[Retr0id]

> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.

[jon-wood]

Sure, it’s one element in a defense in depth. You ensure that post boot it’s not possible to manipulate what’s being loaded, and then you ensure that during boot the OS in the expected state for that to be true. It’s not a panacea but it is an important part of the process.