Secure public cloud with protected guest-verified host control

What is claimed is: 1. At least one non-transitory computer-readable medium comprising instructions that, when executed, cause a processor to facilitate operations comprising: creating a first key domain, the first key domain comprising a region of a memory to be encrypted by a key domain key; launching a first guest virtual machine within the first key domain; intercepting an interrupt; saving processor register information to a protected location of the memory in response to the interrupt or an exception thrown when the first guest virtual machine causes an exit condition; clearing a first processor register if the first processor register is not needed by an untrusted host virtual machine monitor managing execution of the first guest virtual machine; conditionally exposing a second processor register if the second processor register is needed by the untrusted host virtual machine monitor; invoking the untrusted host virtual machine monitor; and exiting the first guest virtual machine when the untrusted host virtual machine monitor is invoked. 2. The at least one computer-readable medium of claim 1 , wherein the operations further comprise: receiving an encrypted key domain key, an encrypted guest code image encrypted by a key domain key, and an encrypted guest control structure encrypted by the key domain key; verifying the encrypted guest control structure; receiving an encrypted updated guest control structure, install the encrypted updated guest control structure in the memory, and verify the encrypted updated guest control structure; and entering the first guest virtual machine using an updated guest control structure in response to verifying the encrypted updated guest control structure, the updated guest control structure produced by the processor decrypting the encrypted updated guest control structure. 3. The at least one computer-readable medium of claim 2 , wherein the operations further comprise: receiving an encrypted updated guest code image; and installing the encrypted updated guest code image in the memory. 4. The at least one computer-readable medium of claim 1 , wherein the operations further comprise: determining whether a change to the guest control structure is needed; verifying, by the first guest virtual machine, that the change to the guest control structure does not compromise security of the first guest virtual machine; producing, by the first guest virtual machine, an encrypted updated guest control structure incorporating the change using the key domain key; and sending, by the first guest virtual machine, the encrypted updated guest control structure to an untrusted host virtual machine monitor via a shared region of the memory shared by the untrusted host virtual machine monitor and the first guest virtual machine. 5. The at least one computer-readable medium of claim 4 , wherein the operations further comprise: installing the encrypted updated guest control structure in the memory; verifying the encrypted updated guest control structure; and entering the first guest virtual machine using an updated guest control structure in response to verifying the encrypted updated guest control structure, the updated guest control structure produced by the processor decrypting the encrypted updated guest control structure. 6. The at least one computer-readable medium of claim 1 , wherein the operations further comprise: verifying an agent control structure included within the encrypted guest control structure; and launching a second guest virtual machine within the first key domain using the agent control structure, the second guest virtual machine to provide an agent to act on behalf of the untrusted host virtual machine monitor within the first key domain. 7. The at least one computer-readable medium of claim 6 , wherein the operations further comprise: communicating a request to modify the guest control structure of the first guest virtual machine to the agent via a shared region of memory shared with the agent; modifying, by the agent, the guest control structure of the first guest virtual machine within the first key domain to produce a modified guest control structure of the first guest virtual machine in response to reading the request from the shared region of memory; verifying the modified guest control structure of the first guest virtual machine; and entering the first guest virtual machine within the first key domain using the modified guest control structure upon verifying the modified guest control structure. 8. An apparatus comprising: a processor coupled to a memory, the processor to: create a first key domain, the first key domain comprising a region of the memory to be encrypted by a key domain key; launch a first guest virtual machine within the first key domain; intercept an interrupt; save processor register information to a protected location of the memory in response to the interrupt or an exception thrown when the first guest virtual machine causes an exit condition; clear a first processor register if the first processor register is not needed by an untrusted host virtual machine monitor managing execution of the first guest virtual machine; conditionally expose a second processor register if the second processor register is needed by the untrusted host virtual machine monitor; invoke the untrusted host virtual machine monitor; and exit the first guest virtual machine when the untrusted host virtual machine monitor is invoked. 9. The apparatus of claim 8 , wherein the processor to: receive an encrypted key domain key, an encrypted guest code image encrypted by the key domain key, and an encrypted guest control structure encrypted by the key domain key; verify the encrypted guest control structure; receive an encrypted updated guest control structure, install the encrypted updated guest control structure in the memory, and verify the encrypted updated guest control structure; and enter the first guest virtual machine using an updated guest control structure in response to verifying the encrypted updated guest control structure, the updated guest control structure produced by the processor decrypting the encrypted updated guest control structure. 10. The apparatus of claim 9 , wherein the processor to: receive an encrypted updated guest code image; and install the encrypted updated guest code image in the memory. 11. The apparatus of claim 8 , wherein the processor to: determine whether a change to the guest control structure is needed; verify, by the first guest virtual machine, that the change to the guest control structure does not compromise security of the first guest virtual machine; produce, by the first guest virtual machine, an encrypted updated guest control structure incorporating the change using the key domain key; and send, by the first guest virtual machine, the encrypted updated guest control structure to an untrusted host virtual machine monitor via a shared region of the memory shared by the untrusted host virtual machine monitor and the first guest virtual machine. 12. The apparatus of claim 11 , wherein the processor to: install the encrypted updated guest control structure in the memory; verify the encrypted updated guest control structure; and enter the first guest virtual machine using an updated guest control structure in response to verifying the encrypted updated guest control structure, the updated guest control structure produced by the processor decrypting the encrypted updated guest control structure. 13. The apparatus of claim 8 , wherein the processor to: verify an agent control structure included within