Comment 8 for bug 1456228

Sylvain Bauza (sylvain-bauza) wrote :

The TrustedFilter filter actually doesn't check by itself but rather calls the Attestation API to know if the destination host is correct or not. That way, it's just when the instance is scheduled that it goes to the scheduler, then finds an acceptable destination (so calls the Attestation API for each host to see if it's compromised or not) and then calls the corresponding compute node to spawn that VM.

Once the VM is spawned, the scheduler is no longer involved unless a migration, a resize or an evacuation is asked for that VM.
That means that having a valid host, running a VM, stopping it, compromising the host, then restarting the VM is something that Nova doesn't check, because it's not its responsibility.

To be clear, Nova doesn't want to support that feature.