Can you not simply enroll your own keys in your TPM and still boot with custom-signed drivers that circumvent all this? I mean, yeah, it's a lot more work but it would still work I guess?
This is where measured boot and remote attestation come in. You can run whatever software you like, but you will only be able to attest to running what you are actually running (barring an attack on the TPM or some other trusted component earlier in the chain).
The remote game server would then need to decide if it wants to let you connect given your inability to attest to running a trusted configuration.
I've seen this setup work in very controlled conditions. But given how diverse the ecosystem is, someone is going to put out a buggy system, and too many legitimate users will buy it for most games to be willing to blacklist it.
That would also happen when a Windows 11 update comes along, or a driver update (or when I change my GPU). How would they differentiate between those scenarios?
Easy: you can see what's "inside" the secure fingerprints. You can see there is an unknown trusted key in there in the user-custom-key example, while for Windows 11/driver updates all the keys would be known ones from Microsoft.
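The point of the last two comments, that a verifier does not compare opaque PCR hashes but replays the measurement log and inspects what was measured, can be shown with a small simulation. This is an added example, not code from anyone in the thread: the log shape, the PCR assignments (PCR 7 for enrolled Secure Boot db keys, PCR 4 for boot code and drivers), the signer names in `KNOWN_DB_KEYS` and the helper `sample_log` are all simplifications constructed for illustration, and the "quoted" PCRs are simulated by replaying the genuine log rather than coming from a TPM quote.

```python
import hashlib

# Assumed allowlist of trusted Secure Boot db signers (placeholder names, not real certificates).
KNOWN_DB_KEYS = {"ms-uefi-ca-2011", "ms-win-pca-2011"}

PCR_SECURE_BOOT = 7   # roughly: Secure Boot policy and enrolled keys
PCR_BOOT_CODE = 4     # roughly: boot manager / early boot code


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Recompute every PCR from the event log, as a verifier does before trusting the log's contents."""
    pcrs = {}
    for pcr_index, _label, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, b"\x00" * 32), digest)
    return pcrs


def verify(events, quoted_pcrs):
    """Return (ok, reasons). Fails closed on a log that does not reproduce the quote
    or on any enrolled db key that is not on the allowlist."""
    reasons = []
    if replay(events) != quoted_pcrs:
        reasons.append("event log does not reproduce the quoted PCR values")
    for pcr_index, label, data in events:
        if pcr_index == PCR_SECURE_BOOT and label == "db-key":
            key = data.decode()
            if key not in KNOWN_DB_KEYS:
                reasons.append(f"unknown Secure Boot db key enrolled: {key}")
    return (not reasons, reasons)


def sample_log(driver=b"gpu-driver-v1", extra_key=None):
    """Constructed event log: (pcr_index, label, measured data). Toy shape, not TCG_PCR_EVENT2."""
    events = [
        (PCR_SECURE_BOOT, "db-key", b"ms-uefi-ca-2011"),
        (PCR_SECURE_BOOT, "db-key", b"ms-win-pca-2011"),
    ]
    if extra_key is not None:
        events.append((PCR_SECURE_BOOT, "db-key", extra_key))
    events += [
        (PCR_BOOT_CODE, "bootloader", b"bootmgfw.efi-build-1"),
        (PCR_BOOT_CODE, "driver", driver),
    ]
    return events


if __name__ == "__main__":
    baseline = sample_log()
    updated = sample_log(driver=b"gpu-driver-v2")      # driver update: PCR 4 changes, PCR 7 does not
    custom = sample_log(extra_key=b"my-custom-key")    # user-enrolled key: shows up in PCR 7's log
    print("driver update accepted:", verify(updated, replay(updated)))
    print("custom key accepted:   ", verify(custom, replay(custom)))
    print("PCR7 stable across update:", replay(baseline)[7] == replay(updated)[7])
```

Comparing raw PCR values would reject the legitimate driver update (PCR 4 differs) just as it rejects the custom key, which is the confusion in the question above. Replaying the log and checking the individual db-key entries against the allowlist separates the two cases, and the replay check also catches a log that was edited to hide an entry, because the edited log no longer reproduces the quoted values.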