Possibly TPM-backed remote attestation. Having said that, once you are at the point of being worried about hardware DMA attacks, TPM attestation is not as foolproof as you might think.