> Once again, let me describe my algorithm.
> 1. I first put several data archives into a folder on the HDD, e.g., "/data"
> 2. Second, I specify the whole "/data" folder (not a list of individual files, because files can be added to this folder at runtime) in the manifest within the sgx.allowed_files section
> 3. Next, inside the enclave I run "cp /data/* /tmpfs -R"
> 4. Finally, I run apps inside the enclave with these files being passed as inputs.
>
> Could you please confirm that this would work?
Yes, this flow looks good to me. I'm assuming that data archives under
`/data/` are all encrypted with your secret key. I'm also assuming
that somewhere at step 3, you copy the contents of each of the
`/data/` files in enclave memory, decrypt the contents, and then
create files under `/tmp/` and write the decrypted contents into them
(in other words, a simple `cp /data/* /tmp/` makes no sense because it
copies encrypted contents to other encrypted contents).
With all these details in mind, yes, your flow makes perfect sense and
is doable in Gramine-SGX (bar some bugs, but in this case report them
and we'll fix them). Also, see Borys's reply, which basically says the
same.
By the way, your Gramine manifest file must contain something like this then:
```toml
fs.mounts = [
...
{ type = "chroot", path = "/data/", uri = "file:/data/" },
{ type = "tmpfs", path = "/tmp" },
]
sgx.allowed_files = [
...
"file:/data/",
]
```
On Tue, Jul 5, 2022 at 1:48 PM Stanislav Iablokov
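As an added example (not from this thread and not Gramine's own code), here is what the "copy" at step 3 looks like when written as a small Go program run inside the enclave rather than as `cp`: each blob under the `/data/` chroot mount is read into enclave memory, authenticated and decrypted with AES-256-GCM, and only the plaintext is written under the `/tmp` tmpfs mount. The key, the nonce || ciphertext || tag blob layout, a flat `/data/` directory and the function names are assumptions; the point of the GCM tag is that `sgx.allowed_files` are not integrity-checked by Gramine, so a file modified on the host must be rejected here instead of being handed to the app.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"os"
	"path/filepath"
)

// decryptArchive authenticates and decrypts one blob laid out as
// nonce || ciphertext || GCM tag (assumed layout; key is the enclave's secret).
func decryptArchive(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	// Open fails (and returns no plaintext) if the host tampered with the file.
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// stageDir is the in-enclave replacement for "cp /data/* /tmp": every file under
// src is read into enclave memory, decrypted, and its plaintext written under dst
// (the tmpfs mount). Returns the number of files staged; a bad file aborts the run.
func stageDir(src, dst string, key []byte) (int, error) {
	entries, err := os.ReadDir(src)
	if err != nil {
		return 0, err
	}
	for i, e := range entries {
		blob, err := os.ReadFile(filepath.Join(src, e.Name()))
		if err != nil {
			return i, err
		}
		pt, err := decryptArchive(key, blob)
		if err != nil {
			return i, fmt.Errorf("%s: %w", e.Name(), err)
		}
		if err := os.WriteFile(filepath.Join(dst, e.Name()), pt, 0o600); err != nil {
			return i, err
		}
	}
	return len(entries), nil
}
```

The apps at step 4 then read only from `/tmp`, which exists solely in enclave memory, so the host never sees plaintext on disk.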