> If an attacker is able to control the hypervisor (necessary to load > rogue microcode) and the processor microcode, how can the VM trust that > it is actually verifying that attestation and not being sent down a "oh > yes it is exactly what you want it to be" garden path?
Attestations are cryptographically signed by the cpu, and meant to be sent elsewhere and verified remotely. The key used to sign (VCEK) are dependent on the microcode version, so it shouldn't be possible to forge new-looking signature with old microcodes (i would hope this hold would someone be able to decrypt a microcode, though i couldn't find information on that subject).
