Aren't all device attestation schemes underpinned by authenticated boot which itself is underpinned by a TPM? This is certainly the case for Android - AVB is implemented on top of secure boot on all the devices I've ever owned (and Play Integrity, if I had ever permitted it to run, on top of that). Do I have some misunderstanding about the stack?

> Conversely, DRM is alive and well on almost universally TPM-less devices.

You mean software DRM I assume? Because the only TPM free hardware backed DRM that comes to mind is GPU based encrypted streams where the GPU does the decoding and final compositing locally. And even then the TPM-equivalent exists, it just isn't accessible to the end user.

SGX can be used to do various interesting things without attesting the state of the broader system, but none of the examples that immediately come to mind feel much like DRM to me.

> comments in this thread end up dead

Thanks for letting me know. I guess I should email them?