Comment 17 for bug 1456228

The trusted check runs as a filter in Nova's scheduler. It only runs when a VM is launched and automatically scheduled. In addition to powering on, you can also migrate a trusted VM to an untrusted host after it is scheduled. The trust check involves sending a request to an external trust attestation service. The Nova team will likely not accept any patches that add a check like that to any other operation.