The thing you're looking for is called remote attestation.
That means there is a direct channel from the hardware to the user that attests the confidentiality and integrity of the VM.
Such an attestation statement is signed by a key burned into the CPU at production time. The remaining attack vector is leaking that key from the hardware itself. There is academic research on this topic. In essence, while technically possible, it is considered not practical, especially not at scale.
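Added example, not part of the comment above and not any vendor's code: a minimal Go sketch of the check the user performs on a signed attestation statement. The `Report` layout, `NewDeviceKey`, `Attest` and `Verify` are hypothetical names, and a freshly generated P-256 key stands in for the key burned into the CPU.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a constructed, simplified attestation statement, not a vendor format.
type Report struct {
	Measurement [32]byte // hash of the VM's launch state
	Nonce       []byte   // verifier's challenge, binds the report to this request
	Sig         []byte   // ECDSA signature made with the hardware key
}
// NewDeviceKey stands in for the key burned into the CPU at production time.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// digest hashes the fixed-length measurement followed by the nonce.
func (r *Report) digest() []byte {
	d := sha256.Sum256(append(append([]byte{}, r.Measurement[:]...), r.Nonce...))
	return d[:]
}
// Attest plays the hardware side: sign measurement and nonce with the device key.
func Attest(hw *ecdsa.PrivateKey, m [32]byte, nonce []byte) (r *Report, err error) {
	r = &Report{Measurement: m, Nonce: nonce}
	r.Sig, err = ecdsa.SignASN1(rand.Reader, hw, r.digest())
	return r, err
}
// Verify is the user's side: signature, then freshness, then expected measurement.
func Verify(pub *ecdsa.PublicKey, r *Report, nonce []byte, want [32]byte) error {
	switch {
	case !ecdsa.VerifyASN1(pub, r.digest(), r.Sig):
		return errors.New("signature was not made by the hardware key")
	case !bytes.Equal(r.Nonce, nonce):
		return errors.New("nonce mismatch: stale or replayed report")
	case r.Measurement != want:
		return errors.New("measurement differs from the expected VM")
	}
	return nil
}
func main() {
	hw, _ := NewDeviceKey()
	r, _ := Attest(hw, [32]byte{1}, []byte("constructed-nonce"))
	fmt.Println(Verify(&hw.PublicKey, r, []byte("constructed-nonce"), [32]byte{1}))
}
```

In a real deployment the public key is not handed over directly; it is taken from a certificate that chains to the CPU vendor's root.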