I work at AWS on these systems. We do fund research on Graviton. But our main approach to "Confidential Computing" has always been very different and based on the Nitro system. We run our virtualization on dedicated Nitro cards, with their own CPUs and memory, that are separate from the hardware running customers' EC2 instances. The Nitro system is hermetic and doesn't grant us access to a customer's memory or operations, and the simple design and interface is there to minimize the surface area for any potential issues. (We also put all this in our terms of service.)

All customers on Nitro get that enhanced confidentiality between their instance and us as a cloud provider, but for customers who want to run workloads that are confidential from themselves, we do also offer AMD SEV based instances as well as our own Nitro Enclaves product.



For those of us that don’t work at AWS, their docs are actually quite good at describing the Nitro system, very interesting read: https://docs.aws.amazon.com/whitepapers/latest/security-desi...


Essentially, you're giving each customer not a VM but a physical blade server?



