by kmeisthax 1136 days ago
More or less, yes. The exact details vary from system to system: TPMs were built for PCs where firmware and OSes are diverse, so TPM works off boot measurements and hash functions. On phones all the attestation stuff runs on a separate processor with only one kind of firmware and it gets told by the main processor whether or not the user installed a custom ROM (in which case, no attestation for you).

This is because the people in the "need attestation yesterday" camp specifically do not want a system in which device owners can lie about their attestation status, because:

- For streaming video platforms, the whole point of trusting attestation is to prevent owner tampering, because they want to ensure that you aren't retaining any video past your subscription end date

- For banks, they want to protect you from hackers, rather than themselves from you, so an owner override "should" be tolerable. However, banks also work entirely off of risk assessments and probabilities. And the number of owners genuinely overriding their own attestations so they can run custom ROMs is lower than the number of hackers who would attack the override so they can steal credit card numbers. So in practice the attestation is a fraud signal[0], and allowing overrides at all is like allowing hackers to falsify your fraud data.

[0] Specifically a signal that something is NOT fraudulent, since all the correct, unmodified software was run
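The "boot measurements and hash functions" model the comment describes, as an added worked example that is not the commenter's code and not any vendor's implementation. It simulates a TPM-style measured boot: firmware hashes each boot stage into a PCR (SHA-256 of old value concatenated with the new digest, the TPM 2.0 extend operation), the device "quotes" the PCR over a verifier nonce, and the verifier replays the event log and compares against a known-good value. The component bytes, the nonce and the attestation-key secret are constructed for the example, and an HMAC stands in for the signature a real TPM would make with its attestation key. It also shows why an owner cannot simply lie: swapping in the stock event log, or reporting the stock PCR, fails one of the checks.

```python
import hashlib
import hmac

# TPM 2.0 SHA-256 PCR bank starts at all zeros; extend is new = SHA256(old || digest)
PCR_INITIAL = b"\x00" * 32


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate firmware measuring each boot stage into a single PCR.
    components: list of (name, bytes). Returns (final_pcr, event_log).
    Order matters: extending A then B gives a different PCR than B then A."""
    pcr = PCR_INITIAL
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR a verifier would expect from the presented event log."""
    pcr = PCR_INITIAL
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def quote(ak_secret: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Stand-in for a TPM quote: (PCR, nonce) bound with a key only the TPM holds.
    Assumption: HMAC replaces the real attestation-key signature for the example."""
    return hmac.new(ak_secret, pcr + nonce, hashlib.sha256).digest()


def verify(ak_secret, nonce, attested_pcr, sig, log, golden_pcr):
    """Verifier side: authenticity of the quote, consistency of the log, then policy."""
    if not hmac.compare_digest(quote(ak_secret, attested_pcr, nonce), sig):
        return False, "quote signature invalid (forged PCR or stale nonce)"
    if replay_log(log) != attested_pcr:
        return False, "event log does not replay to quoted PCR"
    if attested_pcr != golden_pcr:
        return False, "PCR differs from known-good value (modified boot chain)"
    return True, "ok"


# Constructed sample boot chains; a custom ROM replaces the last measured stage.
STOCK = [
    ("firmware", b"vendor-firmware-v1"),
    ("bootloader", b"vendor-bootloader-v1"),
    ("kernel", b"vendor-kernel-v1"),
]
CUSTOM = STOCK[:2] + [("kernel", b"custom-rom-kernel")]
AK_SECRET = b"constructed-attestation-key-held-by-tpm"  # never leaves the TPM
GOLDEN_PCR, _ = measured_boot(STOCK)  # value the service expects for stock software


def scenario(components, forge_log=False, forge_pcr=False):
    """Boot the given chain, quote it, and run the verifier.
    forge_log: owner presents the stock event log with their real quote.
    forge_pcr: owner reports the stock PCR but can only produce their real quote."""
    nonce = b"constructed-server-nonce-001"
    pcr, log = measured_boot(components)
    sig = quote(AK_SECRET, pcr, nonce)
    if forge_log:
        _, log = measured_boot(STOCK)
    if forge_pcr:
        pcr = GOLDEN_PCR
    return verify(AK_SECRET, nonce, pcr, sig, log, GOLDEN_PCR)


if __name__ == "__main__":
    print("stock:          ", scenario(STOCK))
    print("custom ROM:     ", scenario(CUSTOM))
    print("forged log:     ", scenario(CUSTOM, forge_log=True))
    print("forged PCR:     ", scenario(CUSTOM, forge_pcr=True))
```

The three checks are deliberately ordered: the quote signature proves the PCR value came from the device's TPM, the replay proves the presented log is the one that produced it, and only then is the value compared to policy. The honest custom-ROM device fails only the last check, which is exactly the "no attestation for you" outcome the comment describes; the two forgery attempts fail earlier.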