Virtual Environment Type Validation For Policy Enforcement
US-2021133312-A1 · May 6, 2021 · US
US12056512B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12056512-B2 |
| Application number | US-202117357999-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 25, 2021 |
| Priority date | Jun 25, 2021 |
| Publication date | Aug 6, 2024 |
| Grant date | Aug 6, 2024 |
Official abstract text for this publication.
A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
Opening claim text (preview).
What is claimed is:
1. A system comprising: a memory; and a processor configured to run service logic in a guest operating system of a virtual machine and a hosting service, wherein the processor runs the hosting service to perform: providing, to a trusted entity on a central processing unit of the processor, a command for a launch of the virtual machine; assigning, to the virtual machine, at least a portion of the memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the virtual machine to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by a user for the service logic, wherein the policy for the service logic defines a rule for the service logic, wherein the rule indicates which container may run in the guest operating system; hashing the policy for the service logic to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy for the service logic; and completing the launch of the virtual machine.
2. The system as claimed in claim 1, wherein the hash digest of the policy for the service logic and the measurement digest of the address space of the guest operating system are used by the system as immutable fields in any attestation reports for the virtual machine.
3. The system as claimed in claim 1, wherein the policy for the service logic comprises at least one of: a definition for the service logic as to which containers are permitted to run in the guest operating system of the virtual machine; a set of hashes of container image layer file systems of the containers which are permitted to run in the guest operating system of the virtual machine; a command line rule for the containers which are permitted to run in the guest operating system of the virtual machine; or a set of encrypted filesystems of the user that will be mounted during execution of the containers which are permitted to run in the guest operating system of the virtual machine.
4. The system as claimed in claim 3, wherein the processor runs the hosting service to send the configuration object to the service logic; wherein the processor runs the service logic to perform, in response to receiving the configuration object: storing the configuration object; extracting the policy for the service logic from the configuration object; hashing the extracted policy for the service logic to generate a hash digest of the extracted policy; retrieving an attestation report from the trusted entity; checking if a hash digest of the policy for the service logic in the attestation report matches the hash digest of the extracted policy of the service logic; and storing the policy for the service logic to be enforced by the service logic in the guest operating system of the virtual machine.
5. The system as claimed in claim 4, wherein the processor runs the service logic to perform: during an attempt to run a container: making a read-write temporary encrypted filesystem for the container, wherein the filesystem is integrity-protected; mounting an integrity-protected filesystem of the container; and only running the container if a hash of a filesystem layer of the container is the same as an expected hash reported in the policy for the service logic.
6. The system as claimed in claim 1, wherein the processor runs the service to perform: checking if a run command line recorded in the policy for the service logic corresponds to a runtime specification of a container; executing a container workload of the container when the run command line recorded in the policy for the service logic corresponds to the runtime specification of the container; and not executing the container workload of the container when the runtime specification of the container does not correspond to the run command line recorded in the policy for the service logic.
7. The system as claimed in claim 1, wherein the processor is configured to run preparation logic, wherein the processor runs the preparation logic to perform: generating a symmetric key used for encrypting a filesystem for a container workload; generating, in response to user input, a key release policy for releasing the symmetric key; and sending the symmetric key and the key release policy to a secure key store.
8. The system as claimed in claim 7, wherein the processor runs the preparation logic to perform: encrypting the filesystem using the symmetric key and storing the encrypted filesystem in a storage.
9. The system as claimed in claim 8, wherein the processor runs the service logic to perform: provisioning a wrapping key for releasing user information from a secure key store, wherein the wrapping key includes a public key and a private key; generating key information based on the public key of the wrapping key; hashing the key information to provide a hash digest of the key information; and requesting an attestation report from the trusted entity using the hash digest of the key information.
10. The system as claimed in claim 9, wherein the processor runs the service logic to perform: retrieving certificate information of hardware running the virtual machine; sending the attestation report, certificate information, key information and the policy for the service logic to an attestation platform for attestation report verification, wherein the key information includes the public key of the wrapping key; and upon the attestation report verification succeeding, receiving a signed token from the attestation platform that includes information extracted from the attestation report, key information, and the policy for the service logic.
11. The system as claimed in claim 10, wherein the processor runs the service logic to perform: sending the signed token to the secure key store requesting the symmetric key is released, wherein the secure key store releases the symmetric key if claims in the token meet the key release policy; upon the claims meeting the key release policy, receiving from the secure key store, the symmetric key wrapped with the public key of the wrapping key; unwrapping the symmetric key using the private key of the wrapping key; and using the symmetric key to decrypt the encrypted filesystem of the container workload.
12. A computer-implemented method comprising: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine; assigning, to the virtual machine, at least a portion of memory for a guest operating system; submitting, to the trusted entity, a request to measure an address space of the virtual machine to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by a user for service logic in a guest operating system of the virtual machine, wherein the policy for the service logic defines a rule for the service logic, wherein the indicates which container may run in the guest operating system; hashing the policy for the service logic to provide a hash digest of the policy for the service logic; submitting, to the trusted entity, the hash digest of the policy for the service logic; and completing the launch of the virtual machine.
13. The method as claimed in claim 12, wherein the hash digest of the policy for the service logic and the measurement digest of the address space of the guest operating system are used as immutable fields in any attestation reports for the virtual machine.
14. The method as claimed in claim 12, wherein the pol
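The policy binding recited in claims 1, 4, 5 and 6, modelled end to end as an added example (not code from the patent or its assignee). Assumptions: SHA-256 as the hash, a JSON policy layout with hypothetical `layer_hashes` and `command` fields, and a plain dict standing in for the signed attestation report, whose signature check is outside this sketch.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the claims only say "hashing".
    return hashlib.sha256(data).hexdigest()

def host_prepare_launch(policy_bytes: bytes, guest_memory: bytes):
    """Hosting service: build the configuration object and the digests fixed at launch."""
    config_object = {"policy": policy_bytes}
    launch_fields = {"measurement": digest(guest_memory),
                     "policy_digest": digest(policy_bytes)}
    return config_object, launch_fields

def guest_accept_policy(config_object: dict, attestation_report: dict) -> dict:
    """Service logic: hash the delivered policy bytes and parse them only on a match."""
    policy_bytes = config_object["policy"]
    if not hmac.compare_digest(digest(policy_bytes),
                               attestation_report["policy_digest"]):
        raise PermissionError("policy does not match attested digest")
    return json.loads(policy_bytes)

def may_run(policy: dict, layers: list, command: list) -> bool:
    """Allow a container only if layer hashes and command line equal one policy rule."""
    layer_hashes = [digest(layer) for layer in layers]
    return any(rule["layer_hashes"] == layer_hashes and rule["command"] == command
               for rule in policy["containers"])

# Constructed sample data: two container layers and the user's policy for them.
LAYERS = [b"base-layer-bytes", b"app-layer-bytes"]
POLICY = json.dumps({"containers": [{
    "layer_hashes": [digest(layer) for layer in LAYERS],
    "command": ["/bin/app", "--serve"]}]}).encode()

def demo():
    config, report = host_prepare_launch(POLICY, b"guest-os-image")
    policy = guest_accept_policy(config, report)
    cmd = ["/bin/app", "--serve"]
    try:
        # A configuration object whose policy was replaced after launch.
        guest_accept_policy({"policy": b'{"containers": []}'}, report)
        swapped = "accepted"
    except PermissionError:
        swapped = "rejected"
    return (may_run(policy, LAYERS, cmd),
            may_run(policy, [LAYERS[0], b"patched"], cmd),
            may_run(policy, LAYERS, ["/bin/sh"]),
            swapped)
```

Hashing the policy bytes exactly as delivered, before any parsing, avoids depending on a canonical serialization and keeps unverified input away from the parser.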
involving digital signatures · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
Isolation or security of virtual machine instances · CPC title