This paper systematically evaluates whether mainstream public cloud Confidential Virtual Machines (CVMs) genuinely satisfy the core tenet of confidential computing—namely, that the cloud provider is untrusted. Method: We introduce the first multidimensional trust boundary taxonomy and combine it with rigorous analysis of remote attestation protocols, TEE architecture reverse engineering, threat model consistency verification, and cross-cloud empirical comparison. Contribution/Results: We uncover systematic deviations across all major cloud providers: each retains control over critical components of the trusted software stack and either intervenes in or bypasses standard remote attestation procedures. Consequently, customers cannot autonomously define attestation policies nor fully verify system boot state. Our findings demonstrate that current CVM deployments fail to deliver substantive confidentiality and integrity guarantees, exposing a fundamental gap between industrial practice and theoretical commitments in confidential computing.

Confidential computing in the public cloud intends to safeguard workload privacy while outsourcing infrastructure management to a cloud provider. This is achieved by executing customer workloads within so called Trusted Execution Environments (TEEs), such as Confidential Virtual Machines (CVMs), which protect them from unauthorized access by cloud administrators and privileged system software. At the core of confidential computing lies remote attestation -- a mechanism that enables workload owners to verify the initial state of their workload and furthermore authenticate the underlying hardware. hile this represents a significant advancement in cloud security, this SoK critically examines the confidential computing offerings of market-leading cloud providers to assess whether they genuinely adhere to its core principles. We develop a taxonomy based on carefully selected criteria to systematically evaluate these offerings, enabling us to analyse the components responsible for remote attestation, the evidence provided at each stage, the extent of cloud provider influence and whether this undermines the threat model of confidential computing. Specifically, we investigate how CVMs are deployed in the public cloud infrastructures, the extent to which customers can request and verify attestation evidence, and their ability to define and enforce configuration and attestation requirements. This analysis provides insight into whether confidential computing guarantees -- namely confidentiality and integrity -- are genuinely upheld. Our findings reveal that all major cloud providers retain control over critical parts of the trusted software stack and, in some cases, intervene in the standard remote attestation process. This directly contradicts their claims of delivering confidential computing, as the model fundamentally excludes the cloud provider from the set of trusted entities.