Automatic provisioning and onboarding of offline or disconnected machines
US-12182236-B2 · Dec 31, 2024 · US
US2025094593A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025094593-A1 |
| Application number | US-202418895533-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 25, 2024 |
| Priority date | May 17, 2024 |
| Publication date | Mar 20, 2025 |
| Grant date | — |
Official abstract text for this publication.
An apparatus is provided comprising interface circuitry, machine-readable instructions, and processing circuitry to execute the machine-readable instructions. The machine-readable instructions include instructions to generate attestation evidence for verifying the integrity of a first confidential computing environment, the first confidential computing environment executing a workload. The machine-readable instructions further include instructions to obtain a collection of attestation evidence associated with the workload, the collection comprising attestation evidence for verifying the integrity of each confidential computing environment that the workload was deployed to during its lifecycle. The machine-readable instructions further include instructions to generate a migration image comprising the workload, the generated attestation evidence and the collection of attestation evidence. The machine-readable instructions further include instructions to transmit the migration image to a second confidential computing environment, the second confidential computing environment being the one that is to execute the workload.
Opening claim text (preview).
What is claimed is:
1. An apparatus comprising interface circuitry, machine-readable instructions and processing circuitry to execute the machine-readable instructions to: generate attestation evidence for verifying the integrity of a first confidential computing environment, the first confidential computing environment executing a workload; obtain a collection of attestation evidence associated with the workload, the collection of attestation evidence comprising attestation evidence for verifying the integrity of each confidential computing environment that the workload was deployed to during its lifecycle; generate a migration image comprising the workload, the generated attestation evidence and the collection of attestation evidence; and transmit the migration image to a second confidential computing environment, the second confidential computing environment being the one that is to execute the workload.
2. The apparatus of claim 1, wherein the processing circuitry is further to execute the machine-readable instructions to transmit the migration image to the second confidential computing environment only if a migration policy corresponding to the workload is satisfied.
3. The apparatus of claim 1, wherein the processing circuitry is further to execute the machine-readable instructions to transmit the migration image to the second confidential computing environment only if a security level of the second confidential computing environment exceeds a threshold defined in a migration policy corresponding to the workload.
4. The apparatus of claim 1, wherein the attestation evidence for verifying the integrity of the first confidential computing environment and the collection of attestation evidence associated with the workload are available in a wrapper data structure.
5. The apparatus of claim 4, wherein the wrapper data structure is a JavaScript Object Notation (JSON) array, a Concise Binary Object Representation (CBOR) array, or a CBOR tagged data structure.
6. The apparatus of claim 4, wherein the wrapper data structure is embedded into a secure data container.
7. The apparatus of claim 6, wherein the secure data container is at least one of the following: JSON Web Token (JWT), CBOR Web Token (CWT), SPDM transcript, X.509 certificate, and XML Digital Signature document.
8. The apparatus of claim 1, wherein the generating of the attestation evidence for verifying the integrity of the first confidential computing environment comprises generating a plurality of measurements, wherein the plurality of measurements proves the integrity of a plurality of layered environments of the first confidential computing environment.
9. The apparatus of claim 8, wherein the first confidential computing environment comprises at least one of the following layered environments: a root of trust, a firmware environment, a trusted platform manager environment, a quoting environment, a tenant environment and a migration environment.
10. The apparatus of claim 9, wherein at least one of the following trust dependencies applies: a signed measurement of the tenant environment has a trust dependency on the quoting environment, a signed measurement of the quoting environment has a trust dependency on the trusted platform manager environment, a signed measurement of the trusted platform manager environment has a trust dependency on the firmware environment, and a signed measurement of the firmware environment has a trust dependency on the root of trust of a processor executing the first confidential computing environment.
11. The apparatus of claim 1, wherein the migration image further comprises configuration data and/or metadata.
12. The apparatus of claim 1, wherein the processing circuitry is further to execute the machine-readable instructions to obtain a signature key and/or an encryption key for the migration image.
13. The apparatus of claim 12, wherein the processing circuitry is further to execute the machine-readable instructions to sign, encrypt, or sign and encrypt the migration image with the obtained signature key and/or encryption key.
14. The apparatus of claim 1, wherein the processing circuitry is further to execute the machine-readable instructions to convert the workload to be executable by a processor architecture running the second confidential computing environment.
15. The apparatus of claim 1, wherein the generating of the attestation evidence for verifying the integrity of the first confidential computing environment comprises signing one or more measurements of the first confidential computing environment.
16. A method comprising: generating attestation evidence for verifying the integrity of a first confidential computing environment, the first confidential computing environment executing a workload; obtaining a collection of attestation evidence associated with the workload, the collection of attestation evidence comprising attestation evidence for verifying the integrity of each confidential computing environment that the workload was deployed to during its lifecycle; generating a migration image comprising the workload, the generated attestation evidence and the collection of attestation evidence; and transmitting the migration image to a second confidential computing environment, the second confidential computing environment being the one that is to execute the workload.
17. The method of claim 16, further comprising transmitting the migration image to the second confidential computing environment only if a migration policy corresponding to the workload is satisfied.
18. The method of claim 16, further comprising transmitting the migration image to the second confidential computing environment only if a security level of the second confidential computing environment exceeds a threshold defined in a migration policy corresponding to the workload.
19. The method of claim 16, wherein the attestation evidence for verifying the integrity of the first confidential computing environment and the collection of attestation evidence associated with the workload are available in a wrapper data structure.
20. A non-transitory machine-readable storage medium including program code which, when executed, causes a machine to perform the method of claim 16.
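The claims describe a data structure and a check rather than a concrete protocol, so the following is an added worked example, not code from the patent or its assignee. It models the layered trust chain of claims 8 to 10 (root of trust, firmware, trusted platform manager, quoting, tenant; each layer's signed measurement depends on the layer below), the JSON-array wrapper carrying evidence for every environment the workload has lived in (claims 1, 4 and 5), a signed migration image as a stand-in for the JWT or CWT container of claims 7, 12, 13 and 15, and the security-level gate of claims 2 and 3. Assumptions: HMAC-SHA256 replaces the asymmetric signatures a real quoting environment would produce so the script runs with the standard library alone; the verifying side is assumed to hold each platform's root key (the role a vendor root public key plays in practice); encryption of the image (claim 13) is omitted; platform names, keys, layer blobs and the workload bytes are constructed test data.

```python
"""Migration image carrying a lifecycle chain of attestation evidence.

Added example, not code from the patent. HMAC-SHA256 stands in for real
signatures; root keys, platform names and blobs are constructed test data.
"""
import hashlib
import hmac
import json
from typing import Optional

# Layered environments of claim 9, ordered from the root of trust upward.
LAYERS = ["root_of_trust", "firmware", "tpm", "quoting", "tenant"]


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _next_key(key: bytes, measurement: str) -> bytes:
    # DICE-style derivation: a layer's signing key is bound to its parent's
    # key and its own measurement, so a modified layer cannot produce valid
    # signatures for the layers above it (the trust dependency of claim 10).
    return hmac.new(key, measurement.encode(), hashlib.sha256).digest()


def generate_evidence(platform: str, root_key: bytes, blobs: dict) -> dict:
    """Measure every layer and sign it with the key of the layer below it."""
    key, signed = root_key, []
    for layer in LAYERS:
        m = hashlib.sha256(blobs[layer]).hexdigest()
        signed.append({"layer": layer, "measurement": m,
                       "sig": _mac(key, f"{layer}:{m}".encode())})
        key = _next_key(key, m)
    return {"platform": platform, "measurements": signed}


def verify_evidence(evidence: dict, root_key: bytes) -> bool:
    """Walk the chain up from the root of trust; any broken link fails."""
    entries = evidence["measurements"]
    if [e["layer"] for e in entries] != LAYERS:
        return False
    key = root_key
    for e in entries:
        expected = _mac(key, f"{e['layer']}:{e['measurement']}".encode())
        if not hmac.compare_digest(e["sig"], expected):
            return False
        key = _next_key(key, e["measurement"])
    return True


def migration_allowed(policy: dict, target: dict) -> bool:
    """Claims 2-3: migrate only to a target at or above the policy threshold."""
    return target["security_level"] >= policy["min_security_level"]


def build_migration_image(workload: bytes, current: dict, history: list,
                          meta: dict, signing_key: bytes) -> dict:
    """Wrap current plus historical evidence in a JSON array, then sign."""
    body = {"workload": workload.hex(), "evidence": [current, *history], "meta": meta}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "sig": _mac(signing_key, payload)}


def verify_migration_image(image: dict, signing_key: bytes,
                           root_keys: dict) -> Optional[dict]:
    """Target side: check the image signature, then every evidence in the chain."""
    payload = image["payload"].encode()
    if not hmac.compare_digest(image["sig"], _mac(signing_key, payload)):
        return None
    body = json.loads(payload)
    for ev in body["evidence"]:
        rk = root_keys.get(ev["platform"])
        if rk is None or not verify_evidence(ev, rk):
            return None
    return body


def demo() -> dict:
    """Workload started on host-a, moved to host-b, now leaving host-b."""
    root_keys = {"host-a": b"root-a-secret", "host-b": b"root-b-secret"}
    blobs = {layer: f"{layer}-image-v1".encode() for layer in LAYERS}
    ev_a = generate_evidence("host-a", root_keys["host-a"], blobs)
    ev_b = generate_evidence("host-b", root_keys["host-b"], blobs)
    policy = {"min_security_level": 2}
    image = build_migration_image(b"\x7fELF...", ev_b, [ev_a],
                                  {"policy": policy}, b"migration-key")
    # Tampering with a historical firmware measurement breaks that chain.
    bad = json.loads(json.dumps(ev_a))
    bad["measurements"][1]["measurement"] = "00" * 32
    body = verify_migration_image(image, b"migration-key", root_keys)
    return {
        "chain_ok": body is not None and len(body["evidence"]) == 2,
        "tampered_ok": verify_evidence(bad, root_keys["host-a"]),
        "allowed_lvl3": migration_allowed(policy, {"security_level": 3}),
        "allowed_lvl1": migration_allowed(policy, {"security_level": 1}),
        "forged_image": verify_migration_image(
            {"payload": image["payload"] + " ", "sig": image["sig"]},
            b"migration-key", root_keys),
    }


if __name__ == "__main__":
    print(demo())
```

The point a verifier on the second environment cares about is that the evidence array is only as strong as its weakest historical entry: every platform the workload passed through must still verify against a root key the target trusts, and a single altered measurement in an old entry invalidates that entry's chain even though the image signature over the whole array is intact, which is why the example checks both the container signature and each entry independently.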
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
involving digital signatures · CPC title