Narrowing the Gap between TEEs Threat Model and Deployment Strategies

📅 2025-06-17
📈 Citations: 0
Influential: 0
🤖 AI Summary
Current CVM threat models are disconnected from real-world deployments: remote attestation is not bound to a specific cloud provider, so a user cannot verify whether a trusted execution environment (TEE) runs on infrastructure operated by a party they trust against physical attacks. As a result the physical-attack risk cannot be quantified, and no end-to-end security guarantee can be established without trusting the provider. This paper identifies and systematically analyzes that gap. It proposes a cross-vendor, verifiable attestation extension built on the Protected Platform Identifier (PPID), a unique CPU identifier, which abstracts and standardizes attestation workflows and interfaces so that trust can be anchored at the physical layer. The summary describes a portable verification framework covering the major TEE platforms, including Intel TDX and AMD SEV-SNP, which is intended to let external users assess physical-attack risk and deployment trustworthiness, to enable decentralized attestation, and to support secure cross-cloud workload migration.

📝 Abstract
Confidential Virtual Machines (CVMs) provide isolation guarantees for data in use, but their threat model does not include physical-level protection or side-channel attacks. Therefore, current deployments rely on trusted cloud providers to host the CVMs' underlying infrastructure. However, TEE attestations do not provide information about the operator hosting a CVM. Without knowing whether a Trusted Execution Environment (TEE) runs within a provider's infrastructure, a user cannot accurately assess the risks of physical attacks. We observe a misalignment in the threat model where the workloads are protected against other tenants but do not offer end-to-end security assurances to external users without relying on cloud providers. The attestation should be extended to bind the CVM with the provider. A possible solution can rely on the Protected Platform Identifier (PPID), a unique CPU identifier. However, the implementation details of various TEE manufacturers, attestation flows, and providers vary. This makes verification of attestations, ease of migration, and building applications without relying on a trusted party challenging, highlighting a key limitation that must be addressed for the adoption of CVMs. We discuss two points focusing on hardening and extensions of TEEs' attestation.
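As an added illustration, not code from the paper (which describes no implementation), the sketch below shows what "binding the CVM to the provider" through the PPID could look like on the relying party's side: the provider publishes a signed allow-list (manifest) of the PPIDs of the machines it physically hosts, and the verifier accepts an attestation report only if the report itself verifies, the nonce is fresh, the workload measurement matches, and the report's PPID appears in a valid, unexpired manifest. The report layout, the manifest format, the key names and the HMAC stand-in for the vendor and provider signatures are all assumptions made for this example; real reports are signed by the TEE vendor's certificate chain, and a real manifest would carry a provider signature the user can trace to the operator.

```python
"""Hypothetical PPID-based provider binding check (added example, not the paper's code)."""
import hashlib
import hmac
import json

# Constructed stand-in keys (assumption). In a real deployment the report is
# signed by the TEE vendor's key chain and the manifest by the provider's key;
# HMAC-SHA256 replaces both signatures so the example runs offline.
VENDOR_KEY = b"vendor-report-signing-key"
PROVIDER_KEY = b"provider-manifest-signing-key"


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def make_report(ppid: str, measurement: str, nonce: str) -> dict:
    """Simulated TEE attestation report that carries the platform's PPID."""
    body = {"ppid": ppid, "measurement": measurement, "nonce": nonce}
    return {"body": body, "sig": sign(VENDOR_KEY, body)}


def make_manifest(provider: str, ppids, not_after: int) -> dict:
    """Provider-signed allow-list of the PPIDs hosted in its own facilities."""
    body = {"provider": provider, "ppids": sorted(ppids), "not_after": not_after}
    return {"body": body, "sig": sign(PROVIDER_KEY, body)}


def verify_binding(report: dict, manifest: dict, expected_nonce: str,
                   expected_measurement: str, now: int):
    """Return (ok, reason).

    A field is only trusted after the signature covering it has been checked,
    so a tenant cannot claim a PPID it does not own, and a tampered manifest
    cannot add a PPID outside the provider's fleet.
    """
    if not hmac.compare_digest(report["sig"], sign(VENDOR_KEY, report["body"])):
        return False, "report signature invalid"
    rb = report["body"]
    if not hmac.compare_digest(rb["nonce"], expected_nonce):
        return False, "nonce mismatch (replayed report)"
    if rb["measurement"] != expected_measurement:
        return False, "unexpected workload measurement"
    if not hmac.compare_digest(manifest["sig"], sign(PROVIDER_KEY, manifest["body"])):
        return False, "manifest signature invalid"
    mb = manifest["body"]
    if now > mb["not_after"]:
        return False, "manifest expired"
    if rb["ppid"] not in mb["ppids"]:
        return False, "PPID not hosted by provider " + mb["provider"]
    return True, "CVM bound to provider " + mb["provider"]


# Constructed sample data (assumption): two hosted PPIDs, one foreign machine.
MANIFEST = make_manifest("ExampleCloud", ["PPID-A1", "PPID-B2"], not_after=2_000_000)
GOOD = make_report("PPID-A1", "sha384:abc", "nonce-1")
FOREIGN = make_report("PPID-ZZ", "sha384:abc", "nonce-1")

if __name__ == "__main__":
    for label, rep, nonce, now in [("hosted", GOOD, "nonce-1", 1_000_000),
                                   ("foreign", FOREIGN, "nonce-1", 1_000_000),
                                   ("replayed", GOOD, "nonce-0", 1_000_000),
                                   ("expired", GOOD, "nonce-1", 3_000_000)]:
        print(label, verify_binding(rep, MANIFEST, nonce, "sha384:abc", now))
```

The check order is the security-relevant part: the PPID is read from the report only after the vendor signature passes, and the allow-list is consulted only after the provider signature and validity window pass, so the provider binding never rests on an unauthenticated value.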
Problem

Research questions and friction points this paper is trying to address.

The CVM threat model excludes physical attacks and side channels, so deployments must trust the hosting provider
TEE attestation reports do not identify the operator hosting the CVM, so users cannot assess physical-attack risk
Differing TEE vendors, attestation flows and providers complicate attestation verification, migration and trust-free application design
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proposes extending TEE attestation to bind a CVM to its hosting provider
Uses the Protected Platform Identifier (PPID), a unique CPU identifier, as the binding anchor
Discusses hardening and extending TEE attestation flows so that verification does not depend on a trusted third party