[throwaway7679]

The ideal is the owner being able to use TPM/SecureBoot/etc to ensure that the device is in the configuration they want. That means resisting tampering, and making any successful tampering become obvious.

The problem is third parties using TPM/SecureBoot/etc as a weapon against the owner via remote attestation, by preventing them from configuring their own device, with the threat of being cut off from critical services.

Having the upside without the downside would be nice, but how could it work? Is a technical solution feasible, or would it need a law/regulation?

[dietr1ch]

Not a crypto expert, but given how both, bad players seeking control and people seeking to verify their cloud machines are both remote it seems that the technology will rollout without problem and will end up being force fed into all consumer devices with bullshit excuses.