The WEI standard does not prescribe this, as far as I can tell. One way to do this would be to use something like Secure Boot (broadly speaking), which can make "independent" measurements of what is being executed and sign that with a private key that never leaves (something like) a TPM.