Edit: to be clear, this would still be vulnerable to MITM attacks without a user-entered password on top, but at least you can’t just read the secrets from the bus. E2: And having a password wouldn’t be secure without such a scheme either, so I highly doubt there isn’t one available.
What do you mean by that? Generate a new private/public key pair every time you set up a new TPM? Or when you boot the system or something?
On each connection. Or boot. Whenever you need.
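The argument in the thread (ephemeral keys per session stop a passive bus sniffer, an interposer still wins unless a password binds the exchange), worked through as an added simulation that is not code from any poster; the DH group (2^127-1, far too small for real use), the SHA-256 counter-mode stand-in for parameter encryption, and all function names are constructed for illustration:

```python
import hashlib
import hmac
import secrets

# Toy DH group: constructed for illustration only (2^127-1 is prime, but the
# group is far too small for real use; a TPM uses its own ECC/RSA primitives).
P = 2**127 - 1
G = 3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the session's parameter encryption: SHA-256 in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def ephemeral_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(b"tpm-bus-session" + shared).digest()


def bind_tag(auth_value: bytes, host_pub: int, tpm_pub: int) -> bytes:
    """HMAC over the transcript keyed with the shared password (like a TPM authValue)."""
    msg = host_pub.to_bytes(16, "big") + tpm_pub.to_bytes(16, "big")
    return hmac.new(auth_value, msg, hashlib.sha256).digest()


def run_session(attacker_on_bus: bool, auth_value=None) -> dict:
    """Simulate host<->TPM key agreement over a sniffable bus; return what each party learns."""
    host_priv, host_pub = ephemeral_keypair()
    tpm_priv, tpm_pub = ephemeral_keypair()
    atk_priv, atk_pub = ephemeral_keypair()  # interposer swaps in its own public value
    pub_seen_by_tpm = atk_pub if attacker_on_bus else host_pub
    pub_seen_by_host = atk_pub if attacker_on_bus else tpm_pub
    if auth_value is not None:
        # TPM authenticates the exchange it saw; the host checks it against the one it saw.
        tag = bind_tag(auth_value, pub_seen_by_tpm, tpm_pub)
        if not hmac.compare_digest(tag, bind_tag(auth_value, host_pub, pub_seen_by_host)):
            return {"aborted": True, "attacker_reads": None, "tpm_reads": None}
    nonce = secrets.token_bytes(8)
    wire = keystream_xor(session_key(host_priv, pub_seen_by_host), nonce, b"disk-key-seed")
    if attacker_on_bus:
        # Interposer decrypts with the host-side key and re-encrypts toward the TPM.
        plain = keystream_xor(session_key(atk_priv, host_pub), nonce, wire)
        wire_to_tpm = keystream_xor(session_key(atk_priv, tpm_pub), nonce, plain)
    else:
        plain, wire_to_tpm = wire, wire  # a passive sniffer only ever sees ciphertext
    tpm_reads = keystream_xor(session_key(tpm_priv, pub_seen_by_tpm), nonce, wire_to_tpm)
    return {"aborted": False, "attacker_reads": plain, "tpm_reads": tpm_reads}
```

`run_session(False)` shows the sniffer getting ciphertext only, `run_session(True)` shows the interposer recovering the plaintext, and `run_session(True, b"hunter2")` shows the password-bound transcript check aborting the session before anything secret is sent.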