You can validate the system is in a known, good state at boot-time, but that does not apply at run-time. You can use Intel Trusted Execution Technology (TXT) to measure the system is in a known, good state and store those measurements in the Trusted Platform Module (TPM). When you attest remotely, if the whitelist values do not match, you do not admit the system into your infrastructure. This approach can take measurements up to the VM-layer (hardware/firmware/BIOS/hypervisor). There are solutions to attest at boot-time (PrivateCore vCage), but run-time is another matter.

There are foundation technologies to address this - Intel Trusted Execution Technology (TXT) and Trusted Platform Modules (TPMs). You can take measurements with TXT and store them securely in TPMs. Attesting remotely will tell you whether or not you have a good/valid/trusted system that has good/valid/trusted measurements from the TPM. This is not a lost cause, and there are companies out there taking advantage of TXT & TPMs to establish trust. This can shrink the perimeter down to the CPU. If your CPU is backdoored, all bets are off. But you have to establish a root of trust somewhere.