Don't zero trust architectures often require secure boot as well as a functioning TPM-like secure enclave to do attestation on the client device before allowing the user to log on to some resource?
I would say that's a bonus. Zero trust should be based on strong identity (e.g., x509) and authentication/authorisation-before-connect; ideally that identity would come from HWRoT/TPM. Unfortunately, many vendors say they are zero trust while only implementing some aspects/principles. I wrote a blog on this topic earlier in the year - https://netfoundry.io/demystifying-the-magic-of-zero-trust-w...