Each CPU can have a readable unique identifier, and that CPU can only be unlocked with a corresponding secret key...
If there is a unique per-CPU identifier intel could create a signed 'feature enabling' certificate tied to any given CPU by including the that CPU's serial number in the certificate. All such certificates for all CPUs could be signed with the same intel feature-enabling private key (whose corresponding public key could be embedded in the CPU's microcode to enable certificates to be verified securely).
There is no need for per-CPU secret keys, which would be a massive administrative overhead for intel.
(Note that I'm not saying that this is a good idea, or that I want to see such a 'feature' implemented.)
Biting the hand that feeds IT
