Re: D'oh!
Actually, I hadn't realised that the TPM actually gives the CPU software the keys which is inherently insecure even using ephemeral keys. I'd rather assumed that the CPU would pass cipher/plaintext on-the-fly to the TPM and the TPM would return it converted but I guess doing that over the sort of bus they're using would be prohibitively slow.
I used to work on sat-TV boxes and they have a device called a crypto DMA controller on the system bus with access to the main RAM.
Instead of the CPU decrypting the data stream from the dish, each chunk in RAM containing both the audio/video & ancillary crypto TP stream packets that prevent replay attacks is passed to the crypto DMA, which decrypts in place if it passes muster. The crypto DMA has to be periodically unlocked with information both from the TP streams & the user's credentials, otherwise it stops playing.
The point is that symmetric encryption/decryption keys and PKI private keys are generated within the crypto DMA and never, ever leave it. If it's designed suitably tamperproof, there's no way to get those keys simply by getting hold of the device.
Satellite service providers are very serious when it comes to protecting their content! :-)