A Cloudy View on Trust Relationships of CVMs : How Confidential Virtual Machines are Falling Short in Public Cloud

Eisoldt, Jana and Galanou, Anna and Ruzhanskiy, Andrey and Küchenmeister, Nils and Baburkin, Yewgenij and Dai, Tianxiang and Gudymenko, Ivan and Köpsell, Stefan and Kapitza, Rüdiger (2026) A Cloudy View on Trust Relationships of CVMs : How Confidential Virtual Machines are Falling Short in Public Cloud. In: 2025 IEEE Annual Computer Security Applications Conference (ACSAC) :. IEEE. ISBN 9798331557195

Abstract

Confidential computing in the public cloud intends to safeguard workload privacy while outsourcing infrastructure management to a cloud provider. This is achieved by executing customer workloads within so called Trusted Execution Environments, such as Confidential Virtual Machines (CVMs), which protect them from unauthorised access by cloud administrators and privileged system software. At the core of confidential computing lies remote attestation—a mechanism that enables workload owners to verify the initial state of their workload and authenticate the underlying hardware. This paper critically examines the confidential computing offerings of market-leading cloud providers to assess whether they genuinely adhere to its core principles. We develop a taxonomy based on carefully selected criteria to systematically evaluate these offerings, enabling us to analyse the components responsible for remote attestation, the evidence provided at each stage, the extent of cloud provider influence and whether this undermines the threat model of confidential computing. Specifically, we investigate how CVMs are deployed in public cloud infrastructures, the extent to which customers can request and verify attestation evidence, and their ability to define and enforce configuration and attestation requirements. This analysis provides insight into whether confidential computing guarantees—namely confidentiality and integrity—are genuinely upheld. Our findings reveal that major cloud providers retain control over critical parts of the trusted software stack and, in some cases, intervene in the standard remote attestation process. This directly contradicts their claims of delivering confidential computing, as the model fundamentally excludes the cloud provider from the set of trusted entities.