> Needing the entire OS to be secure to protect a key is also a dumb idea in general.

This is the final step in the road to full remote attestation, thankfully PCs already come with Microsoft Pluton chips[1] to make it easier.

[1] https://learn.microsoft.com/en-us/windows/security/hardware-...