovattest = file:libsecret_prov_attest.so
# NOTE(review): left commented out with no explanation. Presumably the mbedTLS
# libraries are linked into libsecret_prov_attest.so in this setup; confirm,
# then either delete these lines or say when they are needed.
#sgx.trusted_files.libmbedcrypto = file:libmbedcrypto.so.4
#sgx.trusted_files.libmbedx509 = file:libmbedx509.so.1
# Trusted (hash-checked) copy of the CA chain referenced by
# SECRET_PROVISION_CA_CHAIN_PATH.
sgx.trusted_files.cachain = file:certs/test-ca-sha256.crt
# Enables SGX remote attestation for this enclave; the preloaded provisioning
# library presumably depends on it.
sgx.remote_attestation = 1
# File-system mounts. A mount only maps a host directory into the enclave's
# file-system view. Whether a file under it may be opened, and whether its
# contents are verified or encrypted, is decided by the sgx.trusted_files,
# sgx.allowed_files and sgx.protected_files entries further down.
#
# Default glibc files, mounted from the Runtime directory in GRAPHENEDIR
fs.mount.lib.type = chroot
fs.mount.lib.path = /lib
fs.mount.lib.uri = file:$(GRAPHENEDIR)/Runtime/
# More libraries required by PyTorch
fs.mount.lib2.type = chroot
fs.mount.lib2.path = $(ARCH_LIBDIR)
fs.mount.lib2.uri = file:$(ARCH_LIBDIR)
# The host's entire /usr tree is mapped at /usr.
fs.mount.usr.type = chroot
fs.mount.usr.path = /usr
fs.mount.usr.uri = file:/usr
# Host-level directory to NSS files required by Glibc + NSS libs
fs.mount.etc.type = chroot
fs.mount.etc.path = /etc
fs.mount.etc.uri = file:/etc
# Workload needs to create temporary files
# /tmp is the host's /tmp, so it is readable and writable by the untrusted host.
fs.mount.tmp.type = chroot
fs.mount.tmp.path = /tmp
fs.mount.tmp.uri = file:/tmp
# PyTorch loads its pre-trained models from here
# Uncomment lines below if you want to use torchvision.model.alexnet(pretrained=True)
# fs.mount.torch.type = chroot
# fs.mount.torch.path = $(HOME)/.cache/torch
# fs.mount.torch.uri = file:$(HOME)/.cache/torch
# When run as `pip install --user ...`, pip installs Python packages here
# $(HOME) is presumably expanded when the manifest is generated from this
# template, which ties the resulting path to the build user's home directory.
fs.mount.pip.type = chroot
fs.mount.pip.path = $(HOME)/.local/lib
fs.mount.pip.uri = file:$(HOME)/.local/lib
# SGX general options
# Both values below are fixed when the enclave is signed (see the notes on each
# setting), so re-sign the enclave after changing either of them.
#
# Set the virtual memory size of the SGX enclave. For SGX v1, the enclave
# size must be specified during signing. If the workload needs more virtual memory
# than the enclave size, Graphene will not be able to allocate it.
#
# In particular, libtorch*.so is more than 1G, thus 4G is the minimum to make this run.
sgx.enclave_size = 4G
# Set the maximum number of enclave threads. For SGX v1, the number of enclave
# TCSes must be specified during signing, so the application cannot use more
# threads than the number of TCSes. Note that Graphene also creates an internal
# thread for handling inter-process communication (IPC), and potentially another
# thread for asynchronous events. Therefore, the actual number of threads that
# the application can create is (sgx.thread_num - 2).
#
# We (somewhat arbitrarily) specify 16 threads for this workload.
# With the two internal threads described above, that leaves 14 for the application.
sgx.thread_num = 16
# SGX trusted libraries
# Each sgx.trusted_files.* entry is hashed when the manifest is signed, and the
# hash is checked when the enclave opens the file, so a host-side modification
# is detected. Every library listed here runs inside the enclave and is part of
# its trusted code, so keep the list to what the workload needs.
sgx.trusted_files.ld = file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2
sgx.trusted_files.libc = file:$(GRAPHENEDIR)/Runtime/libc.so.6
sgx.trusted_files.libdl = file:$(GRAPHENEDIR)/Runtime/libdl.so.2
sgx.trusted_files.libm = file:$(GRAPHENEDIR)/Runtime/libm.so.6
sgx.trusted_files.libpthread = file:$(GRAPHENEDIR)/Runtime/libpthread.so.0
sgx.trusted_files.libnssdns = file:$(GRAPHENEDIR)/Runtime/libnss_dns.so.2
sgx.trusted_files.libresolv = file:$(GRAPHENEDIR)/Runtime/libresolv.so.2
sgx.trusted_files.librt = file:$(GRAPHENEDIR)/Runtime/librt.so.1
sgx.trusted_files.libutil = file:$(GRAPHENEDIR)/Runtime/libutil.so.1
sgx.trusted_files.libnssmyhostname = file:$(ARCH_LIBDIR)/libnss_myhostname.so.2
sgx.trusted_files.libnssmdns = file:$(ARCH_LIBDIR)/libnss_mdns4_minimal.so.2
# NOTE(review): the next two paths hard-code the x86_64 multiarch directory
# where the neighbouring entries use $(ARCH_LIBDIR). They presumably resolve to
# the same place on the tested systems; confirm before unifying them.
sgx.trusted_files.libudev = file:/lib/x86_64-linux-gnu/libudev.so.1
sgx.trusted_files.libzstd = file:/usr/lib/x86_64-linux-gnu/libzstd.so.1
sgx.trusted_files.libstdc = file:/usr/$(ARCH_LIBDIR)/libstdc++.so.6
sgx.trusted_files.libgccs = file:$(ARCH_LIBDIR)/libgcc_s.so.1
# NOTE(review): libapt-pkg, libsystemd, libselinux, libgcrypt and their helpers
# are unusual dependencies for an inference workload. They are presumably
# pulled in by a Python package on the test machine; confirm they are needed,
# because each one adds code that executes inside the enclave.
sgx.trusted_files.libaptpkg = file:/usr/$(ARCH_LIBDIR)/libapt-pkg.so.5.0
sgx.trusted_files.liblz4 = file:/usr/$(ARCH_LIBDIR)/liblz4.so.1
sgx.trusted_files.libsystemd = file:$(ARCH_LIBDIR)/libsystemd.so.0
sgx.trusted_files.libselinux = file:$(ARCH_LIBDIR)/libselinux.so.1
sgx.trusted_files.libgcrypt = file:$(ARCH_LIBDIR)/libgcrypt.so.20
sgx.trusted_files.libpcre = file:$(ARCH_LIBDIR)/libpcre.so.3
sgx.trusted_files.libgpgerror = file:$(ARCH_LIBDIR)/libgpg-error.so.0
sgx.trusted_files.libexpat = file:$(ARCH_LIBDIR)/libexpat.so.1
sgx.trusted_files.libz = file:$(ARCH_LIBDIR)/libz.so.1
sgx.trusted_files.libz2 = file:$(ARCH_LIBDIR)/libbz2.so.1.0
sgx.trusted_files.liblzma = file:$(ARCH_LIBDIR)/liblzma.so.5
sgx.trusted_files.libmpdec = file:/usr/$(ARCH_LIBDIR)/libmpdec.so.2
# Lines tagged "Ubuntu16.04" / "Ubuntu18.04" are comments as written. The
# build presumably enables the ones matching the host release (TODO confirm).
# Until then libcrypto and libssl are not trusted files.
# Ubuntu16.04 sgx.trusted_files.libcrypto = file:$(ARCH_LIBDIR)/libcrypto.so.1.0.0
# Ubuntu16.04 sgx.trusted_files.libssl = file:$(ARCH_LIBDIR)/libssl.so.1.0.0
# Ubuntu18.04 sgx.trusted_files.libcrypto = file:/usr/$(ARCH_LIBDIR)/libcrypto.so.1.1
# Ubuntu18.04 sgx.trusted_files.libssl = file:/usr/$(ARCH_LIBDIR)/libssl.so.1.1
# Name Service Switch (NSS) libraries (Glibc dependencies)
sgx.trusted_files.libnssfiles = file:$(ARCH_LIBDIR)/libnss_files.so.2
sgx.trusted_files.libnsscompat = file:$(ARCH_LIBDIR)/libnss_compat.so.2
sgx.trusted_files.libnssnis = file:$(ARCH_LIBDIR)/libnss_nis.so.2
sgx.trusted_files.libnsl = file:$(ARCH_LIBDIR)/libnsl.so.1
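# Host configuration files the enclave may read WITHOUT integrity checks.
# sgx.allowed_files entries are not hashed at signing time, so the untrusted
# host can change their contents at will. Treat everything read from them
# (name resolution, user/group lookups, apt settings) as attacker-controlled.
#
# NOTE(review): /etc/nsswitch.conf, /etc/group and /etc/passwd are also listed
# under sgx.trusted_files at the end of this manifest. One file should not be
# both "allowed" (unchecked) and "trusted" (hash-checked). Which entry wins
# depends on the Graphene version, so confirm and keep only one of the two.
sgx.allowed_files.nsswitch = file:/etc/nsswitch.conf
sgx.allowed_files.ethers = file:/etc/ethers
sgx.allowed_files.hostconf = file:/etc/host.conf
sgx.allowed_files.hosts = file:/etc/hosts
sgx.allowed_files.group = file:/etc/group
sgx.allowed_files.passwd = file:/etc/passwd
sgx.allowed_files.gaiconf = file:/etc/gai.conf
sgx.allowed_files.resolv = file:/etc/resolv.conf
# The original value ended in " [11/1844]", which looks like a terminal
# scroll-position indicator pasted in by accident. It has been removed so that
# the URI names the real file.
sgx.allowed_files.apport = file:/etc/default/apport
# apt/dpkg configuration read by some Python package on the host system.
sgx.allowed_files.apt00 = file:/etc/apt/apt.conf.d/00aptitude
sgx.allowed_files.apt01 = file:/etc/apt/apt.conf.d/00trustcdrom
sgx.allowed_files.apt02 = file:/etc/apt/apt.conf.d/01-vendor-ubuntu
sgx.allowed_files.apt03 = file:/etc/apt/apt.conf.d/01autoremove
sgx.allowed_files.apt04 = file:/etc/apt/apt.conf.d/01autoremove-kernels
sgx.allowed_files.apt05 = file:/etc/apt/apt.conf.d/10periodic
sgx.allowed_files.apt06 = file:/etc/apt/apt.conf.d/15update-stamp
sgx.allowed_files.apt07 = file:/etc/apt/apt.conf.d/20archive
sgx.allowed_files.apt08 = file:/etc/apt/apt.conf.d/20auto-upgrades
sgx.allowed_files.apt09 = file:/etc/apt/apt.conf.d/20dbus
sgx.allowed_files.apt10 = file:/etc/apt/apt.conf.d/20snapd.conf
sgx.allowed_files.apt11 = file:/etc/apt/apt.conf.d/50appstream
sgx.allowed_files.apt12 = file:/etc/apt/apt.conf.d/50command-not-found
sgx.allowed_files.apt13 = file:/etc/apt/apt.conf.d/50unattended-upgrades
sgx.allowed_files.apt14 = file:/etc/apt/apt.conf.d/70debconf
sgx.allowed_files.apt15 = file:/etc/apt/apt.conf.d/99update-notifier
sgx.allowed_files.apt16 = file:/etc/apt/apt.conf
# Despite the "apt17" key, this entry and the next one are dpkg tables.
sgx.allowed_files.apt17 = file:/usr/share/dpkg/cputable
sgx.allowed_files.dpkg01 = file:/usr/share/dpkg/tupletable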
# The script to run
# Trusted file: its hash is fixed at signing time, so the host cannot alter the
# script without the enclave noticing.
sgx.trusted_files.script = file:pytorchexample.py
# required by Python package ctypes (lib/python3.6/lib-dynload/ctypes.cpython-36m-x86_64-linux-gnu.so)
# Ubuntu18.04 sgx.trusted_files.libffi = file:/usr/$(ARCH_LIBDIR)/libffi.so.6
#
# Protected files (sgx.protected_files.*) are stored encrypted and
# integrity-protected on the host and are only readable in plaintext inside the
# enclave. The key is presumably the secret delivered by secret provisioning
# (SECRET_PROVISION_SET_PF_KEY = 1 above); confirm for your setup. The
# commented-out sgx.trusted_files alternatives below would be integrity-checked
# but stored in plaintext on the host.
#
# File containing the classes, i.e., things the classifier has been trained to distinguish between
#sgx.trusted_files.classes = file:classes.txt
sgx.protected_files.classes = file:encrypted/classes.txt
# Input image
# sgx.trusted_files.image = file:input.jpg
sgx.protected_files.image = file:encrypted/input.jpg
# File containing the pre-trained model
# Uncomment lines below if you want to use torchvision.model.alexnet(pretrained=True)
# sgx.trusted_files.torch = file:$(HOME)/.cache/torch/checkpoints/alexnet-owt-4df8aa71.pth
# Pre-trained model saved as a file
#sgx.trusted_files.model = file:alexnet-pretrained.pt
sgx.protected_files.model = file:encrypted/alexnet-pretrained.pt
# Inference output, written as a protected (encrypted) file
sgx.protected_files.result = file:encrypted/result.txt
# Scratch space
# NOTE(review): the whole host /tmp is an allowed (unchecked, unencrypted)
# location. Anything the workload writes there is visible to the host, and
# anything it reads back may have been altered. Keep inputs, model data and
# results out of it.
sgx.allowed_files.tmp = file:/tmp
# Lets the enclave create new files on the host (the original comment here was
# just "Output file"). This is presumably needed for the result and scratch files.
sgx.allow_file_creation = 1
# The workload needs to fork/execve; this allows it to do so
# python3.sig is presumably the signature file produced when this manifest is
# signed, so the only permitted child enclave is another copy of this one.
sgx.trusted_children.fork = file:python3.sig
# Various locations where Python dependencies are found
# NOTE(review): these are sgx.allowed_files directories, so every Python module
# imported from them (the standard library and, per the pip mount comment,
# packages installed with `pip install --user`) is loaded without integrity
# verification. The untrusted host can therefore change code that executes
# inside the attested enclave alongside the provisioned secret. For anything
# beyond a demo, list the required modules under sgx.trusted_files instead.
sgx.allowed_files.python3 = file:/usr/lib/python3
sgx.allowed_files.pythonhome = file:$(HOME)/.local/lib
# Ubuntu16.04 sgx.allowed_files.python35 = file:/usr/lib/python3.5
# Ubuntu18.04 sgx.allowed_files.python36 = file:/usr/lib/python3.6
# Some Python package wants to access these files on Ubuntu 16.04
# Ubuntu16.04 sgx.allowed_files.aptconfd = file:/etc/apt/apt.conf.d
# Ubuntu16.04 sgx.allowed_files.aptconf = file:/etc/apt/apt.conf
# Ubuntu16.04 sgx.allowed_files.apport = file:/etc/default/apport
# Name Service Switch (NSS) files (Glibc reads these files)
# NOTE(review): the same three paths are also listed earlier under
# sgx.allowed_files (nsswitch, group, passwd). Keep only one classification per
# file. As trusted files their host copies must match the hashes taken at
# signing time.
sgx.trusted_files.nsswitch = file:/etc/nsswitch.conf
sgx.trusted_files.group = file:/etc/group
sgx.trusted_files.passwd = file:/etc/passwd