> Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even connected devices often use cellular (= intermittent) connections.
If a firewall is setup to check the security of severs or desktops siting behind it, it can take them offline as soon as they fail a trust check. A mobile device like an Android integrates with online systems such as the update system that could in theory perform such checks for you (alerting your by email perhaps). A lot is possible if the software can be sorted properly...
> > The idea is that the signing process continues after boot and no code is run without first being checked
> This assumes a completely closed software ecosystemwhich, again, is far from the normal case in almost all modern use-cases.
Really? Don't many distros and Anrdoid already only download correctly signed code updates by default? Linux is already much more "closed" or at least "centralized" in one sense than Windows in that most software is installed via apt-get or whatever.
It's not hard to imagine extending this framework to include the TPM, so that your system can attest it is running the code as provided by the update servers, not some code compromised in transit or after it was installed on your machine.