TPM 2.0 allows communications over the bus to be encrypted specifically to prevent this attack, though Windows apparently does not actually use this feature[0].
Newer CPUs (since about 5 years ago) have the TPM embedded in the CPU. Intel calls this PTT and AMD calls it fTPM.
The main problem is that you don't have a strong way of establishing that you're talking to the real TPM. It does raise the bar from passive interception to hardware MITM, but it doesn't absolutely solve the problem
A public key for a fixedTPM+fixedParent primary on the TPM could be stored "securely" (i.e., read-only) on the host side, and then you can do key exchange with the TPM using RSA key transport or ECDH.
You can also use a shared secret, but storing a secret on the host side is even harder than storing a write-once (at factory), read-only PK.
On intel systems at least the "firmware" tpm is really implemented in the PCH. It'd probably still be possible to sniff the i/o lines between the cpu & pch but still way more complex than between the tpm and cpu.
The process for establishing an encrypted session goes like this:
0: Know the public key of a fixedTPM+fixedParent primary key (e.g., the "endorsement key") on the TPM ahead of time[0].
1: call TPM2_CreatePrimary() in the clear to "create" that key (this is deterministic given a public template and factory seed secret to the TPM) -- you need the "handle" for this key
2: call TPM2_StartAuthSession() with that handle as the bindKey, and various other parameters
3: use that session in all subsequent commands.
Note: only one parameter of every command can be encrypted: the first parameter (command or response parameter) of type TPM2B_PRIVATE. The rest can be authenticated but are otherwise exchanged in plaintext. This is mostly just fine.
[0] Well, you could validate the EK's certificate, and then you only need to know the trust anchors for the TPM's vendor. It's roughly the same thing, but with more steps, and it lets you replace the TPM w/o having to re-learn a public key for it (which might be important).
This is complete speculation, but it could be like TLS.
That would make it much harder as you'd have to MITM the communication, not just sniff it. Maybe impossible to decrypt if both the TPM and the chip it's communicating with use keys signed by the manufacturer.
I don't think it checks what the CPU is doing at all. It just makes software able to check if the platform is signed by the manufacturer.
The way I understand it is that the keys are burned into the TPM at time of manufacture, and there is no way to extract those keys, software can only ask the TPM to encrypt/decrypt/sign/verify certain data using the keys.
The TPM can then be used to verify certain operations, eg to retrieve the key for an encrypted hard drive.
But it's all a trojan horse because the manufacturer is the one who controls the keys, not the user.
It's "trusted" in the sense that the platform is "trusted" by the manufacturer, not the user.
Newer CPUs (since about 5 years ago) have the TPM embedded in the CPU. Intel calls this PTT and AMD calls it fTPM.
[0] https://pulsesecurity.co.nz/articles/TPM-sniffing