Seth has posted further, in-depth notes about our meeting with Microsoft's Palladium team, going into great detail about the technical workings and intentions of the system — and there's no Latin in sight this time! The closer you look at Palladium, the more civil liberties implications begin to surface. Again, Seth is the likely most technical person to have received a briefing like this without signing an NDA; his notes are lucid, accurate and well-informed.
When you want to start a Palladium PC in trusted mode (note that it doesn't have to start in trusted mode, and, from what Microsoft said, it sounds like you could even imagine booting the same OS in either trusted or untrusted mode, based on a user's choice at boot time), the system hardware performs what's called an "authenticated boot", in which the system is placed in a known state and a nub is loaded. A hash (I think it's SHA-1) is taken of the nub which was just loaded, and the 160-bit hash is stored unalterably in the PCR, and remains there for as long as the system continues to operate in trusted mode. Then the operating system kernel can boot, but the key to the trust in the system is the authentication of the nub. As long as the system is up, the SCP knows exactly which nub is currently running; because of the way the CPU works, it is not possible for any other software to modify the nub or its memory or subvert the nub's policies. The nub is in some sense in charge of the system at a low level, but it doesn't usually do things which other software would notice unless it's asked to.