This issue was always taken very seriously in other circles, including recognizing that virtualization is no cure-all.<p>Physical separation of the resource pools into equivalence classes or trust zones is just about the only sane way to recycle equipment. You might shelve and reuse equipment for the same customer or set of customers bound by mutually-covering legal agreements and mutual existential risks. You really have to think twice before putting non-trusting tenants together and consider the worst case. A proper service offering for sensitive workloads should involve decommissioning plans.<p>Promoting or demoting hardware between classes is difficult. You have to be very confident in scrubbing writable storage to demote hardware to a less trusted class, so you don't leak privileged information. But you have to be even more confident to go the other way, so you don't allow injection of malware as postulated in the blog post.<p>There was a time when the provider might be able to strip a machine to its bare bones, re-flashing firmware and replacing peripherals which couldn't be sanely verified, to reinitialize it as a new trusted machine. But, there are so many bits of writable firmware storage and different embedded controllers in modern machines, so it becomes futile to imagine scrubbing it all.