It’ll be cryptographic chain-of-trust based, with it sending a fingerprint, probably encrypted/signed with a per device key stored in something like a TPM, to the attestor, who will say if the fingerprint is valid or not.
They’ll inevitably only attest to the state of apps running under this full chain - so full secure boot, no unsigned drivers, only signed/approved apps - probably with a requirement to be installed via the platform’s App Store.
No one will be attesting for Linux because there’s no chain of trust and no control over what runs.
It’s a recipe for eliminating user choice and freedoms.
The current spec has a holdback mechanism. If it actually gets implemented, I don’t expect that holdback mechanism to actually be part of the final implementation - because it makes the whole idea useless.
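The flow the comment above sketches, as an added example that is not part of the thread: a device signs a fingerprint of its measured stack with a per-device Ed25519 key (standing in for a TPM-held key), and an attestor vouches only for enrolled devices whose fingerprint is on its approved list, with a fixed every-Nth holdback standing in for the spec's holdback mechanism. Device IDs, stack component strings and the holdback rate are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Attestation: fingerprint of the measured boot/app stack, signed with a per-device key (TPM-held in practice).
type Attestation struct {
	DeviceID    string
	Fingerprint []byte
	Sig         []byte
}

// Fingerprint hashes the measured stack components in order; any change to any component alters it.
func Fingerprint(stack []string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(stack, "\n")))
	return sum[:]
}

// Attest is the device side: measure the stack, then sign the fingerprint.
func Attest(id string, priv ed25519.PrivateKey, stack []string) Attestation {
	fp := Fingerprint(stack)
	return Attestation{DeviceID: id, Fingerprint: fp, Sig: ed25519.Sign(priv, fp)}
}

// Attestor vouches only for enrolled devices running an approved stack. HoldbackEvery > 0
// withholds every Nth otherwise-valid verdict, a fixed-rate stand-in for the spec's holdback.
type Attestor struct {
	Keys          map[string]ed25519.PublicKey // enrolled device public keys
	Approved      map[string]bool              // hex fingerprints the attestor vouches for
	HoldbackEvery int
	valid         int // valid requests seen so far, drives the holdback
}

func (a *Attestor) Verify(at Attestation) (bool, string) {
	pub, known := a.Keys[at.DeviceID]
	if !known || !ed25519.Verify(pub, at.Fingerprint, at.Sig) {
		return false, "unknown device or bad signature"
	}
	if !a.Approved[hex.EncodeToString(at.Fingerprint)] {
		return false, "stack not approved"
	}
	a.valid++
	if a.HoldbackEvery > 0 && a.valid%a.HoldbackEvery == 0 {
		return false, "held back"
	}
	return true, "attested"
}
```

Note that the attestor never learns anything about a stack except whether its hash is on the approved list, which is exactly why an unlisted configuration such as a self-built kernel can never be vouched for.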
It's unbelievably frustrating to see Google saying "oh, we wouldn't abuse this, trust us, you just have to meet the requirements (that we conveniently haven't specified)" -- frustrating because we know what attestation and chain-of-trust looks like for Google and it's already abused today, and there's zero reason to believe this is going to be different.
Telling us that they're not going to abuse us or limit user freedom while they're actively holding back user freedom. But we're supposed to just not look at that. There are so many examples of Google abusing gatekeeper status; we went through this with Widevine. But even if we ignore all the past abuses (not that Widevine is a past abuse; as far as I know, it's still not available today in a generally accessible form for new browsers) -- even if we ignore all of that, we still have Play Integrity on Android today, currently, that is currently being abused.
We're supposed to not only ignore the past, we're also supposed to ignore the present and to ignore Google's current attestation policies on Android and just assume that Google still has good intentions here.