Hacker News

But the TPM is just a chip on the LPC bus, right? Couldn't you do a man-in-the-middle and have the TPM think it's talking to real hardware when in reality it's talking to an emulated system?


I think the idea is if TPM is enabled, the ROM bootstrap code only gives control to a signed trusted bootloader, which only gives control to a signed trusted kernel, which carefully prevents untrusted code from making requests to the TPM hardware. Like DRM, it's Game Over when the first vulnerability in this trusted code is found, though it'll continue to inconvenience legitimate users (because vendors have little incentive to ensure the machine is practically usable with the TPM disabled or with signers trusted by the user).
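
To make concrete what a chain of trust actually binds, here is an added simulation (not code from the thread or from any TPM vendor) of measured boot: each stage extends a PCR with a hash of the next stage before handing over control, and a secret sealed to the expected PCR value only unseals if every stage matches in content and order. The boot images, the XOR-based seal and the `seal-key` label are constructed stand-ins; the model shows what the PCR binds, not the bus-level man-in-the-middle the question above raises.

```python
import hashlib
import hmac

# Constructed sample "images" standing in for each boot stage, in handoff order.
BOOT_CHAIN = [
    ("rom", b"ROM bootstrap code v1"),
    ("bootloader", b"signed bootloader v2.3"),
    ("kernel", b"signed kernel 6.1"),
]

def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA256(old || SHA256(image)). Not reversible, order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measured_boot(chain) -> bytes:
    """Each stage measures the next one into the PCR before jumping to it."""
    pcr = bytes(32)  # PCRs start as all zeros after a TPM reset
    for _, image in chain:
        pcr = extend(pcr, image)
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy sealing: wrap the secret with a key derived from the expected PCR value."""
    assert len(secret) <= 32, "toy model only wraps up to 32 bytes"
    key = hashlib.sha256(b"seal-key" + expected_pcr).digest()  # constructed label
    return {"policy": expected_pcr, "ct": bytes(s ^ k for s, k in zip(secret, key))}

def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the current PCR equals the sealed policy value."""
    if not hmac.compare_digest(blob["policy"], current_pcr):
        return None  # a real TPM refuses the unseal here
    key = hashlib.sha256(b"seal-key" + current_pcr).digest()
    return bytes(c ^ k for c, k in zip(blob["ct"], key))

def demo() -> dict:
    """Seal a key to the genuine chain, then try a tampered and a reordered chain."""
    blob = seal(b"disk-encryption-key", measured_boot(BOOT_CHAIN))
    tampered = [(n, img.replace(b"signed kernel", b"patched kernel")) for n, img in BOOT_CHAIN]
    reordered = [BOOT_CHAIN[0], BOOT_CHAIN[2], BOOT_CHAIN[1]]
    return {
        "genuine": unseal(blob, measured_boot(BOOT_CHAIN)),
        "tampered": unseal(blob, measured_boot(tampered)),
        "reordered": unseal(blob, measured_boot(reordered)),
    }

if __name__ == "__main__":
    print(demo())
```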


Interesting point. I don't know what, if anything, they do to defend against putting the chip in a hostile system.

