Remote attestation is the true enemy of your freedom. The power of the authoritarian corporatocracy to force you to use only the (entire) systems they control. It's worth reading https://www.gnu.org/philosophy/right-to-read.en.html again just to see how prescient Stallman was.
RA is a technology that has its fair use, and can be desired for other systems, like in Linux. With a pure RA system your services can decide to trust or not those devices on your network that can be compromised, and report to other devices that there is something suspicious.
As anything, this can be used properly to increase the security of your edge architecture, or wrongly to limit the users actions.
Let me put another example. With RA I should be able to authorize validated systems in my R&D VPN. If you are using your own laptop with the company certificate, and the verifier tag the systems as "unknown" or "unhealthy", it will not allow the access to the internal network, but sure you can still use your laptop for anything else. This, IMHO, is a fair use of this technology.
Because god forbid you have control of your own PC?
Of course, the system for it is rudimentary, and puts a disproportionate amount of control in the hands of providers. And that works very well for them too.
And it is a pretty terrible solution to the problem.
- It is also keeping the good guys outside too: Anyone that want to analyse and understand the security of the system for good reasons cannot. Excepted if explicitly allowed by the corporation X and that is a terrible security property.
- No root access also means very little control or ability to scan the system itself if your are not the X corporation controlling it. That means no possibility to mandate reviewer corporation Y to check that corporation X is doing the right thing. TPMs currently make that even worst by design, they are undocumented and complex, therefore rely on blind trust that company X do the rthe ight thing. And since the Intel management engine fiasco, we do know they are not doing the right thing.
- Bonzi Buddy and toolbar type of problem can be easily avoided by separating properly the normal user account from any admin account(the unix way). It should be painful to be admin but not impossible, just to make sure your grandma do not install a rootkit by mistake when she want her 20% coupon.
In summary: That is mainly bullshit from company X to keep full control on the entire user device, and not for their own good.
Regarding Bonzi Buddy, I disagree. I think user data is as important, if not more important, than root access - which is why I'm dumbfounded when ancient server security features, like Linux's sudo system, are applied to the consumer device like a PC or a smartphone. These contexts are much better server by a sandboxing, permission-based whatever that seems to pick up steam, like the current permission systems on smartphones. Grandma's logins and bank data will be stolen from her own user account just the same as an admin account. Related XKCD[1]