by Foxboron 741 days ago
`tpm2-totp` defeats the entire "replace the laptop" threat scenario.

https://github.com/tpm2-software/tpm2-totp

1 comments

The "replaced laptop" scenario is a full MITM on the hardware. TOTP generally does not protect against MITM. The required TOTP code is, in this scenario, generated by the device in the attacker's hand. So the fake could also display it.
You need to decide between the attacks here. Are you subverting hardware or are you replacing a laptop?

The TOTP token here is sealed inside the TPM.

And what do you need to do to unseal it? And why can't the fake laptop relay that to the real laptop?
It's never unsealed. `tpm2-totp` does an encrypted session to the TPM and runs `TPM2_HMAC` on the TPM-shielded key; you can also include PCRs to add further authentication to this entire exchange.

What do you mean with "relay"?

(All of this is trivially solved with glitter nail polish anyway.)
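As an added illustration for readers following the thread (this is not code from the tpm2-totp project or from any commenter), here is the RFC 4226/6238 computation that `tpm2-totp` moves into the TPM: an HMAC over the current 30-second time step, truncated to a few digits. The `TPM2_HMAC` call on the shielded key is stood in for by a software `hmac` call over the same input, which is an assumption made only so the snippet runs offline; the secret is the RFC 6238 test key. The point it makes concrete is that the digits on the laptop screen are a pure function of (secret, time step), and the phone accepts any matching code within its drift window, so what is actually checked is possession of the secret during that window, not which physical machine displayed it.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    In tpm2-totp the HMAC here is performed by the TPM (TPM2_HMAC) over the
    same counter, so the key never leaves the chip; the software HMAC is an
    assumption used only to keep this example self-contained.
    """
    return hotp(key, unix_time // step, digits, algo)


def verify_code(key: bytes, shown: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """What the phone side effectively does: accept the code if it matches
    any step within +/- `window` steps of its own clock. Constant-time compare
    so the check itself does not leak which digits matched."""
    base = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, base + delta, digits), shown)
        for delta in range(-window, window + 1)
    )


# RFC 6238 test secret (constructed input from the RFC's Appendix B vectors).
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    now = 59
    laptop_code = totp(RFC_KEY, now)            # what the TPM-backed machine would display
    print("laptop shows:", laptop_code)
    print("phone accepts:", verify_code(RFC_KEY, laptop_code, now))
    # Same secret and time step => same digits, whichever device computes them.
    print("still accepted one step later:", verify_code(RFC_KEY, laptop_code, now + 30))
```

Usage note: the `window` parameter is the drift tolerance most authenticator apps apply; it is also the width of the interval during which a code read off the genuine machine stays valid, which is why the commenters below treat the display as relayable. Binding the TPM policy to PCRs, as mentioned above, changes what the HMAC is conditioned on, not the fact that the output is a few digits checked by eye.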

Yes and you can relay that authentication, too.

The same way the fake laptop can relay your password to me, I could also relay the generated TOTP code from the stolen laptop to the fake in front of you. As I tried to convey, the fake laptop is basically a full MITM on your screen/keyboard.

Making a machine's visuals non-reproducible helps with that, but only if the attacker cannot easily switch the exterior parts (chassis, keyboard) between the two machines.

> The same way the fake laptop can relay your password to me, I could also relay the generated TOTP code from the stolen laptop to the fake in front of you. Also any authentication to generate that TOTP in the first place. As I tried to convey, the fake laptop is basically a full MITM on your screen/keyboard.

This is a Hollywood-level threat scenario.

It involves the attacker having intimate familiarity with the operating system, and having to break in twice to even get this attack done.

If you do put in the effort, then I deserve to be hacked and can pick up sheep farming in the countryside.