diff --git a/Documentation/.gitignore b/Documentation/.gitignore
new file mode 100644
index 00000000..e35d8850
--- /dev/null
+++ b/Documentation/.gitignore
@@ -0,0 +1 @@
+_build
diff --git a/Documentation/Doxyfile b/Documentation/Doxyfile
new file mode 100644
index 00000000..5ab3f354
--- /dev/null
+++ b/Documentation/Doxyfile
@@ -0,0 +1,18 @@
+PROJECT_NAME = "gsc"
+OUTPUT_DIRECTORY = _build/doxygen
+INPUT = ../src
+
+GENERATE_XML = YES
+XML_PROGRAMLISTING = NO
+XML_OUTPUT = xml
+
+GENERATE_HTML = NO
+GENERATE_LATEX = NO
+
+WARN_NO_PARAMDOC = YES
+WARN_AS_ERROR = NO
+OPTIMIZE_OUTPUT_FOR_C = YES
+EXTRACT_STATIC = YES
+
+ALIASES = "rst=\verbatim embed:rst:leading-asterisk"
+ALIASES += "endrst=\endverbatim"
diff --git a/Documentation/Makefile b/Documentation/Makefile
new file mode 100644
index 00000000..165d0976
--- /dev/null
+++ b/Documentation/Makefile
@@ -0,0 +1,22 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+SOURCEDIR = .
+BUILDDIR = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+ @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+clean:
+ $(RM) -r "$(BUILDDIR)"
+
+.PHONY: help Makefile Doxyfile clean
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/Documentation/_static/css/gramine.css b/Documentation/_static/css/gramine.css
new file mode 100644
index 00000000..3e6922a2
--- /dev/null
+++ b/Documentation/_static/css/gramine.css
@@ -0,0 +1,3 @@
+.rst-content dl:not(.docutils)>dt {
+ font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",Courier,monospace;
+}
diff --git a/Documentation/_templates/.gitignore b/Documentation/_templates/.gitignore
new file mode 100644
index 00000000..e69de29b
diff --git a/Documentation/conf.py b/Documentation/conf.py
new file mode 100644
index 00000000..b833060a
--- /dev/null
+++ b/Documentation/conf.py
@@ -0,0 +1,143 @@
+# pylint: skip-file
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+import collections
+import pathlib
+import subprocess
+
+# -- Project information -----------------------------------------------------
+
+project = 'GSC Contributions'
+copyright = '2021, GSC Contributors'
+author = 'GSC Contributors'
+
+# The short X.Y version
+version = ''
+# The full version, including alpha/beta/rc tags
+release = ''
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.autodoc',
+ 'sphinx.ext.todo',
+ 'breathe',
+ 'sphinx_rtd_theme',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+source_suffix = {
+ '.rst': 'restructuredtext',
+}
+
+# The master toctree document.
+master_doc = 'index'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = None
+
+highlight_language = 'python3'
+primary_domain = 'py'
+
+rst_prolog = '''
+.. |~| unicode:: 0xa0
+ :trim:
+'''
+
+breathe_projects = {
+ 'gsc': '_build/doxygen/xml',
+}
+
+def generate_doxygen(app):
+ subprocess.check_call(['doxygen', 'Doxyfile'])
+
+def setup(app):
+ app.add_stylesheet('css/gramine.css')
+ app.connect('builder-inited', generate_doxygen)
+
+breathe_domain_by_extension = {
+ 'h': 'c',
+}
+
+todo_include_todos = True
+
+nitpicky = True
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'sphinx_rtd_theme'
+html_theme_options = {
+ 'logo_only': True,
+}
+html_logo = 'gramine_logo.svg'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself. Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+]
+
+# barf if a page is not included
+assert (collections.Counter(str(p.with_suffix(''))
+ for p in pathlib.Path().glob('manpages/*.rst')
+ if not p.stem == 'index')
+ == collections.Counter(source
+ for source, *_ in man_pages))
diff --git a/Documentation/gramine_logo.svg b/Documentation/gramine_logo.svg
new file mode 100644
index 00000000..80fff2ae
--- /dev/null
+++ b/Documentation/gramine_logo.svg
@@ -0,0 +1,37 @@
+
+
diff --git a/Documentation/img/.gitignore b/Documentation/img/.gitignore
new file mode 100644
index 00000000..e69de29b
diff --git a/Documentation/index.rst b/Documentation/index.rst
new file mode 100644
index 00000000..303e07bf
--- /dev/null
+++ b/Documentation/index.rst
@@ -0,0 +1,518 @@
+.. program:: gsc
+
+=============================================
+:program:`gsc` -- Gramine Shielded Containers
+=============================================
+
+.. warning::
+ GSC is still under development and must not be used in production! Please
+ see `issue #13 `__ for a
+ description of missing features and security caveats.
+
+Synopsis
+========
+
+:command:`gsc` *COMMAND* [*OPTIONS*] ...
+
+Description
+===========
+
+Docker containers are widely used to deploy applications in the cloud. Using
+Gramine Shielded Containers (GSC) we provide the infrastructure to deploy Docker
+containers protected by Intel SGX enclaves using the Gramine Library OS.
+
+The :program:`gsc` tool transforms a Docker image into a new image
+(called ``gsc-``) which includes the Gramine Library OS, manifest
+files, Intel SGX related information, and executes the application inside an
+Intel SGX enclave using the Gramine Library OS. It follows the common Docker
+approach to first build an image and subsequently run a container of an image.
+At first a Docker image has to be graminized via the :command:`gsc build`
+command. When the graminized image should run within an Intel SGX enclave, the
+image has to be signed via a :command:`gsc sign-image` command. Subsequently,
+the image can be run using :command:`docker run`.
+
+Prerequisites
+=============
+
+The installation descriptions of prerequisites are for Ubuntu 18.04 and may
+differ when using a different Ubuntu version or Linux distribution.
+
+Software packages
+-----------------
+
+Please install the ``docker.io``, ``python3``, ``python3-pip`` packages. In
+addition, install the Docker client, Jinja2, TOML, and YAML python packages via
+pip. GSC requires Python 3.6 or later.
+
+.. code-block:: sh
+
+ sudo apt-get install docker.io python3 python3-pip
+ pip3 install docker jinja2 toml pyyaml
+
+SGX software stack
+------------------
+
+To run with Intel SGX, please install the corresponding software stack as
+described in https://gramine.readthedocs.io/en/latest/building.html.
+
+Host configuration
+------------------
+
+To create Docker images, the user must have access to Docker daemon.
+
+.. warning::
+ Please use this step with caution. By granting the user access to the Docker
+ group, the user may acquire root privileges via :command:`docker run`.
+
+.. code-block:: sh
+
+ sudo adduser $USER docker
+
+Create a configuration file called :file:`config.yaml` or specify a different
+configuration file via :program:`gsc` option. Please see the documentation on
+configuration options below and use the :file:`config.yaml.template` as
+reference.
+
+Command line arguments
+======================
+
+.. option:: --help
+
+ Display usage.
+
+.. program:: gsc-build
+
+:command:`gsc build` -- build graminized image
+-----------------------------------------------
+
+Builds an unsigned graminized Docker image of an application image called
+``gsc--unsigned`` by compiling Gramine or relying on a prebuilt
+Gramine image.
+
+:command:`gsc build` [*OPTIONS*] <*IMAGE-NAME*> <*APP.MANIFEST*>
+
+.. option:: -d
+
+ Compile Gramine with debug flags and debug output. If configured to use a
+ prebuilt Gramine image, the image has to support this option.
+
+.. option:: -L
+
+ Compile Gramine with Linux PAL in addition to Linux-SGX PAL. If configured
+ to use a prebuilt Gramine image, the image has to support this option.
+
+.. option:: --insecure-args
+
+ Allow untrusted arguments to be specified at :command:`docker run`. Otherwise
+ any arguments specified during :command:`docker run` are ignored.
+
+.. option:: --no-cache
+
+ Disable Docker's caches during :command:`gsc build`. This builds the
+ unsigned graminized image from scratch.
+
+.. option:: --rm
+
+ Remove intermediate Docker images created by :command:`gsc build`, if the
+ image build is successful.
+
+.. option:: --build-arg
+
+ Set build-time variables during :command:`gsc build` (same as `docker build
+ --build-arg`).
+
+.. option:: -c
+
+ Specify configuration file. Default: :file:`config.yaml`.
+
+.. option:: IMAGE-NAME
+
+ Name of the application Docker image.
+
+.. option:: APP.MANIFEST
+
+ Manifest file (Gramine configuration).
+
+.. program:: gsc-sign-image
+
+:command:`gsc sign-image` -- signs a graminized image
+------------------------------------------------------
+
+Signs the enclave of an unsigned graminized Docker image and creates a new
+Docker image called ``gsc-``. :command:`gsc sign-image` always
+removes intermediate Docker images, if successful or not, to ensure the removal
+of the signing key in them.
+
+:command:`gsc sign-image` [*OPTIONS*] <*IMAGE-NAME*> <*KEY-FILE*>
+
+.. option:: -c
+
+ Specify configuration file. Default: :file:`config.yaml`
+
+.. option:: IMAGE-NAME
+
+ Name of the application Docker image
+
+.. option:: KEY-FILE
+
+ Used to sign the Intel SGX enclave
+
+.. program:: gsc-build-gramine
+
+:command:`gsc build-gramine` -- build Gramine-only Docker image
+-----------------------------------------------------------------
+
+Builds a base Docker image including the Gramine sources and compiled runtime.
+This base image can be used as input for :command:`gsc build` via configuration
+parameter `Gramine.Image`.
+
+:command:`gsc build-gramine` [*OPTIONS*] <*IMAGE-NAME*>
+
+.. option:: -d
+
+ Compile Gramine with debug flags and debug output. Allows :command:`gsc
+ build` commands to include debug runtime using :option:`-d `.
+
+.. option:: -L
+
+ Compile Gramine with Linux PAL in addition to Linux-SGX PAL. Allows
+ :command:`gsc build` commands to include the Linux PAL using :option:`-L
+ `.
+
+.. option:: --no-cache
+
+ Disable Docker's caches during :command:`gsc build-gramine`. This builds the
+ unsigned graminized image from scratch.
+
+.. option:: --rm
+
+ Remove intermediate Docker images created by :command:`gsc build-gramine`,
+ if the image build is successful.
+
+.. option:: --build-arg
+
+ Set build-time variables during :command:`gsc build-gramine` (same as
+ `docker build --build-arg`).
+
+.. option:: -c
+
+ Specify configuration file. Default: :file:`config.yaml`
+
+.. option:: -f
+
+ Stop after Dockerfile is created and do not build the Docker image.
+
+.. option:: IMAGE-NAME
+
+ Name of the resulting Gramine Docker image
+
+.. program:: gsc-info-image
+
+:command:`gsc info-image` -- retrieve information about graminized Docker image
+--------------------------------------------------------------------------------
+
+Retrieves Intel SGX relevant information about the graminized Docker image such
+as the ``MRENCLAVE`` and ``MRSIGNER`` measurements for each application in the
+Docker image.
+
+Synopsis:
+
+:command:`gsc info-image` <*IMAGE-NAME*>
+
+.. option:: IMAGE-NAME
+
+ Name of the graminized Docker image
+
+Using Gramine's trusted command line arguments
+----------------------------------------------
+
+Most executables aren't designed to run with attacker-controlled arguments.
+Allowing an attacker to control executable arguments can break the security of
+the resulting enclave.
+
+:command:`gsc build` uses the existing Docker image's entrypoint and cmd fields
+to identify the trusted arguments. These arguments are stored in
+:file:`trusted_argv`. This file is only generated when :option:`--insecure-args
+` is *not* specified. As a result any arguments
+specified during :command:`docker run` are ignored.
+
+To be able to provide arguments at runtime, the image build has to enable this
+via the option :option:`--insecure-args `.
+
+Stages of building graminized SGX Docker images
+------------------------------------------------
+
+The build process of a graminized Docker image from image ````
+follows three main stages and produces an image named ``gsc-``.
+:command:`gsc build-gramine` performs only the first stage,
+:command:`gsc build` performs the first two stages, and finally
+:command:`gsc sign-image` performs the last stage.
+
+#. **Building Gramine.** The first stage builds Gramine from sources based on
+ the provided configuration (see :file:`config.yaml`) which includes the
+ distribution (e.g., Ubuntu 18.04), Gramine repository, and the Intel SGX
+ driver details. This stage can be skipped if :command:`gsc build` uses a
+ pre-built Gramine Docker image.
+
+#. **Graminizing the application image.** The second stage copies the important
+ Gramine artifacts (e.g., the runtime and signer tool) from the first stage
+ (or if the first stage was skipped, it pulls a prebuilt Docker image defined
+ via the configuration file). It then prepares image-specific variables such
+ as the executable path and the library path, and scans the entire image to
+ generate a list of trusted files. GSC excludes files and paths starting with
+ :file:`/boot`, :file:`/dev`, :file:`.dockerenv`, :file:`.dockerinit`,
+ :file:`/etc/mtab`, :file:`/etc/rc`, :file:`/proc`, :file:`/sys`, and
+ :file:`/var`, since checksums are required which either don't exist or may
+ vary across different deployment machines. GSC combines these variables and
+ list of trusted files into a new manifest file. In a last step the entrypoint
+ is changed to launch the :file:`apploader.sh` script which generates an Intel
+ SGX token and starts the :program:`gramine-sgx` loader. Note that the
+ generated image (``gsc--unsigned``) cannot successfully load an
+ Intel SGX enclave, since essential files and the signature of the enclave are
+ still missing (see next stage).
+
+#. **Signing the Intel SGX enclave.** The third stage uses Gramine's signer
+ tool to generate SIGSTRUCT files for SGX enclave initialization. This tool
+ also generates an SGX-specific manifest file. The required signing key is
+ provided by the user via the :command:`gsc sign-image` command and copied
+ into this Docker build stage. The generated image is called
+ ``gsc-`` and includes all necessary files to start an Intel SGX
+ enclave.
+
+In the future we plan to provide prebuilt Gramine images for popular
+cloud-provider offerings.
+
+Generating a signed graminized Docker image
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The last stage combines the graminized Docker image with the signed enclave and
+manifest files. Therefore it copies the SIGSTRUCT files and the SGX-specific
+manifest file from the previous stage into the graminized Docker image from the
+second stage.
+
+Configuration
+=============
+
+GSC is configured via a configuration file called :file:`config.yaml` or
+specified as a :program:`gsc` option. A template configuration file is provided
+in :file:`config.yaml.template`.
+
+.. describe:: Distro
+
+ Defines Linux distribution to be used to build Gramine in. Currently the
+ only supported value is ``ubuntu18.04``.
+
+.. describe:: Gramine.Repository
+
+ Source repository of Gramine. Default value:
+ `https://github.com/gramineproject/gramine.git
+ `__.
+
+.. describe:: Gramine.Branch
+
+ Use this branch of the repository. Default value: master.
+
+.. describe:: Gramine.Image
+
+ Builds graminized Docker image based on a prebuilt Gramine Docker image.
+ These images are prepared via :command:`gsc build-gramine` and will be
+ provided for popular cloud-provider environments. `Gramine.Repository` and
+ `Gramine.Branch` are ignored in case `Gramine.Image` is specified.
+
+.. describe:: SGXDriver.Repository
+
+ Source repository of the Intel SGX driver. Default value: ""
+ (in-kernel driver)
+
+.. describe:: SGXDriver.Branch
+
+ Use this branch of the repository. Default value: ""
+ (in-kernel driver)
+
+Run graminized Docker images
+=============================
+
+Execute :command:`docker run` command via Docker CLI and provide gsgx and
+isgx/sgx devices and the PSW/AESM socket. Additional Docker options and
+executable arguments may be supplied to the :command:`docker run` command.
+
+.. warning::
+ Forwarding devices to a container lowers security of the host. GSC should
+ never be used as a sandbox for applications (i.e. it only shields the app
+ from the host but not vice versa).
+
+.. program:: docker
+
+:command:`docker run` [*OPTIONS*] gsc-<*IMAGE-NAME*> [<*ARGUMENTS*>]
+
+.. option:: OPTIONS
+
+ :command:`docker run` options. Common options include ``-it`` (interactive
+ with terminal), ``-d`` (detached), ``--device`` (forward device). Please see
+ `Docker manual `__
+ for details.
+
+.. option:: IMAGE-NAME
+
+ Name of original image (without GSC build).
+
+.. option:: ARGUMENTS
+
+ Arguments to be supplied to the executable launching inside the Docker
+ container and Gramine. Such arguments may only be provided when
+ :option:`--insecure-args ` was specified during
+ :command:`gsc build`.
+
+
+Execute with Linux PAL instead of Linux-SGX PAL
+-----------------------------------------------
+
+When specifying :option:`-L ` during GSC :command:`gsc build`,
+you may select the Linux PAL at Docker run time instead of the Linux-SGX PAL by
+specifying the environment variable :envvar:`GSC_PAL` as an option to the
+:command:`docker run` command. When using the Linux PAL, it is not necessary to
+sign the image via a :command:`gsc sign-image` command.
+
+.. envvar:: GSC_PAL
+
+ This environment variable specifies the pal loader.
+
+.. code-block:: sh
+
+ docker run ... --env GSC_PAL=Linux gsc- ...
+
+Example
+=======
+
+.. warning::
+ Example below relies on insecure arguments to be able to run Python with
+ arbitrary arguments. This is not intended for production environments.
+
+The example below shows how to graminize the public Docker image of Python3.
+This example assumes that all prerequisites are installed and configured.
+
+#. Create a configuration file:
+
+ .. code-block:: sh
+
+ cp config.yaml.template config.yaml
+ # Manually adopt config.yaml to the installed Intel SGX driver and desired
+ # Gramine repository/version.
+
+#. Generate the signing key (if you don't already have a key):
+
+ .. code-block:: sh
+
+ openssl genrsa -3 -out enclave-key.pem 3072
+
+#. Pull public Python image from Dockerhub:
+
+ .. code-block:: sh
+
+ docker pull python
+
+#. Graminize the Python image using :command:`gsc build`:
+
+ .. code-block:: sh
+
+ ./gsc build --insecure-args python test/generic.manifest
+
+#. Sign the graminized Docker image using :command:`gsc sign-image`:
+
+ .. code-block:: sh
+
+ ./gsc sign-image python enclave-key.pem
+
+#. Retrieve SGX-related information from graminized image using :command:`gsc info-image`:
+
+ .. code-block:: sh
+
+ ./gsc info-image gsc-python
+
+#. Test the graminized Docker image (change ``--device=/dev/sgx_enclave`` to
+ your version of the Intel SGX driver if needed):
+
+ .. code-block:: sh
+
+ docker run --device=/dev/sgx_enclave \
+ -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
+ gsc-python -c 'print("HelloWorld!")'
+
+#. You can also start a Bash interactive session in the graminized Docker
+ image (useful for debugging):
+
+ .. code-block:: sh
+
+ docker run --device=/dev/sgx_enclave \
+ -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
+ -it --entrypoint /bin/bash gsc-python
+
+Limitations
+===========
+
+This document focuses on the most important limitations of GSC. `Issue #13
+`__ provides the complete list
+of known limitations and serves as a discussion board for workarounds.
+
+Dependency on Ubuntu 18.04
+--------------------------
+
+Docker images not based on Ubuntu 18.04 may not be compatible with GSC. GSC
+relies on Gramine to execute Linux applications inside Intel SGX enclaves and
+the installation of prerequisites depends on package manager and package
+repositories. GSC can simply be extended to support other distributions by
+providing a template for this distribution in :file:`templates/`.
+
+Trusted data in Docker volumes
+------------------------------
+
+Data mounted as Docker volumes at runtime is not included in the general search
+for trusted files during the image build. As a result, Gramine denies access to
+these files, since they are neither allowed nor trusted files. This will likely
+break applications using files stored in Docker volumes.
+
+Workaround
+^^^^^^^^^^
+
+Trusted files can be added to image-specific manifest file (first argument to
+:command:`gsc build` command) at build time. This workaround does not allow
+these files to change between build and run, or over multiple runs. This only
+provides integrity for files and not confidentiality.
+
+Allowing dynamic file contents via Gramine protected files
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Docker volumes can include Gramine protected files. As a result Gramine can
+open these protected files without knowing the exact contents as long as the
+protected file was configured in the manifest. The complete and secure use of
+protected files may require additional steps.
+
+Integration of Docker Secrets
+-----------------------------
+
+Docker Secrets are automatically pulled by Docker and the results are stored
+either in environment variables or mounted as files. GSC is currently unaware of
+such files and hence, cannot mark them trusted. Similar to trusted data, these
+files may be added to the manifest.
+
+Access to files in excluded paths
+---------------------------------
+
+The manifest generation excludes all files and paths starting with :file:`/boot`
+, :file:`/dev`, :file:`.dockerenv`, :file:`.dockerinit`, :file:`/etc/mtab`,
+:file:`/etc/rc`, :file:`/proc`, :file:`/sys`, and :file:`/var` from the list of
+trusted files. If your application relies on some files in these directories,
+you must manually add them to the manifest::
+
+ sgx.trusted_files = [ "file:file1", "file:file2" ]
+ or
+ sgx.allowed_files = [ "file:file3", "file:file4" ]
+
+Docker images with non-executables as entrypoint
+------------------------------------------------
+
+Docker images may contain a script entrypoint which is not an ELF executable.
+:program:`gsc` fails to recognize such entrypoints and fails during the image
+build. A workaround relies on creating an image from the application image which
+has an entrypoint of the script interpreter with the script as an argument. This
+allows :program:`gsc` to start the interpreter instead of the script.
diff --git a/Documentation/requirements.txt b/Documentation/requirements.txt
new file mode 100644
index 00000000..e0b27586
--- /dev/null
+++ b/Documentation/requirements.txt
@@ -0,0 +1,3 @@
+sphinx==1.8.0
+breathe<4.13.0
+sphinx_rtd_theme<1
diff --git a/test/generic.manifest b/test/generic.manifest
new file mode 100644
index 00000000..187b2fc1
--- /dev/null
+++ b/test/generic.manifest
@@ -0,0 +1,2 @@
+sgx.enclave_size = "4G"
+sgx.thread_num = 8