Attestationd is a ChromeOS daemon responsible for attestation of identity and device state by interacting with HSM (Hardware Security Module), verified boot, PCA (Privacy Certification Authority) and VA (Verified Access).
ChromeOS firmware, coreboot, at booting updates the current boot mode (Normal/ Dev/...) and the HWID (Hardware ID) in HSM, and ensures they could not be changed afterwards.
When using TPM (Trusted Platform Module), this is implemented by extending PCR (Platform Configuration Register): new PCR = Digest(old PCR || data to extend). Once the PCR is extended, it's infeasible to be extended to another valid value.
In this way, we can ensure the integrity of the current boot mode and HWID of the device.
In OOBE, Attestationd prepares several things for enrollment. By using HSM, Attestationd fetches the Endorsement Certificate and creates AIK (Attestation Identity Key) and quotes (signs) the PCRs by AIK.
When enrolling, the followings are sent to PCA in general:
PCA verifies the above and then gives the AIK certification back to attestationd. Thus, the enrollment is completed.