Secure Creation of Encrypted Virtual Machines from Encrypted Templates
US-2016140343-A1 · May 19, 2016 · US
US9519498B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9519498-B2 |
| Application number | US-201314140214-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 24, 2013 |
| Priority date | Dec 24, 2013 |
| Publication date | Dec 13, 2016 |
| Grant date | Dec 13, 2016 |
Official abstract text for this publication.
Briefly, aspects of the subject matter described herein relate to virtual machines. In aspects, when a host is reset or powered on, a measured boot is performed. If the measured boot indicates that the host is in a state that satisfies a policy for gaining access to a cryptographic key, the cryptographic key may be obtained. The cryptographic key may be used, directly or indirectly, to decrypt data of a virtual storage device. This decrypted data may then be used to instantiate a virtual machine.
Opening claim text (preview).
What is claimed is:

1. A method, implemented at a computer system that includes one or more processors, for securely instantiating a virtual machine, the method comprising: starting a host that includes a virtual environment for hosting a virtual machine, the virtual environment including a virtual security component associated with the virtual machine; performing a boot process to instantiate the virtual environment; at pre-defined states during the boot process, providing measurements of the host to a host security component, the measurements identifying a state of the host that satisfies a policy for hosting the virtual machine; obtaining a first cryptographic key based on the state of the host, including: providing the measurements to a key distribution service external to the host; receiving sealed data that is sealed to a state of the host; and unsealing the sealed data via the host security component, the host security component configured to unseal the sealed data only when the host security component receives evidence that the host is currently in a state that satisfies the policy for hosting the virtual machine; using the first cryptographic key to decrypt the virtual security component associated with the virtual machine; from the decrypted virtual security component, obtaining a second cryptographic key associated with a virtual hard drive that is associated with the virtual machine; using the second cryptographic key to decrypt the virtual hard drive associated with the virtual machine; and instantiating the virtual machine via the associated decrypted virtual hard drive.

2. The method of claim 1, wherein obtaining the first cryptographic key based on the state of the host also includes: providing evidence that a current state of the host satisfies a policy for obtaining the first cryptographic key; and receiving sealed data only when the evidence satisfies the policy.

3. The method of claim 2, further comprising obtaining the evidence from the host security component, the host security component implemented as a discrete hardware device that is integrated with the host and that has protected memory to which only the host security component is allowed to write.

4. The method of claim 3, wherein obtaining the evidence from the host security component comprises obtaining data that has been signed by a secret key of the host security component, the data derived by hashing volatile registers of the host security component, the volatile registers indicative of measurements provided to the host security component.

5. The method of claim 2, further comprising obtaining the evidence from the host security component, the host security component implemented via firmware and a processor of the host.

6. The method of claim 2, further comprising prior to starting the host: configuring the host into a state that satisfies the policy; in conjunction with configuring the host, providing other measurements of the host to the host security component; obtaining security data from the host security component, the security data indicative of a state of the host, the security data derived from the other measurements; and providing the security data to the key distribution service for subsequent use in determining when the evidence does in fact satisfy the policy.

7. The method of claim 1, wherein the key distribution service is controlled by a tenant associated with the virtual machine.

8. The method of claim 1, wherein the key distribution service is controlled by one or more entities of a cloud operator that controls the host.

9. The method of claim 1, further comprising obtaining an attestation from the host security component, the host security component comprising a trusted platform module, the attestation based on matching a current state of the host to the state of the host identified in the measurements provided at the pre-defined states during the boot process, the attestation signed by a private key of the trusted platform module.

10. The method of claim 9, further comprising providing the attestation in response to a policy of a tenant associated with the virtual machine.

11. A computer system, comprising: a system memory for storing data of a host; one or more processors; and one or more computer readable storage media having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to securely instantiate a virtual machine, the computer-executable instructions including instructions that are executable to cause the computer system to perform at least the following: start the host, the host including a virtual environment for hosting a virtual machine, the virtual environment including a virtual security component; perform a boot process to instantiate the virtual environment; at pre-defined states during the boot process, provide measurements of the host to a host security component, the measurements identifying a state of the host that satisfies a policy for hosting the virtual machine; obtain a first cryptographic key from the host security component based on the state of the host, including: providing the measurements to a key distribution service external to the host; receiving sealed data that is sealed to a state of the host; and unsealing the sealed data via the host security component, the host security component configured to unseal the sealed data only when the host security component receives evidence that the host is currently in a state that satisfies the policy for hosting the virtual machine; use the first cryptographic key to decrypt the virtual security component associated with the virtual machine; from the decrypted virtual security component, obtain a second cryptographic key associated with a virtual hard drive that is associated with the virtual machine; use the second cryptographic key to decrypt the virtual hard drive associated with the virtual machine; and instantiate the virtual machine via the associated decrypted virtual hard drive.

12. The system of claim 11, wherein the first cryptographic key is contained in the sealed data.

13. The system of claim 11, wherein the host security component comprises firmware and at least one of the one or more processors.

14. The system of claim 11, wherein the host security component comprises a discrete trusted platform module device.

15. The system of claim 11, wherein only a hypervisor of the host has write access to the system memory.

16. A computer program product comprising one or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors to securely instantiate a virtual machine, the computer-executable instructions including instructions that are executable to cause the computing device to perform at least the following: start a host that includes a virtual environment for hosting a virtual machine, the virtual environment including a virtual security component; perform a boot process to instantiate the virtual environment; at pre-defined states during the boot process, provide measurements of the host to a host security component, the measurements identifying a state of the host that satisfies a policy for hosting the virtual machine; obtain a first cryptographic key based on the state of the host, including: providing the measurements to a key distribution service external to the host; receiving sealed data that is sealed to a state of the host; and unsealing the sealed data via the host security component, the host sec
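The abstract and claims 1, 2, 6, 9 and 12 describe one protocol: measure the host at each boot stage into a host security component, send that evidence to an external key distribution service, receive a first key sealed to the measured state, unseal it inside the host security component, use it to decrypt the virtual security component, take the virtual hard drive key from there, and decrypt the drive. The following Python is an added example written for this page, not code from the patent or its assignee. It models that flow end to end and then exercises the two failure modes the claims rely on: a host that booted a modified component is refused by the key distribution service, and a sealed blob captured from a good boot cannot be unsealed on that host because the unseal is bound to the current measurement. The PCR layout, the boot-stage names, the HMAC-based "quote" and the hash-counter AEAD are assumptions standing in for a TPM's signed quote and a real cipher such as AES-GCM; the sample template and drive contents are constructed.

```python
"""Toy model of the attestation-gated, two-level key release described in the abstract and claims
(added example; PCR layout, HMAC quote and the toy AEAD are assumptions, not the patent's design)."""
import hashlib
import hmac
import os

BOOT_STAGES = [b"firmware-v1", b"bootloader-v1", b"hypervisor-v1"]  # constructed sample

def extend(pcr, measurement):
    """TPM-style PCR extend: PCR' = SHA256(PCR || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(stages):
    """Extend one PCR at each pre-defined boot stage; order and content both matter."""
    pcr = bytes(32)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC toy AEAD (assumption; use AES-GCM in production)."""
    nonce = os.urandom(12)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def aead_decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("refused: key or host state does not match")
    return _xor_stream(key, nonce, ct)

class HostTPM:
    """Host security component (claims 3, 4, 9): holds secrets host software cannot read."""
    def __init__(self, pcr):
        self.pcr = pcr
        self.attest_key = os.urandom(32)  # stand-in for the TPM's attestation key pair
        self.seal_secret = os.urandom(32)  # stand-in for a storage key the KDS wraps to
    def quote(self):
        """Evidence for the KDS: current PCR plus a MAC over it (real TPM: a signature)."""
        return self.pcr, hmac.new(self.attest_key, self.pcr, hashlib.sha256).digest()
    def seal_key_for(self, pcr):
        """Key derivable only while the PCR equals `pcr`."""
        return hmac.new(self.seal_secret, pcr, hashlib.sha256).digest()
    def unseal(self, sealed):
        """Unseal against the CURRENT PCR; a host that booted anything else fails here."""
        return aead_decrypt(self.seal_key_for(self.pcr), sealed, aad=b"sealed-to-pcr")

class KeyDistributionService:
    """External KDS (claims 7, 8): releases the sealed first key only to hosts in policy."""
    def __init__(self):
        self.hosts = {}
    def enroll(self, host_id, tpm):
        """Claim 6: record the good-state PCR plus verification/sealing material; mint K1."""
        k1 = os.urandom(32)
        self.hosts[host_id] = (tpm.pcr, tpm.attest_key, tpm.seal_key_for(tpm.pcr), k1)
        return k1
    def release(self, host_id, quote):
        good_pcr, attest_key, seal_key, k1 = self.hosts[host_id]
        pcr, mac = quote
        ok = hmac.compare_digest(mac, hmac.new(attest_key, pcr, hashlib.sha256).digest())
        if not ok or pcr != good_pcr:
            raise PermissionError("host state does not satisfy policy")
        return aead_encrypt(seal_key, k1, aad=b"sealed-to-pcr")  # claim 12: K1 is inside the sealed data

def instantiate_vm(host_id, tpm, kds, encrypted_vtpm, encrypted_vhd):
    """Claim 1: quote -> sealed K1 -> unseal in TPM -> decrypt vTPM -> K2 -> decrypt VHD."""
    k1 = tpm.unseal(kds.release(host_id, tpm.quote()))
    vtpm_state = aead_decrypt(k1, encrypted_vtpm, aad=b"vtpm")
    k2 = vtpm_state[:32]  # the VHD key lives inside the virtual security component
    return aead_decrypt(k2, encrypted_vhd, aad=b"vhd")

def demo():
    """Happy path; tampered host refused by the KDS; replayed sealed blob refused by the TPM."""
    kds, good = KeyDistributionService(), HostTPM(measured_boot(BOOT_STAGES))
    k1, k2 = kds.enroll("host-1", good), os.urandom(32)
    enc_vtpm = aead_encrypt(k1, k2 + b"vtpm-nvram", aad=b"vtpm")  # constructed encrypted template
    enc_vhd = aead_encrypt(k2, b"constructed VHD bytes", aad=b"vhd")
    out = {"vhd": instantiate_vm("host-1", good, kds, enc_vtpm, enc_vhd)}
    bad = HostTPM(measured_boot(BOOT_STAGES[:2] + [b"hypervisor-backdoored"]))
    bad.attest_key, bad.seal_secret = good.attest_key, good.seal_secret  # same hardware, bad boot
    try:
        instantiate_vm("host-1", bad, kds, enc_vtpm, enc_vhd)
        out["tampered"] = "released"
    except PermissionError:
        out["tampered"] = "kds_refused"
    sealed = kds.release("host-1", good.quote())  # captured from a good boot, replayed to the bad host
    try:
        bad.unseal(sealed)
        out["replay"] = "unsealed"
    except ValueError:
        out["replay"] = "tpm_refused"
    return out
```

Running `demo()` returns the decrypted drive for the good host and the two refusals. The point worth noticing is that the two gates are independent: the key distribution service checks the quote against the enrolled good state, but even if that check were bypassed or the sealed blob were captured in transit, the unseal is computed from the host security component's current measurement, so a host that loaded a different hypervisor derives a different unsealing key and the first key never appears in host memory.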
Isolation or security of virtual machine instances · CPC title
Secure boot · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Processor initialisation · CPC title
Hypervisors; Virtual machine monitors · CPC title