>how Amazon and other hyperscalers can promise you virtual machines whose memory cannot be touched even in the case the host is compromised (and, by extension, also if the feds arrive to v& your server).
Even if we take those promises at face value, it practically doesn't mean much because every server still needs to handle reboots, which is when they can inject their evil code.
MK-TME allows memory to be encrypted at runtime, and the platform TPM signs an attestation saying the memory was not altered.
Malicious code can't be injected at boot without breaking that TPM.
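Added example, not from the thread: a small simulation of the measured-boot check the reply is leaning on. Each boot stage is extended into a PCR, the "TPM" quotes the PCR over a verifier nonce, and the verifier compares against a golden value, so a swapped boot component at reboot produces a different PCR and a failed check. The boot blobs are constructed, and the HMAC key stands in for the TPM's attestation key (a real TPM signs with an asymmetric key and the verifier holds only the public half).

```python
import hashlib
import hmac

# Constructed stand-in for the TPM attestation key (real TPMs use an asymmetric AK).
ATTESTATION_KEY = b"constructed-tpm-ak-secret"


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain: list[bytes]) -> bytes:
    """Measured boot: extend every boot stage, in order, into an all-zero PCR."""
    pcr = bytes(32)
    for blob in chain:
        pcr = extend(pcr, blob)
    return pcr


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Stand-in for TPM2_Quote: keyed digest over the PCR and a verifier-chosen nonce."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


def verify(pcr: bytes, nonce: bytes, sig: bytes, golden_pcr: bytes) -> bool:
    """Verifier: the quote must be genuine and fresh, and the PCR must match the golden boot."""
    expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and hmac.compare_digest(pcr, golden_pcr)


# Constructed sample boot chain: firmware, bootloader, kernel.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN_PCR = measure_boot(GOOD_CHAIN)


def attest_reboot(chain: list[bytes], nonce: bytes = b"verifier-nonce-1") -> bool:
    """Boot the given chain, quote the resulting PCR, and verify it against the golden value."""
    pcr = measure_boot(chain)
    return verify(pcr, nonce, quote(pcr, nonce), GOLDEN_PCR)


if __name__ == "__main__":
    print("clean reboot attests:", attest_reboot(GOOD_CHAIN))
    print("modified kernel attests:", attest_reboot([b"firmware-v1", b"bootloader-v1", b"kernel-v2"]))
```

Reordering the same stages also changes the PCR, since extend is order-dependent, which is why the verifier needs the full golden chain rather than a set of component hashes.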