teepot/bin/tee-vault-unseal/tee-vault-unseal.manifest.template

libos.entrypoint = "/app/tee-vault-unseal"

[loader]
argv = [ "/app/tee-vault-unseal" ]
entrypoint = "file:{{ gramine.libos }}"
env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
env.HOME = "/app"
env.MALLOC_ARENA_MAX = "1"
env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
env.AZDCAP_COLLATERAL_VERSION = "v4"

### Required configuration ###
env.ALLOWED_TCB_LEVELS = { passthrough = true }
env.VAULT_ADDR = { passthrough = true }

### DEBUG ###
env.RUST_BACKTRACE = "1"
env.RUST_LOG="info,tee_vault_unseal=trace,teepot=trace,awc=debug"

[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
  { path = "{{ execdir }}", uri = "file:{{ execdir }}" },
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
  { path = "/etc", uri = "file:/etc" },
  { type = "tmpfs", path = "/var/tmp" },
  { type = "tmpfs", path = "/tmp" },
  { type = "tmpfs", path = "/app/.dcap-qcnl" },
  { type = "tmpfs", path = "/app/.az-dcap-client" },
  { type = "encrypted", path = "/opt/vault/tls", uri = "file:/opt/vault/tls", key_name = "_sgx_mrsigner" },
  { path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
]

[sgx]
trusted_files = [
  "file:/etc/ld.so.cache",
  "file:/app/",
  "file:{{ execdir }}/",
  "file:{{ arch_libdir }}/",
  "file:/usr/{{ arch_libdir }}/",
  "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:/usr/lib/ssl/openssl.cnf",
  "file:/etc/ssl/",
  "file:/etc/sgx_default_qcnl.conf",
  "file:/lib/libdcap_quoteprov.so",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "2G"

[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true

# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true