Although confidential virtual machines (CVMs) offer strong isolation in untrusted cloud environments, their attestation mechanisms are restricted to static boot-time measurements. This means they cannot capture the detailed post-boot state necessary for real-world deployments. Modern workloads demand context-specific trust decisions that vary across verifiers, operational stages and workloads, such as software supply chains or cloud-native workload deployments. In this paper, we present a flexible policy-driven attestation and configuration architecture that enables verifier-specific evidence generation across different stages of a CVM’s lifecycle, without requiring changes to the guest OS or container workflows, unlike previous approaches. Our system uses eBPF and Linux Security Module hooks to capture in-guest signals under dynamic policies, allowing flexible and context-aware attestation of runtime properties or post-boot configuration state. We demonstrate its utility in two use cases: (i) attesting confidential build pipelines with cryptographically linked Software Bill of Materials and artifacts, and (ii) enabling verifiable post-boot contextualization for multi-tenant CVMs. Built on AMD SEV-SNP, our prototype achieves low overhead and seamless integration, offering a practical trust layer that advances attestation for secure software supply chains and dynamic cloud workloads.