I describe in my own words the attestation protocol described in section 3.3 of this paper. I had not understood it before.

The chip manufacturer has an RSA key pair that they use as root CA. As a chip is manufactured, a new key pair is created for that chip and the new public key is signed by the root CA. That signature is called the chip cert here (“Endorsement Certificate” there). The chip also remembers its secret RSA key in tamper-resistant hardware within the chip. It also remembers its chip cert and its public key, which are not secret. Hopefully the manufacturer forgets the whole key pair for the new chip. Hollywood (called the “verifier” there) trusts the manufacturer and knows the public key for the root CA. When the chip takes the initiative, it sends Hollywood its public key and the corresponding chip cert. Hollywood, knowing the public key for the root CA, verifies the signature and for a while knows that said public key is from some chip by said manufacturer. Hollywood can now verify messages signed by the chip. Presumably there is by this time code in the enclave trusted by Hollywood. Asynchronously these two things happen:

All of this before any code in the enclave has run. Hollywood now verifies each hash in that message, concluding that the enclave is properly initialized, and now Hollywood and the chip have an agreed symmetric key, g^AB; Hollywood knows the code it is talking to with that key.
Chip certs are now subject to reputation. If the secret key of some chip were extracted and abused then it becomes increasingly likely that that public key will be blacklisted.
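
The checks Hollywood makes, as an added sketch that is not taken from the paper: chip cert against the root CA, the blacklist, then the chip's signature over a reported enclave hash. Assumptions: the report is a single SHA-256 hash, all function and variable names are hypothetical, and the signatures are unpadded textbook RSA over fixed Mersenne primes so the code needs only the standard library (a real verifier uses a vetted library with padded signatures).

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def keypair(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def valid(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def pub_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed demo keys from Mersenne primes: insecure, fixed for repeatability.
ROOT_N, ROOT_D = keypair(2**521 - 1, 2**607 - 1)      # manufacturer root CA
CHIP_N, CHIP_D = keypair(2**1279 - 1, 2**2203 - 1)    # per-chip key pair
CHIP_CERT = sign(pub_bytes(CHIP_N), ROOT_N, ROOT_D)   # created at manufacture

def verifier_accepts(chip_n, chip_cert, report, report_sig,
                     expected_hash, blacklist=frozenset()):
    """Hollywood's checks in order; returns (ok, reason)."""
    if chip_n in blacklist:
        return False, "chip key blacklisted"
    if not valid(pub_bytes(chip_n), chip_cert, ROOT_N):
        return False, "chip cert not signed by root CA"
    if not valid(report, report_sig, chip_n):
        return False, "report not signed by this chip"
    if report != expected_hash:
        return False, "enclave hash mismatch"
    return True, "ok"

# Constructed sample: hash of the enclave image Hollywood trusts, signed by the chip.
GOOD = hashlib.sha256(b"trusted enclave image").digest()
REPORT_SIG = sign(GOOD, CHIP_N, CHIP_D)

if __name__ == "__main__":
    print(verifier_accepts(CHIP_N, CHIP_CERT, GOOD, REPORT_SIG, GOOD))
    print(verifier_accepts(CHIP_N, CHIP_CERT, GOOD, REPORT_SIG, GOOD, {CHIP_N}))
```

A key pair that was never certified by the root CA fails at the second check, and a chip whose public key has been blacklisted fails at the first even though its cert and signatures are still mathematically valid.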