
I think the requirement here is that the owner of the user account needs to be able to register their own attestation keys. The owner of the account may be an employer or an end user.

It must not be a hardware manufacturer.



Yes, that I can support.


Note, this makes the system more secure, because the manufacturer is no longer a single point of failure, and a compromised key can be rotated by the account owner.


As long as the system is fully auditable and open source, I’d be happy. Having the keys be external is a big plus, assuming that is fully auditable as well. Having no “management engine” is a big plus too.



