One of the things I was taught is that you can't really protect against an attacker who has physical access. Yes, you can make it harder, but that's pretty much it. That's why anyone who is serious has multiple layers of security.
Take for example Google data centers: you need access to enter the facility and access to whatever you are supposed to work on. There are security guards who will follow you and stay with you while you are performing your work.
The mechanisms in the CPUs are there to protect CPUs from their users. Let's say again you are Google and are planning to use this technology. Why would you trust a third party to decide (by signing) what can and cannot run on the CPU? What if that third party happens to be your competitor? The issue is that the person/company who owns the CPU doesn't have full control over it; they can't load their own certificates and use them for signing. They need to trust a third party with it.