[Pal/Linux-SGX] Allow specifying whole directories in trusted files

Signed-off-by: Michał Kowalczyk <[email protected]>

.ci/lib/stage-clean-check.jenkinsfile

@@ -14,7 +14,7 @@ stage('clean-check') {
         make -C LibOS/shim/test/regression clean
 
         make -C Examples/python-simple clean
-        make -C Examples/python-scipy-insecure clean
+        make -C Examples/python-scipy clean
         make -C Examples/bash clean
         make -C Examples/curl clean
         make -C Examples/gcc distclean

.ci/lib/stage-test-direct.jenkinsfile

@@ -18,7 +18,7 @@ stage('test-direct') {
     }
     timeout(time: 5, unit: 'MINUTES') {
         sh '''
-            cd Examples/python-scipy-insecure
+            cd Examples/python-scipy
             make ${MAKEOPTS} all
             make check
         '''

.ci/lib/stage-test-sgx.jenkinsfile

@@ -8,7 +8,7 @@ stage('test-sgx') {
     }
     timeout(time: 5, unit: 'MINUTES') {
         sh '''
-            cd Examples/python-scipy-insecure
+            cd Examples/python-scipy
             make ${MAKEOPTS}
             make ${MAKEOPTS} check
         '''

Documentation/tutorials/pytorch/index.rst

@@ -248,14 +248,15 @@ Below, we will highlight some of the SGX-specific manifest options in
 
 First, here are the following SGX-specific lines in the manifest template::
 
-   sgx.trusted_files.ld   = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
-   sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
+   sgx.trusted_files.python3 = "file:$(PYTHON3)"
+   sgx.trusted_files.runtime = "file:$(GRAPHENEDIR)/Runtime/"
    ...
 
-``sgx.trusted_files.<name>`` specifies a file that will be verified and trusted
-by the SGX enclave.  Note that the key string ``<name>`` may be an arbitrary
-legal string (but without ``-`` and other special symbols) and does not have to
-be the same as the actual file name.
+``sgx.trusted_files.<name>`` specifies a file or a directory that will be
+verified and trusted by the SGX enclave (in the latter case it's recursively
+traversed and all files are added as trusted). Note that the key string
+``<name>`` may be an arbitrary legal string and does not have to be the same as
+the actual file name.
 
 The way these Trusted Files work is before Graphene runs PyTorch inside the SGX
 enclave, Graphene generates the final SGX manifest file using ``pal-sgx-sign``

Examples/README.md

@@ -27,14 +27,13 @@ have the following elements:
   Graphene-SGX, please include the commands for signing and retrieving
   the token in the `Makefile`.
 
-- Manifest(s):
-  Please provide all the manifests needed for running your application
-  sample. Do not hard-code any user-specific path or personal info
-  in the manifests. The ideal way is to create manifest templates that
-  contain variables to be replaced by runtime options in `Makefile`.
-  See other subdirectories for examples of the manifest templates.
-  We also ask you to provide sufficient comments in all the manifests
-  to help users understand the environment.
+- Manifest:
+  Please provide the manifest needed for running your application sample. Do not
+  hard-code any user-specific path or personal info in the manifest. The ideal
+  way is to create a manifest template that contains variables to be replaced by
+  runtime options in `Makefile`. See other subdirectories for examples of the
+  manifest templates. We also ask you to provide sufficient comments in all the
+  manifests to help users understand the environment.
 
 - Sample inputs and test suites:
   If you have any inputs and test suites for testing the application,

Examples/apache/Makefile

@@ -64,18 +64,6 @@ $(HTTPD_SRC)/configure: $(HTTPD_SRC).tar.gz
 $(HTTPD_SRC).tar.gz:
 	$(GRAPHENEDIR)/Scripts/download --output $@ --sha256 $(HTTPD_CHECKSUM) $(foreach mirror,$(HTTPD_MIRRORS),--url $(mirror)httpd/$(HTTPD_SRC).tar.gz)
 
-# Apache dependencies (generate from ldd):
-#
-# For SGX, the manifest needs to list all the libraries loaded during the
-# execution, so that the signer can include the file checksums.
-#
-# The dependencies are generated from the ldd results.
-
-# We need to replace Glibc dependencies with Graphene-specific Glibc. The Glibc
-# binaries are already listed in the manifest template, so we can skip them
-# from the ldd results
-GLIBC_DEPS = linux-vdso /lib64/ld-linux-x86-64 libc libm librt libdl libpthread
-
 $(INSTALL_DIR)/conf/httpd.conf: $(INSTALL_DIR)/bin/httpd
 $(INSTALL_DIR)/conf/extra/httpd-ssl.conf: $(INSTALL_DIR)/bin/httpd
 
@@ -88,42 +76,11 @@ httpd-modules: $(INSTALL_DIR)/conf/httpd.conf
 	@echo $(INSTALL_DIR)/modules/mod_mpm_event.so  >> $@
 	@echo $(INSTALL_DIR)/modules/mod_ssl.so        >> $@
 
-# Listing all the Apache dependencies, besides Glibc libraries
-.INTERMEDIATE: httpd-ldd
-httpd-ldd: httpd-modules $(INSTALL_DIR)/bin/httpd
-	@for F in $(INSTALL_DIR)/bin/httpd `cat httpd-modules`; do \
-		ldd $$F >> $@ || exit 1; done
-
-.INTERMEDIATE: httpd-deps
-httpd-deps: httpd-ldd
-	@cat $< | awk '{if ($$2 =="=>") {split($$1,s,/\./); print s[1]}}' \
-		| sort | uniq | grep -v -x $(patsubst %,-e %,$(GLIBC_DEPS)) > $@
-
-# Generating manifest rules for Apache modules
-.INTERMEDIATE: httpd-trusted-mods
-httpd-trusted-mods: httpd-modules
-	@for F in `cat httpd-modules`; do \
-		N=`echo $$F | awk '{n=split($$1,s,/\/|\./); print s[n-1]}'`; \
-		echo -n "sgx.trusted_files.$$N = \\\"file:$$F\\\"\\\\n"; \
-	done > $@
-
-# Generating manifest rules for Apache dependencies
-.INTERMEDIATE: httpd-trusted-libs
-httpd-trusted-libs: httpd-deps httpd-modules $(INSTALL_DIR)/bin/httpd
-	@HTTPD_LIBS="$(INSTALL_DIR)/bin/httpd `cat httpd-modules`" && \
-	for F in `cat httpd-deps`; do \
-		P=`ldd $$HTTPD_LIBS | grep $$F | awk '{print $$3; exit}'`; \
-		N=`echo $$F | tr --delete '-'`; \
-		echo -n "sgx.trusted_files.$$N = \\\"file:$$P\\\"\\\\n"; \
-	done > $@
-
-httpd.manifest: httpd.manifest.template httpd-trusted-mods httpd-trusted-libs
+httpd.manifest: httpd.manifest.template
 	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
 	    -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
 	    -e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
 	    -e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
-	    -e 's|$$(HTTPD_TRUSTED_MODS)|'"`cat httpd-trusted-mods`"'|g' \
-	    -e 's|$$(HTTPD_TRUSTED_LIBS)|'"`cat httpd-trusted-libs`"'|g' \
 	    -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
 	    $< > $@
 

Examples/apache/httpd.manifest.template

@@ -68,40 +68,16 @@ sgx.thread_num = 32
 # SGX trusted files
 
 sgx.trusted_files.httpd = "file:$(INSTALL_DIR)/bin/httpd"
-
-# Glibc libraries
-sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
-sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
-sgx.trusted_files.libm = "file:$(GRAPHENEDIR)/Runtime/libm.so.6"
-sgx.trusted_files.libdl = "file:$(GRAPHENEDIR)/Runtime/libdl.so.2"
-sgx.trusted_files.librt = "file:$(GRAPHENEDIR)/Runtime/librt.so.1"
-sgx.trusted_files.libutil = "file:$(GRAPHENEDIR)/Runtime/libutil.so.1"
-sgx.trusted_files.libpthread = "file:$(GRAPHENEDIR)/Runtime/libpthread.so.0"
+sgx.trusted_files.runtime = "file:$(GRAPHENEDIR)/Runtime/"
 
 # Other libraries required by Apache
-sgx.trusted_files.libgcc_s = "file:$(ARCH_LIBDIR)/libgcc_s.so.1"
-sgx.trusted_files.nss_files = "file:$(ARCH_LIBDIR)/libnss_files.so.2"
-sgx.trusted_files.libnsscompat = "file:$(ARCH_LIBDIR)/libnss_compat.so.2"
-sgx.trusted_files.libnssnis  = "file:$(ARCH_LIBDIR)/libnss_nis.so.2"
-sgx.trusted_files.libnsl = "file:$(ARCH_LIBDIR)/libnsl.so.1"
-
-# Apache modules and dependencies
-$(HTTPD_TRUSTED_MODS)
-$(HTTPD_TRUSTED_LIBS)
-
-# Apache configuration (trusted)
-sgx.trusted_files.conf1 = "file:$(INSTALL_DIR)/conf/httpd-graphene.conf"
-sgx.trusted_files.conf2 = "file:$(INSTALL_DIR)/conf/extra/httpd-ssl-graphene.conf"
-sgx.trusted_files.conf3 = "file:$(INSTALL_DIR)/conf/mime.types"
-
-# Apache SSL/TLS files (trusted)
-sgx.trusted_files.server_cert = "file:$(INSTALL_DIR)/conf/server.crt"
-sgx.trusted_files.server_key  = "file:$(INSTALL_DIR)/conf/server.key"
-
-# Apache HTTP documents (trusted)
-# We only specify those documents used in our tests/benchmarks.
-sgx.trusted_files.htdocs1 = "file:$(INSTALL_DIR)/htdocs/index.html"
-sgx.trusted_files.htdocs2 = "file:$(INSTALL_DIR)/htdocs/random/10K.1.html"
+sgx.trusted_files.arch_libdir = "file:$(ARCH_LIBDIR)/"
+sgx.trusted_files.usr_arch_libdir = "file:/usr/$(ARCH_LIBDIR)/"
+
+# Apache data (trusted)
+sgx.trusted_files.conf = "file:$(INSTALL_DIR)/conf"
+sgx.trusted_files.htdocs = "file:$(INSTALL_DIR)/htdocs"
+sgx.trusted_files.modules = "file:$(INSTALL_DIR)/modules"
 
 # Apache logs directory (untrusted and allowed, since log files are not security-critical)
 sgx.allowed_files.logs = "file:$(INSTALL_DIR)/logs"

Examples/bash/Makefile

@@ -25,21 +25,12 @@ endif
 
 include ../../Scripts/Makefile.configs
 
-# Generate manifest rules for Bash dependencies.
-# We'll duplicate some Glibc libraries (which Graphene provides in a customized version), but
-# there's no harm in this.
-PROGRAMS = bash ls cat rm cp date
-.INTERMEDIATE: trusted-libs
-trusted-libs: ../common_tools/get_deps.sh
-	../common_tools/get_deps.sh $(foreach exec,$(PROGRAMS),$(shell which $(exec))) > $@
-
-bash.manifest: manifest.template trusted-libs
-	(sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
-	     -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
-	     -e 's|$$(EXECDIR)|'"$(shell dirname $(shell which bash))"'|g' \
-	     -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
-	     $<; \
-	cat trusted-libs) > $@
+bash.manifest: manifest.template
+	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
+	    -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
+	    -e 's|$$(EXECDIR)|'"$(shell dirname $(shell which bash))"'|g' \
+	    -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
+	    $< >$@
 
 # Generating the SGX-specific manifest (*.manifest.sgx), the enclave signature,
 # and the token for enclave initialization.
@@ -86,7 +77,7 @@ regression: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig trusted-libs pal_loader OUTPUT scripts/testdir/*
+	$(RM) *.manifest *.manifest.sgx *.token *.sig pal_loader OUTPUT scripts/testdir/*
 
 .PHONY: distclean
 distclean: clean

Examples/bash/manifest.template

@@ -53,28 +53,11 @@ sgx.thread_num = 4
 
 # SGX trusted files
 
-sgx.trusted_files.bash = "file:$(EXECDIR)/bash"
-sgx.trusted_files.ls = "file:$(EXECDIR)/ls"
-sgx.trusted_files.cat = "file:$(EXECDIR)/cat"
-sgx.trusted_files.rm = "file:$(EXECDIR)/rm"
-sgx.trusted_files.cp = "file:$(EXECDIR)/cp"
-sgx.trusted_files.date = "file:$(EXECDIR)/date"
-sgx.trusted_files.readlink = "file:$(EXECDIR)/readlink"
+sgx.trusted_files.execs = "file:$(EXECDIR)/"
+sgx.trusted_files.runtime = "file:$(GRAPHENEDIR)/Runtime/"
+sgx.trusted_files.arch_libdir = "file:$(ARCH_LIBDIR)/"
+sgx.trusted_files.usr_arch_libdir = "file:/usr/$(ARCH_LIBDIR)/"
 
-# Glibc libraries
-sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
-sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
-sgx.trusted_files.libm = "file:$(GRAPHENEDIR)/Runtime/libm.so.6"
-sgx.trusted_files.libdl = "file:$(GRAPHENEDIR)/Runtime/libdl.so.2"
-sgx.trusted_files.librt = "file:$(GRAPHENEDIR)/Runtime/librt.so.1"
-sgx.trusted_files.libutil = "file:$(GRAPHENEDIR)/Runtime/libutil.so.1"
-sgx.trusted_files.libpthread = "file:$(GRAPHENEDIR)/Runtime/libpthread.so.0"
-
-# Name Service Switch (NSS) libraries (Glibc dependencies)
-sgx.trusted_files.libnsscompat = "file:$(ARCH_LIBDIR)/libnss_compat.so.2"
-sgx.trusted_files.libnssfiles = "file:$(ARCH_LIBDIR)/libnss_files.so.2"
-sgx.trusted_files.libnssnis = "file:$(ARCH_LIBDIR)/libnss_nis.so.2"
-
-sgx.allowed_files.scripts = "file:scripts"
+sgx.allowed_files.scripts = "file:scripts/"
 
 sgx.nonpie_binary = 1

Examples/blender/Makefile

@@ -45,19 +45,14 @@ $(BLENDER_DIR)/blender:
 $(RUN_DIR):
 	mkdir -p $@
 
-.INTERMEDIATE: trusted-libs
-trusted-libs: ../common_tools/get_deps.sh $(BLENDER_DIR)/blender
-	../common_tools/get_deps.sh $(BLENDER_DIR)/blender > $@
-
-blender.manifest: blender.manifest.template trusted-libs | $(RUN_DIR)
-	(sed -e 's|$$(GRAPHENE_DIR)|'"$(GRAPHENE_DIR)"'|g' \
-	     -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
-	     -e 's|$$(DATA_DIR)|'"$(DATA_DIR)"'|g' \
-	     -e 's|$$(BLENDER_DIR)|'"$(BLENDER_DIR)"'|g' \
-	     -e 's|$$(BLENDER_VER)|'"$(BLENDER_VER)"'|g' \
-	     -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
-	     $<; \
-    cat trusted-libs) > $@
+blender.manifest: blender.manifest.template | $(RUN_DIR)
+	sed -e 's|$$(GRAPHENE_DIR)|'"$(GRAPHENE_DIR)"'|g' \
+	    -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
+	    -e 's|$$(DATA_DIR)|'"$(DATA_DIR)"'|g' \
+	    -e 's|$$(BLENDER_DIR)|'"$(BLENDER_DIR)"'|g' \
+	    -e 's|$$(BLENDER_VER)|'"$(BLENDER_VER)"'|g' \
+	    -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
+	    $< >$@
 
 # Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
 # we need to hack around.
@@ -89,7 +84,7 @@ check: all
 .PHONY: clean
 clean:
 	$(RM) -r $(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig \
-	         blender.token trusted-libs
+	         blender.token
 
 .PHONY: distclean
 distclean: clean

Examples/blender/blender.manifest.template

@@ -56,17 +56,7 @@ sgx.thread_num = 64
 sgx.nonpie_binary = 1
 
 sgx.trusted_files.blender = "file:$(BLENDER_DIR)/blender"
-sgx.trusted_files.ld = "file:$(GRAPHENE_DIR)/Runtime/ld-linux-x86-64.so.2"
-sgx.trusted_files.libc = "file:$(GRAPHENE_DIR)/Runtime/libc.so.6"
-sgx.trusted_files.libdl = "file:$(GRAPHENE_DIR)/Runtime/libdl.so.2"
-sgx.trusted_files.libm = "file:$(GRAPHENE_DIR)/Runtime/libm.so.6"
-sgx.trusted_files.libpthread = "file:$(GRAPHENE_DIR)/Runtime/libpthread.so.0"
-sgx.trusted_files.libutil = "file:$(GRAPHENE_DIR)/Runtime/libutil.so.1"
-sgx.trusted_files.librt = "file:$(GRAPHENE_DIR)/Runtime/librt.so.1"
-
-# Loaded in runtime, ldd doesn't list them.
-sgx.trusted_files.libnuma = "file:/usr/$(ARCH_LIBDIR)/libnuma.so.1"
-sgx.trusted_files.libGL = "file:$(BLENDER_DIR)/lib/libGL.so.1"
-sgx.trusted_files.libglapi = "file:$(BLENDER_DIR)/lib/libglapi.so.0"
-sgx.trusted_files.libz = "file:$(ARCH_LIBDIR)/libz.so.1"
-sgx.trusted_files.libstdcpp = "file:/usr/$(ARCH_LIBDIR)/libstdc++.so.6"
+sgx.trusted_files.libGL = "file:$(BLENDER_DIR)/lib/"
+sgx.trusted_files.runtime = "file:$(GRAPHENE_DIR)/Runtime/"
+sgx.trusted_files.arch_libdir = "file:$(ARCH_LIBDIR)/"
+sgx.trusted_files.usr_arch_libdir = "file:/usr/$(ARCH_LIBDIR)/"

Examples/busybox/busybox.manifest.template

@@ -87,30 +87,9 @@ fs.mount.etc.uri = "file:/etc"
 # this happens on the client machine.
 
 sgx.trusted_files.busybox = "file:busybox"
-
-# Glibc libraries.
-sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
-sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
-sgx.trusted_files.libresolv = "file:$(GRAPHENEDIR)/Runtime/libresolv.so.2"
-sgx.trusted_files.libm = "file:$(GRAPHENEDIR)/Runtime/libm.so.6"
-
-# libcrypt is an explicit dependency of Busybox. We choose to install it on
-# host OS instead of downloading the sources, building, and linking Busybox
-# against the built library (which is possible but would require more effort).
-sgx.trusted_files.libcrypt = "file:$(ARCH_LIBDIR)/libcrypt.so.1"
-
-# Name Service Switch (NSS) libraries. Glibc calls these libraries as part of
-# name-service information gathering. libnss_{compat,files,nis} are the
-# most widely used libraries, at least on Ubuntu.
-# For more info, see 'man nsswitch.conf'.
-sgx.trusted_files.libnsscompat = "file:$(ARCH_LIBDIR)/libnss_compat.so.2"
-sgx.trusted_files.libnssfiles = "file:$(ARCH_LIBDIR)/libnss_files.so.2"
-sgx.trusted_files.libnssnis = "file:$(ARCH_LIBDIR)/libnss_nis.so.2"
-
-# libNSL is a dependency of libnss_compat above. It is a good example of nested
-# library dependencies required by Graphene-SGX.
-sgx.trusted_files.libnsl = "file:$(ARCH_LIBDIR)/libnsl.so.1"
-
+sgx.trusted_files.runtime = "file:$(GRAPHENEDIR)/Runtime/"
+sgx.trusted_files.arch_libdir = "file:$(ARCH_LIBDIR)/"
+sgx.trusted_files.usr_arch_libdir = "file:/usr/$(ARCH_LIBDIR)/"
 
 # Trusted non-library files include configuration files, read-only files, and
 # other static files. It is useful to specify such files here to make sure

Examples/capnproto/Makefile

@@ -53,20 +53,12 @@ $(SRCDIR)/addressbook: $(SRCDIR)/addressbook.c++ $(SRCDIR)/addressbook.capnp
 	cd $(SRCDIR) && c++ -std=c++14 -Wall addressbook.c++ addressbook.capnp.c++ \
 	                    `pkg-config --cflags --libs capnp` -o addressbook
 
-# Generate manifest rules for Addressbook dependencies.
-# We'll duplicate some Glibc libraries (which Graphene provides in a customized version), but
-# there's no harm in this.
-.INTERMEDIATE: trusted-libs
-trusted-libs: ../common_tools/get_deps.sh $(SRCDIR)/addressbook
-	../common_tools/get_deps.sh $(SRCDIR)/addressbook > $@
-
-
-addressbook.manifest: addressbook.manifest.template trusted-libs
-	(sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
-		-e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
-		-e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
-		$<; \
-	cat trusted-libs) > $@
+
+addressbook.manifest: addressbook.manifest.template
+	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
+	    -e 's|$$(GRAPHENE_LOG_LEVEL)|'"$(GRAPHENE_LOG_LEVEL)"'|g' \
+	    -e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
+	    $< >$@
 
 addressbook.manifest.sgx: addressbook.manifest addressbook
 	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \

Examples/capnproto/addressbook.manifest.template

@@ -44,11 +44,6 @@ sgx.enclave_size = "256M"
 sgx.thread_num = 8
 
 sgx.trusted_files.addressbook = "file:addressbook"
-
-# Glibc libraries
-sgx.trusted_files.ld = "file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2"
-sgx.trusted_files.libc = "file:$(GRAPHENEDIR)/Runtime/libc.so.6"
-sgx.trusted_files.libm = "file:$(GRAPHENEDIR)/Runtime/libm.so.6"
-sgx.trusted_files.libpthread = "file:$(GRAPHENEDIR)/Runtime/libpthread.so.0"
-sgx.trusted_files.libstdcpp = "file:$(GRAPHENEDIR)/Runtime/libstdc++.so.6"
-sgx.trusted_files.libgcc_s = "file:$(GRAPHENEDIR)/Runtime/libgcc_s.so.1"
+sgx.trusted_files.runtime = "file:$(GRAPHENEDIR)/Runtime/"
+sgx.trusted_files.arch_libdir = "file:$(ARCH_LIBDIR)/"
+sgx.trusted_files.usr_arch_libdir = "file:/usr/$(ARCH_LIBDIR)/"