teepot/packages/container-vault-unseal-sgx-azure/tee-vault-unseal.manifest.toml

libos.entrypoint = "{{ entrypoint }}"

[loader]
argv = ["{{ entrypoint }}"]
entrypoint = "file:{{ gramine.libos }}"

[loader.env]
### Admin Config ###
PORT = { passthrough = true }

### VAULT attestation ###
VAULT_ADDR = { passthrough = true }
VAULT_SGX_MRENCLAVE = { passthrough = true }
VAULT_SGX_MRSIGNER = { passthrough = true }
VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }

### DEBUG ###
RUST_BACKTRACE = "1"
RUST_LOG = "info,tee_vault_unseal=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"

### Enclave security ###
ALLOWED_TCB_LEVELS = "SwHardeningNeeded"

### Fixed values ###
LD_LIBRARY_PATH = "/lib"
SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
PATH = "/bin"
HOME = "/app"

MALLOC_ARENA_MAX = "1"
AZDCAP_DEBUG_LOG_LEVEL = "ignore"
AZDCAP_COLLATERAL_VERSION = "v4"

VAULT_AUTH_TEE_SHA256 = "{{ vault_auth_tee_sha }}"
VAULT_AUTH_TEE_VERSION = "{{ vault_auth_tee_version }}"

[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
  { type = "tmpfs", path = "/var/tmp" },
  { type = "tmpfs", path = "/tmp" },
  { type = "tmpfs", path = "/app/.dcap-qcnl" },
  { type = "tmpfs", path = "/app/.az-dcap-client" },
]

[sgx]
trusted_files = [
  "file:/app/",
  "file:/bin/",
  "file:/etc/gai.conf",
  "file:/etc/sgx_default_qcnl.conf",
  "file:/etc/ssl/certs/ca-bundle.crt",
  "file:/lib/",
  "file:/lib/libdcap_quoteprov.so",
  "file:/nix/",
  "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir() }}/",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "2G"

[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true

# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true