
How do I validate an attestation's measurement against a bare metal machine?

I have access to a bare metal TDX host machine. Access is remote but I am able to reboot into the BIOS and make changes at that level. I am in contact with someone (trusted) who has direct physical access to this machine.
I have a TDX-capable .qcow2 image generated using the TDX Canonical repo, which I have run on both this bare metal TDX host, and on a Google Cloud machine. The image, for debugging purposes, has SSH access and I have generated an attestation report with:
report=/sys/kernel/config/tsm/report/report0
mkdir $report
dd if=binary_userdata_plus_nonce > $report/inblob
cat $report/outblob > attestation.bin
I have then extracted the measurement values from this report as generated on Google Cloud and on the bare metal VM. All values except for the Vendor ID and nil values are different. Explicitly, MRSEAM, MRTD, RTMR[0:2] are all different.
How do I configure a bare metal machine so that it produces the same attestation values I get for this image on a c3-standard-4 Google Cloud instance?
Note that I am looking to confirm that Google are in fact running the image I have submitted, without modification and without a firmware backdoor. I am not looking to prove to third-parties that an attestation came from Google Cloud firmware.
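An added example, not part of the original post: a field-by-field comparison of two attestation blobs like the `attestation.bin` files described above. It assumes the `outblob` is a version 4 TD quote (48-byte header followed by a 584-byte TD report body); the function names are hypothetical and the two sample quotes are constructed test data, not real platform output.

```python
import struct

# Assumed layout: TD quote v4 = 48-byte header + 584-byte TD report body.
# Header: version, att_key_type, tee_type, reserved, qe_vendor_id, user_data
HEADER = struct.Struct("<HHI4s16s20s")
BODY_FIELDS = [  # (name, size in bytes), in on-wire order
    ("tee_tcb_svn", 16), ("mrseam", 48), ("mrsignerseam", 48),
    ("seam_attributes", 8), ("td_attributes", 8), ("xfam", 8),
    ("mrtd", 48), ("mrconfigid", 48), ("mrowner", 48), ("mrownerconfig", 48),
    ("rtmr0", 48), ("rtmr1", 48), ("rtmr2", 48), ("rtmr3", 48),
    ("report_data", 64),  # echoes the 64 bytes written to inblob
]
TEE_TYPE_TDX = 0x81

def parse_td_quote(blob: bytes) -> dict:
    """Return the vendor id and TD report body fields as hex strings."""
    body_len = sum(size for _, size in BODY_FIELDS)
    if len(blob) < HEADER.size + body_len:
        raise ValueError("blob too short for a TD quote")
    version, _key, tee_type, _rsvd, vendor, _user = HEADER.unpack_from(blob, 0)
    if version != 4 or tee_type != TEE_TYPE_TDX:
        raise ValueError(f"not a v4 TDX quote (version={version}, tee_type={tee_type:#x})")
    fields = {"qe_vendor_id": vendor.hex()}
    offset = HEADER.size
    for name, size in BODY_FIELDS:
        fields[name] = blob[offset:offset + size].hex()
        offset += size
    return fields

def diff_quotes(a: bytes, b: bytes) -> list:
    """Names of the fields whose values differ between two quotes."""
    fa, fb = parse_td_quote(a), parse_td_quote(b)
    return [name for name in fa if fa[name] != fb[name]]

def constructed_quote(seed: int, report_data: bytes) -> bytes:
    """Build a synthetic quote for the demo (constructed, not real output)."""
    hdr = HEADER.pack(4, 2, TEE_TYPE_TDX, b"\0" * 4, bytes(range(16)), b"\0" * 20)
    measured = {"mrseam", "mrtd", "rtmr0", "rtmr1", "rtmr2"}
    body = b"".join(
        report_data if n == "report_data" else bytes([seed if n in measured else 0]) * s
        for n, s in BODY_FIELDS)
    return hdr + body

if __name__ == "__main__":
    nonce = b"N" * 64  # stands in for binary_userdata_plus_nonce
    cloud, metal = constructed_quote(0xC3, nonce), constructed_quote(0xB1, nonce)
    print("differing fields:", diff_quotes(cloud, metal))
    print("report_data echoes inblob:", parse_td_quote(cloud)["report_data"] == nonce.hex())
```

On real blobs, read each `attestation.bin` with `open(path, "rb").read()` and pass the two byte strings to `diff_quotes`.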