Because of this I appreciated that the article stressed the importance of open-source firmware and called out companies like Intel for user-hostile approaches.
I don't think open-source is really all that important, and the article is being very misleading in that respect; in fact, if we don't have the keys, all that being open-source does is to allow us to easily see how they're oppressing us. (Of course, there's also the Ken Thompson Hack --- inspecting the binary is the real way to determine if there's anything unusual.)
This is a related article which everyone interested in this topic should read:
The real problem here IMHO is that just as the OS is horrendously complex and cannot be left to the user to configure properly, trusted hardware is also broken! For a very recent example, visit https://tpm.fail. The TPMs mentioned in that disclosure passed rigorous CC EAL4+ and FIPS 140-2 certifications. So, even the certifications fail to protect against the very flaws they are testing for. (I haven't studied the matter in detail to determine if the testing regime itself is weak, or if there's a Boeing/FAA level of corruption, or something in between.)
For another recent example, javacard has been proven weak in certain use cases.
The big problem with these hardware flaws is, you end up putting your absolute faith in them since they form the TCB. When the hardware is eventually (and almost certainly) found to contain a flaw, the entire rest of your security tends to fall apart, and generally you are unable to repair it without replacing the device entirely. This might be ok (you will eventually replace the hardware through normal obsolescence) or not (embedded [in your body] medical devices).
What I like about the HP ProLiant platform is that the TPM chip is an add-on card.
For example, forcing automatic updates with no postponement because users simply won't apply security updates otherwise. Taking freedom away from users? Yeah, kinda. Increasing security? Absolutely.
I think Google offers a good compromise with the screws in their chromebooks that allow overriding the bootloader.
One of the drivers of all this technology is that big business wants to be able to sue providers when everything breaks and avoid the “your users did that” excuse.