Allow to skip SGX token generation

Documentation/index.rst

@@ -101,6 +101,11 @@ Gramine image.
    Allow untrusted arguments to be specified at :command:`docker run`. Otherwise
    any arguments specified during :command:`docker run` are ignored.
 
+.. option:: --skip-token-generation
+
+   Allows to skip SGX token generation (via :command:`gramine-sgx-get-token`).
+   Useful for DCAP platforms and read-only filesystems.
+
 .. option:: --no-cache
 
    Disable Docker's caches during :command:`gsc build`. This builds the

gsc.py

@@ -425,6 +425,9 @@ def gsc_info_image(args):
 sub_build.add_argument('--insecure-args', action='store_true',
     help='Allow to specify untrusted arguments during Docker run. '
          'Otherwise arguments are ignored.')
+sub_build.add_argument('--skip-token-generation', action='store_true',
+    help='Allows to skip SGX token generation (via `gramine-sgx-get-token`). '
+         'Useful for DCAP platforms and read-only filesystems.')
 sub_build.add_argument('-nc', '--no-cache', action='store_true',
     help='Build graminized Docker image without any cached images.')
 sub_build.add_argument('--rm', action='store_true',

templates/apploader.common.template

@@ -8,7 +8,9 @@ set -ex
 # Default to Linux-SGX if no PAL was specified
 if [ -z "$GSC_PAL" ] || [ "$GSC_PAL" == "Linux-SGX" ]
 then
+    {% if not skip_token_generation %}
     gramine-sgx-get-token --sig /entrypoint.sig --output /entrypoint.token
+    {% endif %}
     gramine-sgx /entrypoint {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %}
 else
     gramine-direct /entrypoint {{binary_arguments}} "${@}"