
I'm under the impression enclave keys have been extracted before, and Intel was able to mitigate by essentially publishing a key revocation update that made models with the extracted keys not be trusted for remote attestation. Is that also the case with these keys?


That doesn't solve the greater issue. Let's say you bought an Intel CPU because your company requires remote attestation. Then a researcher publishes an exploit. Then Intel pushes an update that revokes keys from your model of CPU. What would you do, go happily spend $500 on a new one? Should we landfill millions of CPUs every time the mouse pulls ahead of the cat?


I disagree. This seems like fantasy. First, I don't think Intel has even done this -- "pushes an update that revokes keys from your model of CPU". If they did, there would be an enormous class action lawsuit. Remember that most CPUs are bought by large corporations, with extremely deep pockets. Even if Intel were to miraculously win the case, surely their reputation would be irreparably harmed.


If that were the case, Spectre, Meltdown and similar vulnerabilities would surely have similar class actions?


This is pretty common FWIW.

Google revokes attestation keys for Android hardware a lot, especially Widevine Level 1 keys.

Ten years into that, the public doesn't seem very exercised about it.


IIRC this is the first time a fused key was leaked; keys were leaked before, but those were firmware keys which were encrypted with the root fused key, which, as its name suggests, is literally fused into the silicon through programmable fuses.

It’s unclear if Intel has enough fuses to push a new key and if there is a mechanism to do it in software without a specialized programming station.

If the latter two are possible and they can fix the leak vector with a ucode update then they can likely revoke the key and patch this over.



