João Henriques Sereno

Co-advisor: N. Santos


A Unified Framework for Attested Confidential VM Workloads in Public Clouds


Thesis submitted for the master's degree examination in Computer Science and Engineering, Instituto Superior Técnico, Universidade de Lisboa.

Abstract

Confidential Virtual Machines (VMs) backed by AMD Secure Encrypted Virtualization–Secure Nested Paging (SEV-SNP) allow workloads to execute on public cloud infrastructure while excluding the infrastructure operator from accessing the VM memory or execution state. Remote attestation makes this protection verifiable, but in practice the verification is rarely performed independently. The tools and provider-specific interfaces needed to derive expected measurements exist in fragments, and no coherent pipeline assembles them into a workflow that a verifying party can use to predict and verify the measurements of an arbitrary workload across providers.

This thesis analyzes the attestation properties of AMD SEV-SNP confidential VM offerings from Amazon Web Services, Microsoft Azure, and Google Cloud Platform, and classifies the software verification depth assurance each provider makes achievable according to a proposed taxonomy. It then introduces Evident, a lifecycle management framework that integrates and extends tooling into a single pipeline spanning image construction, measurement derivation, deployment, and cross-provider remote attestation. The verifying party derives expected measurements directly from the VM image artifacts, removing the dependency on externally supplied reference values. The framework requires no modifications to the deployed workload. Evaluation through a confidential inference use case confirmed the predicted measurements match, with remote attestation completing under two or eight seconds, depending on the cloud provider, and the accompanying server component posing little to no interference with the workload execution.


Publications

A Unified Framework for Attested Confidential VM Workloads in Public Clouds
João Henriques Sereno
MSc Thesis. Instituto Superior Técnico, Universidade de Lisboa.
May 2026.
Available: BibTeX, MSc thesis, extended abstract, and mid-term report.
Secure Lifecycle Management of Confidential Virtual Machines in Public Clouds (poster).
J. Sereno, D. Castro, N. Santos and L. Rodrigues.
Proceedings of the 23rd IEEE International Symposium on Network Computing and Applications (NCA), Lisbon, Portugal, Nov 2025.

Luís Rodrigues