Proof of Cloud: Data Center Execution Assurance for Confidential VMs

📅 2025-10-14
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing remote attestation mechanisms cannot verify whether confidential virtual machines (CVMs) execute on physically trusted TEE platforms, causing CVM deployment to diverge from established TEE threat models (e.g., Intel TDX). This work proposes Datacenter Execution Assurance (DCEA), the first framework to tightly bind vTPM-anchored measurements to physical platform identity, enabling unified verification of CVM boot evidence and chassis-level hardware identity. DCEA integrates vTPM, discrete TPM, Intel TDX, and TXT within a cloud provider–controlled software stack to establish an end-to-end trusted boot and remote attestation pipeline, effectively mitigating replay and proxy attacks. We implement and evaluate DCEA on Google Cloud with Intel TDX, demonstrating verifiable proofs of both CVM physical provenance and runtime integrity. DCEA delivers the first deployment solution for high-assurance confidential computing in low-trust environments that fully aligns with TEE threat models.

📝 Abstract
Confidential Virtual Machines (CVMs) protect data in use by running workloads inside hardware-isolated environments. In doing so, they also inherit the limitations of the underlying hardware. Trusted Execution Environments (TEEs), which enforce this isolation, explicitly exclude adversaries with physical access from their threat model. Commercial TEEs, e.g., Intel TDX, thus assume infrastructure providers do not physically exploit hardware and serve as safeguards instead. This creates a tension: tenants must trust provider integrity at the hardware layer, yet existing remote attestation offers no way to verify that CVMs actually run on physically trusted platforms, leaving today's CVM deployments unable to demonstrate that their guarantees align with the TEE vendor's threat model. We bridge this confidence gap with Data Center Execution Assurance (DCEA), a design generating "Proofs of Cloud". DCEA binds a CVM to its underlying platform using vTPM-anchored measurements, ensuring CVM launch evidence and TPM quotes refer to the same physical chassis. This takes advantage of the fact that data centers are often identifiable via TPMs. Our approach applies to CVMs accessing vTPMs and running on top of software stacks fully controlled by the cloud provider, as well as single-tenant bare-metal deployments with discrete TPMs. We trust providers for integrity (certificate issuance), but not for the confidentiality of CVM-visible state. DCEA enables remote verification of a CVM's platform origin and integrity, mitigating attacks like replay and attestation proxying. We include a candidate implementation on Google Cloud and Intel TDX that leverages Intel TXT for trusted launch. Our design refines CVMs' threat model and provides a practical path for deploying high-assurance, confidential workloads in minimally trusted environments.
Problem

Research questions and friction points this paper is trying to address.

Ensuring Confidential VMs run on physically trusted platforms
Verifying CVM launch integrity against hardware-level threats
Bridging the trust gap between cloud providers and tenants
Innovation

Methods, ideas, or system contributions that make the work stand out.

Binds CVM to platform using vTPM measurements
Enables remote verification of platform origin
Leverages Intel TXT for trusted launch implementation