From the paper: https://github.com/Layr-Labs/d-inference/blob/master/papers/...
> Apple’s attestation servers will only generate the FreshnessCode for a genuine device that checks in via APNs. A software-only adversary cannot forge the MDA certificate chain (Assumption 3). Combined with SIP enforcement (preventing binary replacement) and Secure Boot (preventing bootloader tampering), this provides strong evidence that the signing key resides in genuine Apple hardware.
I am not entirely sure they understand that System Integrity Protection and Secure Boot can be turned off.