Confidential Virtual Machines (CVMs) protect data in use by running workloads within hardware-enforced Trusted Execution Environments (TEEs). However, existing CVM attestation mechanisms only certify what code is running, not where it is running. Commercial TEEs mitigate passive physical attacks through memory encryption but explicitly exclude active hardware tampering (memory interposers, physical side channels, etc.). Yet current attestations provide no cryptographic evidence that a CVM executes on hardware residing within a trusted data center where such attacks would not take place. This gap enables proxy attacks in which valid attestations are combined across machines to falsely attest trusted execution. To bridge this gap, we introduce Data Center Execution Assurance (DCEA), a design that generates a cryptographic Proof of Cloud by binding CVM attestation to platform-level Trusted Platform Module (TPM) evidence. DCEA combines two independent roots of trust, the TEE manufacturer and the infrastructure provider, by cross-linking runtime TEE measurements with the vTPM-measured boot state of the CVM. This binding ensures that CVM execution, vTPM quotes, and platform provenance all originate from the same physical chassis. We formalize the environment's provenance and show that DCEA prevents advanced relay attacks, including a novel mix-and-match proxy attack. Using the AGATE framework in the Universal Composability model, we prove that DCEA emulates an ideal location-aware TEE even under a malicious host software stack. We implement DCEA on Google Cloud bare-metal Intel TDX instances using Intel TXT and evaluate its performance, demonstrating practical overheads and deployability. DCEA refines the CVM threat model and enables verifiable execution-location guarantees for privacy-sensitive workloads.
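To make the cross-linking idea concrete, here is an added toy verifier (not the paper's protocol or code) for one simplified form of such a binding: the TEE report's runtime measurement commits to the vTPM attestation key (AK), the vTPM quote commits to the TEE report it was generated alongside, and the provider endorses which AKs live in its data center. All keys, measurements and the HMAC stand-ins for the vendor's and AK's real asymmetric signatures are constructed for the example, as is the assumption that the verifier can check the quote with the AK directly.

```python
import hashlib
import hmac
import json


def canon(body: dict) -> bytes:
    """Canonical byte encoding of an evidence body (constructed format)."""
    return json.dumps(body, sort_keys=True).encode()


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, body: dict) -> dict:
    # HMAC stands in for the vendor's / AK's asymmetric signature (constructed).
    return {"body": body, "sig": hmac.new(key, canon(body), hashlib.sha256).hexdigest()}


def verify_sig(key: bytes, blob: dict) -> bool:
    return hmac.compare_digest(sign(key, blob["body"])["sig"], blob["sig"])


# Constructed roots of trust: the TEE manufacturer's signing key, and the
# provider's registry of vTPM AKs it endorses as belonging to in-DC chassis.
TEE_VENDOR_KEY = b"constructed-tee-vendor-key"
AK = {"cloud": b"constructed-ak-cloud-chassis", "rogue": b"constructed-ak-rogue-chassis"}
PROVIDER_ENDORSED_AKS = {h(AK["cloud"])}


def chassis_evidence(ak: bytes, mrtd: str, nonce: str) -> tuple:
    """Evidence produced on ONE chassis: the TEE report's runtime measurement
    commits to the local vTPM AK, and the vTPM quote commits to that report."""
    report = sign(TEE_VENDOR_KEY, {"mrtd": mrtd, "rtmr_ak": h(ak)})
    quote = sign(ak, {"pcr_digest": h(b"constructed-measured-boot"),
                      "extra": h(canon(report["body"])), "nonce": nonce})
    return report, quote


def verify_proof_of_cloud(report: dict, quote: dict, ak: bytes, nonce: str) -> bool:
    """Accept only if both roots of trust vouch for evidence from the same chassis."""
    return (verify_sig(TEE_VENDOR_KEY, report)                   # TEE manufacturer root
            and verify_sig(ak, quote)                             # quote signed by claimed AK
            and h(ak) in PROVIDER_ENDORSED_AKS                    # provider root: AK is in-DC
            and report["body"]["rtmr_ak"] == h(ak)                # TEE -> vTPM link
            and quote["body"]["extra"] == h(canon(report["body"]))  # vTPM -> TEE link
            and quote["body"]["nonce"] == nonce)                  # freshness


def demo() -> dict:
    nonce = "verifier-nonce-1"
    r_cloud, q_cloud = chassis_evidence(AK["cloud"], "mrtd-workload", nonce)
    r_rogue, q_rogue = chassis_evidence(AK["rogue"], "mrtd-workload", nonce)
    return {"genuine": verify_proof_of_cloud(r_cloud, q_cloud, AK["cloud"], nonce),
            # mix-and-match: report from attacker-held TEE hardware + genuine in-DC quote
            "rogue_report_cloud_quote": verify_proof_of_cloud(r_rogue, q_cloud, AK["cloud"], nonce),
            # genuine report + quote from a vTPM the provider never endorsed
            "cloud_report_rogue_quote": verify_proof_of_cloud(r_cloud, q_rogue, AK["rogue"], nonce)}
```

Only the evidence pair produced on the same endorsed chassis passes; either cross-machine combination fails at least one link check.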