I failed to learn how this exactly works, but you're looking for the term 'remote attestation'. This aims to prove that your computer is only running the approved software by having the TPM look into the computer's memory, hash the running software and its configuration and signing the hash with a unique private key burned into the TPM that is impossible to extract without physically invading the chip.