Again it isn't clear how much value does attestation have, we are assuming arbitrary restrictions on the attacker such as inability to trigger exits at random times, why not assume it can't attack guest during boot? IOW it seems reasonable to just ignore the need for attestation completely as the first step. Get the other stuff merged first.
Thanks for feedbacks. In v2, I will try to remove the attestation code and we can revisit it later.