It is tough reading the TCG specs. I am beginning to see through them to the goals. I do not criticize the lack of explicit goals, for they may be very difficult to enunciate. I think that I can state a few here and suggest what may be a simpler proposal that meets the short list of goals.

There seem to be at least two nested degrees of protection:

The TPM is charged with shielding (veiling, hiding) the secret key from even the TSS. The TSS can abuse the private key but not see it. (The TSS can decode arbitrary data encrypted to the private key.) The TPM is charged with providing means for the TSS to In short: defend and veil itself.

An abbreviated mechanism must be evaluated on what signals go over the memory bus even while in super-privileged mode. The memory bus is probably not “shielded” in their sense.