by tremon 1817 days ago
A TPM is much more than "just a bit of memory". It is a cryptographic coprocessor, with its own microcode and its own security domain.

And I don't think a fully-secured future for PCs is as impossible as you think. The primary reason this is impossible right now is that TPMs aren't ubiquitous (none of my machines came with one installed). That problem will be solved by Windows 11.

2 comments

Secured for the benefit of Microsoft or DRM providers, not necessarily for the benefit of the end user.

Unless they're willing to allow the end user to override the wishes of the vendor (and without any diminished functionality), TPM is just another way to turn computers into appliances.

The fundamental problem with the secure enclave on the PC is that to make it work you have to basically lock out all of the untrusted hardware on the box, which is pretty much all of it. So while you are doing your secure computation, nobody is servicing the PCIe bus. The graphics card drivers aren't getting any CPU cycles. Ring buffers on your network cards aren't emptied. From the perspective of everything else on the machine, the whole thing just crashed.

If your computation is quick you might be able to get away with this sometimes, but the potential for problems is almost unlimited. The fact that the TPM itself is pretty slow throws another monkey wrench into the plan.

In order for it to work, the whole system needs to be designed from the bottom up to support it, which means you need to touch every layer of the PC stack. It's a lot of work. It is a lot easier on something like a cellphone, where you can control the hardware from top to bottom and don't have to consider the case where someone installs additional hardware to suit their needs.