1. In what way does VC3 rely on attestation? More precisely, what goes wrong if an attacker can generate a valid quote that is *not* running on a legitimate SGX processor?
2. What does an attacker that controls the software stack on all machines (e.g., hypervisor and OS) and the network, but not the SGX enclaves, learn about the user’s computation? (Assume that the attacker does not run attacks listed as out-of-scope in the “adversary model” section.)