TingPing, 6 hours ago:

The chain of trust always has a software layer. I don't believe what you want is possible. I find the bank talking point strange: why are they special? Are they even targeted more? It just feels like a boogeyman "think of your money!"
microtonal, 5 hours ago:

For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS, performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with the exception of the boot ROM. The reason why the system gets broken on Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone has had since the 5s, and Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which sets up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but it is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).

[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...
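The boot chain and attestation flow described in the comment above, as an added worked example that is not part of the thread and not any vendor's code. It assumes a single vendor signing key for every stage (real devices chain per-stage keys) and uses HMAC-SHA256 with constructed keys as a stand-in for the vendor's asymmetric image signatures and the enclave's attestation signature, so it runs offline with only the standard library. The relying-party check shows the three things a verifier actually needs from such a report: a valid enclave signature, a fresh nonce, and every stage both verified and matching a known-good digest.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed keys for the example. On a real device the vendor's public key is
# burned into the boot ROM and the attestation key never leaves the enclave's
# tamper-resistant storage. HMAC-SHA256 stands in for asymmetric signatures
# (vendor-signed images, enclave-signed reports) so the script runs offline.
VENDOR_KEY = b"constructed-vendor-image-signing-key"
ENCLAVE_KEY = b"constructed-enclave-attestation-key"

STAGES = ["bootloader", "kernel", "system"]  # the boot ROM is the implicit root


def _sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(key, data), sig)


@dataclass
class Image:
    stage: str
    blob: bytes
    signature: bytes  # vendor signature over blob


def golden_digests(blobs: dict) -> dict:
    """Known-good SHA-256 per stage, as a relying party would have on file."""
    return {s: hashlib.sha256(b).hexdigest() for s, b in blobs.items()}


def build_chain(blobs: dict) -> list:
    """Vendor side: sign each stage image. Boot order follows STAGES."""
    return [Image(s, blobs[s], _sign(VENDOR_KEY, blobs[s])) for s in STAGES]


def boot(chain: list) -> list:
    """Device side: each stage verifies the next before handing off.
    Returns the measurement log that the enclave later attests to."""
    log = []
    for img in chain:
        ok = _verify(VENDOR_KEY, img.blob, img.signature)
        log.append({"stage": img.stage,
                    "digest": hashlib.sha256(img.blob).hexdigest(),
                    "verified": ok})
        if not ok:
            break  # verified boot halts here; later stages never run
    return log


def attest(log: list, nonce: bytes) -> tuple:
    """Enclave side: bind the measurement log to the verifier's nonce and sign it."""
    report = json.dumps({"nonce": nonce.hex(), "log": log}, sort_keys=True).encode()
    return report, _sign(ENCLAVE_KEY, report)


def check_attestation(report: bytes, sig: bytes, nonce: bytes, golden: dict) -> bool:
    """Relying party: accept only a fresh, enclave-signed report in which every
    expected stage ran, verified, and matches its known-good digest."""
    if not _verify(ENCLAVE_KEY, report, sig):
        return False  # not produced by the enclave key
    data = json.loads(report)
    if data["nonce"] != nonce.hex():
        return False  # replayed or pre-computed report
    seen = {m["stage"]: m for m in data["log"]}
    if set(seen) != set(golden):
        return False  # a stage never ran (boot halted) or was skipped
    return all(m["verified"] and m["digest"] == golden[m["stage"]]
               for m in seen.values())


def run_scenario(tamper: bool) -> bool:
    """End-to-end: constructed images, optional kernel tampering, one attestation."""
    blobs = {"bootloader": b"bootloader-v1", "kernel": b"kernel-v1", "system": b"system-v1"}
    golden = golden_digests(blobs)
    chain = build_chain(blobs)
    if tamper:
        chain[1].blob = b"kernel-v1-modified"  # vendor signature no longer matches
    nonce = os.urandom(16)
    report, sig = attest(boot(chain), nonce)
    return check_attestation(report, sig, nonce, golden)


if __name__ == "__main__":
    print("clean device attests:", run_scenario(tamper=False))
    print("tampered kernel attests:", run_scenario(tamper=True))
```

The point the comment makes about updates falls out of the structure: everything after the boot ROM is an image whose signature and golden digest can be rotated, while a flaw in the ROM's own verification step sits below everything the report covers, so no later stage can attest its way around it.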
ulrikrasmussen, 5 hours ago:

The software layer in age verification doesn't need to be trusted, though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous, so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
Retr0id, 5 hours ago:

You can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them; they're only weakening their own security.