[kibwen]

In the case of the above, you're not trusting the server, you're only trusting the CPU manufacturer. Attestation happens within the secure enclave inside the CPU, at which point having physical access to the machine doesn't (well, shouldn't, if it's correctly implemented) give you any insight into what code it's running or what data it's operating upon.

[worldsavior]

How can you know which CPU is running? Also, the software could easily change the output of the security chip (secure enclave is only on apple devices).

[kibwen]

Part of the attestation process involves receiving a cryptographic signature from the CPU vendor. They can only fake it if they break the cryptography. And enclaves (or "trusted execution environments") aren't only on Apple chips, AMD and Intel have their own implementations.

[worldsavior]

But the CPU is first sending the signature to the OS, thuse enabling the OS to send you something else.