by EvanAnderson
3636 days ago
I think your article is unfairly characterizing the Nitrokey HSM and the underlying SmartCardHSM applet as "defeated". Your reasoning feels like a tautology to me. Of course having all the cryptographic keys used to protect a secret will enable you to access the secret. A legitimate attack would allow access to the secret without first having all the necessary cryptographic keys protecting the secret.

As you describe it, any HSM that allows for the transfer of keys between devices is "defeated" by design. An HSM without any ability to transfer keys would be much less suitable for any application where disaster recovery is required (which, to my mind, is most real-world applications).

We selected the Nitrokey HSM last year for a Customer's firmware signing project specifically to have this functionality. It was difficult and/or more expensive to obtain this functionality from the "big name" HSM vendors. With a product lifecycle of 20 years, my Customer required being able to, in a worst-case scenario, recover the plaintext of the signing keys to move to a new HSM platform. The "big name" players were quick to say that we could transfer keys between their hardware platforms (because they have a "behind the scenes" root of trust), but extracting keys to move to another platform was met with resistance.

Secure procedures for creating and handling the PINs and DKEKs can mitigate every part of the 'attack' you describe. I feel much more confident in handling those procedures myself versus relying on a root of trust held by a "big name" HSM vendor. I consider this a major advantage of the SmartCardHSM platform.