diff --git a/blender/.gitignore b/blender/.gitignore
new file mode 100644
index 0000000..ce6cb4b
--- /dev/null
+++ b/blender/.gitignore
@@ -0,0 +1,3 @@
+blender_dir/
+blender.tar.xz
+run_dir/
diff --git a/blender/Makefile b/blender/Makefile
new file mode 100644
index 0000000..495ca8d
--- /dev/null
+++ b/blender/Makefile
@@ -0,0 +1,81 @@
+# assumes this makefile lies in cwd
+PWD := $(shell pwd)
+
+GRAPHENE_DIR = $(PWD)/../../../../..
+
+BLENDER_DIR = $(PWD)/blender_dir
+BLENDER_URL ?= https://ftp.nluug.nl/pub/graphics/blender/release/Blender2.82/blender-2.82-linux64.tar.xz
+BLENDER_SHA256 ?= b13600fa2ca23ea1bba511e3a6599b6792acde80b180707c3ea75db592a9b916
+BLENDER_VER = 2.82
+
+DATA_DIR = $(PWD)/data
+RUN_DIR = $(PWD)/run_dir
+
+UBUNTU_VER = $(shell lsb_release --short --id)$(shell lsb_release --short --release)
+
+ifeq ($(UBUNTU_VER), Ubuntu18.04)
+else ifeq ($(UBUNTU_VER), Ubuntu16.04)
+else
+$(error This example requires Ubuntu 16.04 or 18.04)
+endif
+
+ifeq ($(DEBUG),1)
+GRAPHENE_DEBUG = inline
+else
+GRAPHENE_DEBUG = none
+endif
+
+
+.PHONY: all
+all: $(BLENDER_DIR)/blender $(RUN_DIR)/blender.manifest $(RUN_DIR)/pal_loader $(DATA_DIR)/images
+ifeq ($(SGX),1)
+all: $(RUN_DIR)/blender.manifest.sgx
+endif
+
+$(BLENDER_DIR)/blender:
+ $(GRAPHENE_DIR)/Scripts/download --output blender.tar.xz \
+ --sha256 $(BLENDER_SHA256) --url $(BLENDER_URL)
+ mkdir $(BLENDER_DIR)
+ tar -C $(BLENDER_DIR) --strip-components=1 -xf blender.tar.xz
+
+$(RUN_DIR):
+ mkdir -p $@
+
+$(RUN_DIR)/blender.manifest: blender.manifest.template $(RUN_DIR)
+ sed -e 's|$$(GRAPHENE_DIR)|'"$(GRAPHENE_DIR)"'|g' \
+ -e 's|$$(GRAPHENE_DEBUG)|'"$(GRAPHENE_DEBUG)"'|g' \
+ -e 's|$$(DATA_DIR)|'"$(DATA_DIR)"'|g' \
+ -e 's|$$(BLENDER_DIR)|'"$(BLENDER_DIR)"'|g' \
+ -e 's|$$(BLENDER_VER)|'"$(BLENDER_VER)"'|g' \
+ -e 's|# \['"$(UBUNTU_VER)"'\] ||g' \
+ $< > $@
+
+$(RUN_DIR)/blender.manifest.sgx: $(BLENDER_DIR)/blender $(RUN_DIR)/blender.manifest $(GRAPHENE_DIR)/Runtime/libpal-Linux-SGX.so $(RUN_DIR)
+ $(GRAPHENE_DIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
+ -output $@ \
+ -libpal $(GRAPHENE_DIR)/Runtime/libpal-Linux-SGX.so \
+ -key $(GRAPHENE_DIR)/Pal/src/host/Linux-SGX/signer/enclave-key.pem \
+ -manifest $(RUN_DIR)/blender.manifest \
+ -exec $<
+ $(GRAPHENE_DIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \
+ -output 
$(RUN_DIR)/blender.token \
+ -sig $(RUN_DIR)/blender.sig
+
+$(RUN_DIR)/pal_loader:
+ ln -s $(GRAPHENE_DIR)/Runtime/pal_loader $@
+
+$(DATA_DIR)/images:
+ mkdir -p $@
+
+.PHONY: check
+check: all
+ cd $(RUN_DIR) && DATA_DIR=$(DATA_DIR) sh $(PWD)/test_all_scenes.sh
+
+.PHONY: clean
+clean:
+ $(RM) -r $(RUN_DIR) $(DATA_DIR)/images
+
+.PHONY: distclean
+distclean: clean
+ $(RM) -r $(BLENDER_DIR) blender.tar.xz
+
diff --git a/blender/blender.manifest.template b/blender/blender.manifest.template
new file mode 100644
index 0000000..09bfb73
--- /dev/null
+++ b/blender/blender.manifest.template
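Review bot: `$(RUN_DIR)` is a normal prerequisite of `$(RUN_DIR)/blender.manifest` and `$(RUN_DIR)/blender.manifest.sgx`, so every file written into that directory (the `pal_loader` symlink, `blender.token`, and the `blender.sig` the token step reads) bumps its mtime and makes the next `make` regenerate the manifest and re-sign the enclave. Make the directory an order-only prerequisite: `$(RUN_DIR)/blender.manifest: blender.manifest.template | $(RUN_DIR)` and `$(RUN_DIR)/blender.manifest.sgx: $(BLENDER_DIR)/blender $(RUN_DIR)/blender.manifest $(GRAPHENE_DIR)/Runtime/libpal-Linux-SGX.so | $(RUN_DIR)`. Since the `sed` recipe redirects straight into `$@`, a failing `sed` leaves a truncated manifest that later looks up to date; a `.DELETE_ON_ERROR:` line near the top of the file prevents that. The sgx rule also produces `blender.sig` and `blender.token` besides `$@`, which deserves a one-line comment above it (e.g. `# also writes blender.sig and blender.token into $(RUN_DIR); clean removes the whole directory`).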
@@ -0,0 +1,82 @@
+# INSECURE!!!
+# These 3 lines are insecure by design and should never be used in production environments.
+# There is a lot of files that Blender uses (e.g. bundled Python) and listing them here would
+# be counter productive, as they may change between Blender releases and this is just a testing
+# manifest.
+# Additionally, Blender scenes could allow for code execution (e.g. via bundled scripts), so
+# running untrusted scenes should not be allowed. This can be achieved for example by adding scenes
+# to trusted files or uploading them to a running and attested enclave via secured connection.
+sgx.allowed_files.blender_dir = file:$(BLENDER_DIR)/$(BLENDER_VER)/
+sgx.allowed_files.blender_input = file:$(DATA_DIR)/scenes/
+sgx.allowed_files.blender_output = file:$(DATA_DIR)/images/
+
+
+loader.exec = file:$(BLENDER_DIR)/blender
+loader.execname = blender
+
+loader.preload = file:$(GRAPHENE_DIR)/Runtime/libsysdb.so
+loader.debug_type = $(GRAPHENE_DEBUG)
+
+loader.env.LD_LIBRARY_PATH = /graphene_lib:/blender_lib:/usr/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu
+# Graphene implicitly copies host environment variables - overwriting troublesome one
+loader.env.PWD = 
+
+fs.mount.graphene_lib.type = chroot
+fs.mount.graphene_lib.path = /graphene_lib
+fs.mount.graphene_lib.uri = file:$(GRAPHENE_DIR)/Runtime
+
+fs.mount.blender_lib.type = chroot
+fs.mount.blender_lib.path = /blender_lib
+fs.mount.blender_lib.uri = file:$(BLENDER_DIR)/lib
+
+fs.mount.usr_lib.type = chroot
+fs.mount.usr_lib.path = /usr/lib/x86_64-linux-gnu
+fs.mount.usr_lib.uri = file:/usr/lib/x86_64-linux-gnu
+
+fs.mount.lib.type = chroot
+fs.mount.lib.path = /lib/x86_64-linux-gnu
+fs.mount.lib.uri = file:/lib/x86_64-linux-gnu
+
+fs.mount.scenes.type = chroot
+fs.mount.scenes.path = /data
+fs.mount.scenes.uri = file:$(DATA_DIR)
+
+fs.mount.blender.type = chroot
+fs.mount.blender.path = /blender
+fs.mount.blender.uri = file:$(BLENDER_DIR)
+
+
+sys.stack.size = 8M
+
+
+sgx.enclave_size = 2048M
+sgx.thread_num = 28
+
+
+sgx.trusted_files.ld = file:$(GRAPHENE_DIR)/Runtime/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(GRAPHENE_DIR)/Runtime/libc.so.6
+sgx.trusted_files.libdl = file:$(GRAPHENE_DIR)/Runtime/libdl.so.2
+sgx.trusted_files.libm = file:$(GRAPHENE_DIR)/Runtime/libm.so.6
+sgx.trusted_files.libpthread = file:$(GRAPHENE_DIR)/Runtime/libpthread.so.0
+sgx.trusted_files.libutil = file:$(GRAPHENE_DIR)/Runtime/libutil.so.1
+sgx.trusted_files.librt = file:$(GRAPHENE_DIR)/Runtime/librt.so.1
+
+sgx.trusted_files.libGL = file:$(BLENDER_DIR)/lib/libGL.so.1
+sgx.trusted_files.libglapi = file:$(BLENDER_DIR)/lib/libglapi.so.0
+
+sgx.trusted_files.libX11 = file:/usr/lib/x86_64-linux-gnu/libX11.so.6
+sgx.trusted_files.libXi = file:/usr/lib/x86_64-linux-gnu/libXi.so.6
+sgx.trusted_files.libXxf86vm = file:/usr/lib/x86_64-linux-gnu/libXxf86vm.so.1
+sgx.trusted_files.libXfixes = file:/usr/lib/x86_64-linux-gnu/libXfixes.so.3
+sgx.trusted_files.libXrender = file:/usr/lib/x86_64-linux-gnu/libXrender.so.1
+sgx.trusted_files.libgcc_s = file:/lib/x86_64-linux-gnu/libgcc_s.so.1
+sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
+sgx.trusted_files.libXext = file:/usr/lib/x86_64-linux-gnu/libXext.so.6
+sgx.trusted_files.libxcb = file:/usr/lib/x86_64-linux-gnu/libxcb.so.1
+sgx.trusted_files.libXau = file:/usr/lib/x86_64-linux-gnu/libXau.so.6
+sgx.trusted_files.libXdmcp = file:/usr/lib/x86_64-linux-gnu/libXdmcp.so.6
+sgx.trusted_files.libstdcpp = file:/usr/lib/x86_64-linux-gnu/libstdc++.so.6
+sgx.trusted_files.libnuma = file:/usr/lib/x86_64-linux-gnu/libnuma.so.1
+
+# Ubuntu version specific files
+# [Ubuntu18.04] sgx.trusted_files.libbsd = file:/lib/x86_64-linux-gnu/libbsd.so.0
diff --git a/blender/data/.gitignore b/blender/data/.gitignore
new file mode 100644
index 0000000..47241b6
--- /dev/null
+++ b/blender/data/.gitignore
@@ -0,0 +1 @@
+images/
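Review bot: The comment above `loader.env.PWD =` states that Graphene copies the host environment into the enclave, yet the template pins only `PWD` and `LD_LIBRARY_PATH`; because the header block also notes that Blender ships its own Python, any other inherited variable that steers interpreter or script lookup (presumably `PYTHONPATH`/`PYTHONHOME`, to be confirmed against the bundled interpreter) reaches the enclave unchanged and is host-controlled input. That is consistent with a template already marked INSECURE, but it belongs in the warning text, e.g. `# Other host environment variables are inherited as-is; pin or clear interpreter-related ones before using this manifest outside testing.` placed next to the existing `loader.env` comment. Minor wording in the header: `There is a lot of files` should read `There are a lot of files`, and `counter productive` is one word, `counterproductive`.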
diff --git a/blender/data/scenes/simple_scene.blend b/blender/data/scenes/simple_scene.blend
new file mode 100644
index 0000000..12757d0
Binary files /dev/null and b/blender/data/scenes/simple_scene.blend differ
diff --git a/blender/test_all_scenes.sh b/blender/test_all_scenes.sh
new file mode 100644
index 0000000..ea70d25
--- /dev/null
+++ b/blender/test_all_scenes.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+for i in `ls "$DATA_DIR"/scenes/`;
+do
+ rm -f "$DATA_DIR"/images/"$i"0001.png
+ ./pal_loader ./blender.manifest -b /data/scenes/$i -t 4 -F PNG -o /data/images/$i -f 1
+ # TODO add a better test, probably some diff with a precomputed image
+ [ -f "$DATA_DIR"/images/"$i"0001.png ]
+done
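Review bot: The `for i in \`ls "$DATA_DIR"/scenes/\`` header passes vacuously: if `DATA_DIR` is unset or empty the `ls` fails, but a failing command substitution in a `for` list is not caught by `set -e`, so the loop body never runs and the script exits 0 — `make check` then reports success without rendering anything, and the same happens for an empty scenes directory. Guard the variable with `: "${DATA_DIR:?DATA_DIR must be set}"`, iterate over a glob instead of parsing `ls`, and fail explicitly when the glob matches nothing; that also fixes the unquoted `$i` in the `pal_loader` arguments, which splits on scene names containing whitespace. The rewritten loop is below; the TODO comment and the final existence check stay as they are.
```shell
: "${DATA_DIR:?DATA_DIR must be set}"

for f in "$DATA_DIR"/scenes/*; do
    # an empty directory leaves the literal pattern behind: fail instead of passing vacuously
    [ -f "$f" ] || { echo "no scenes found in $DATA_DIR/scenes" >&2; exit 1; }
    i=$(basename "$f")
    rm -f "$DATA_DIR"/images/"$i"0001.png
    ./pal_loader ./blender.manifest -b "/data/scenes/$i" -t 4 -F PNG -o "/data/images/$i" -f 1
    # … unchanged: TODO comment and output-file existence check …
done
```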