But how will the virtual machine verify its host?

Yes, one of the main points (based on my understanding) is that the cloud provider can feel relieved, now that they're not on the hook anymore — because: "Hey, it's all encrypted; _you_ have the keys. So even to run a binary we need your (the guest owner) involvement."

And indeed, since the "trusted entity" is the hardware, so you're placing trust in the CPU/SoC. I'll let more clueful people than me to correct me or add further details.