So this just...moves the risk upstream past the OS vendor to the chip vendor, where there is zero chance for a mere mortal to be able to demand that the vendor fix anything security-wise, and where a stellar track record for bad code already exists (Intel ME, etc.)...
Sounds like some rear-end-covering for RedHat, and another win for the ever-growing Orwellian spy apparatus (do you really think Intel is going to fight NSLs or publish secret information requests?). Plus, some extra cash to the vendors for another pay-as-you-go blind trust scheme ala SSL certificates.