I don't really understand why I can't also force my device to _lie_ to any app that demands that. Is it somehow checking the exact combination of my firmware against a database of allowed root certs?
More or less, yes. The exact details vary from system to system: TPMs were built for PCs where firmware and OSes are diverse, so TPM works off boot measurements and hash functions. On phones all the attestation stuff runs on a separate processor with only one kind of firmware and it gets told by the main processor whether or not the user installed a custom ROM (in which case, no attestation for you).
This is because the people in the "need attestation yesterday" camp specifically do not want a system in which device owners can lie about their attestation status, because:
- For streaming video platforms, the whole point of trusting attestation is to prevent owner tampering, because they want to ensure that you aren't retaining any video past your subscription end date
- For banks, they want to protect you from hackers, rather than themselves from you, so an owner override "should" be tolerable. However, banks also work entirely off of risk assessments and probabilities. And the number of owners genuinely overriding their own attestations so they can run custom ROMs is lower than the number of hackers who would attack the override so they can steal credit card numbers. So in practice the attestation is a fraud signal[0], and allowing overrides at all is like allowing hackers to falsify your fraud data.
[0] Specifically a signal that something is NOT fraudulent, since all the correct, unmodified software was run
To lie you need to have control of the TPM or trick it somehow - otherwise the remote service will know you are a liar.
This is still possible on Android for instance but it gets more and more difficult - I have a health tracking app that complains daily about the fact that my device is rooted - I will have to see what setting I have to block from it so it stops doing that.
My understanding is that there is something like a system call that a program can use to query the TPM for the current system state. The TPM will then reply with some sort of hash representing the state and also a signature for that hash using a private key stored inside the TPM.
The program (i.e. the Netflix app or a browser) can then pass on that data structure to Netflix's servers, which will then decide if they permit 4K content or not.
To circumvent this, you'd have to know two things:
1) what kind of hash for a "non-rooted" system Netflix is expecting in the first place.
2) the private key to sign the hash with.
To get the former, you'd have to eavesdrop on a connection on a non-rooted device. To get the latter you'd have to extract the key from a TPM, which is likely specifically built to make this hard.
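A toy model of the quote-and-verify flow described in the post above, added here as an illustration and not code from the thread or from any real TPM. It assumes a constructed three-component boot chain, a constructed attestation key, and uses HMAC as a stand-in for the TPM's asymmetric attestation signature (a real verifier needs only the public key); the server-side check shows why a modified system image, a rewritten PCR field, or a replayed quote is rejected.

```python
import hashlib
import hmac
import secrets

# Toy model of a TPM quote (added example, not from the thread). The real attestation key
# is asymmetric and its private half never leaves the TPM; HMAC stands in for it here.
KNOWN_GOOD_BOOT = [b"bootloader v1", b"kernel 6.1 stock", b"system.img stock"]  # constructed

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new = SHA256(old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold a list of boot components into one PCR value; order matters."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class Tpm:
    def __init__(self, attestation_key: bytes, boot_components):
        self._key = attestation_key          # no getter: the key is never handed out
        self.pcr = measure_boot(boot_components)

    def quote(self, nonce: bytes) -> dict:
        sig = hmac.new(self._key, self.pcr + nonce, "sha256").digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}

def verify_quote(q: dict, nonce: bytes, expected_pcr: bytes, key: bytes) -> bool:
    """Server side: fresh nonce, valid signature, PCR equal to the known-good value."""
    if q["nonce"] != nonce: return False     # replayed quote from an earlier challenge
    expected_sig = hmac.new(key, q["pcr"] + q["nonce"], "sha256").digest()
    if not hmac.compare_digest(expected_sig, q["sig"]): return False  # tampered quote
    return hmac.compare_digest(q["pcr"], expected_pcr)

def run_scenarios() -> dict:
    key = secrets.token_bytes(32)           # constructed attestation key
    good_pcr = measure_boot(KNOWN_GOOD_BOOT)
    nonce = secrets.token_bytes(16)
    stock = Tpm(key, KNOWN_GOOD_BOOT)
    custom_rom = Tpm(key, KNOWN_GOOD_BOOT[:2] + [b"system.img custom"])
    doctored = dict(custom_rom.quote(nonce), pcr=good_pcr)  # PCR rewritten, sig now wrong
    return {
        "stock": verify_quote(stock.quote(nonce), nonce, good_pcr, key),
        "custom_rom": verify_quote(custom_rom.quote(nonce), nonce, good_pcr, key),
        "doctored_pcr": verify_quote(doctored, nonce, good_pcr, key),
        "replayed": verify_quote(stock.quote(nonce), secrets.token_bytes(16), good_pcr, key),
    }
```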