The author brings up many reasonable points but seems to mix issues of HSMs & Smart Cards not providing a generic open hardware platform with possible security problems of a platform.
There is no question that there would be value in having a hardware platform that has certain security features, but that alone doesn't meet the requirements of most users of HSMs and Smart cards. The primary use cases I've seen are allowing a third party to have assurance of protection of data stored in the device and assurance of the rules for accessing the data. In most cases this assurance comes from a combination of the hardware itself and the software/firmware running on the hardware. A hardware platform only solves half the problem that most purchasers of HSMs and smart cards are asking vendors to solve.
"A hardware platform only solves half the problem that most purchasers of HSMs and smart cards are asking vendors to solve."
A hardware platform alone solves less than half the problem for many HSM buyers, myself included. There's also software, then there's support. HSMs, at least the kind we use, are niche products because relatively few people have reasons to operate them (they're not cheap either). There aren't a lot of people who know how to use them well. We need to be able to get support on the phone 24/7/365 to deal with problems that come up because, as for most people who own HSMs, they are critical to the functioning of our systems.
Just throwing this out there to remind people interested in open HSMs (a fine idea) that at least when it comes to most people buying HSMs today, there needs to be an organization backing the product with good support. Otherwise it's probably a non-starter for critical systems.
These are valid concerns, but they're not good reasons not to provide general-purpose compute HSMs. If you want an external company to have certified the software, the policy which goes on a general-purpose HSM, that may be entirely sensible from a business perspective; I'm sure if general-purpose HSMs were a thing, with standard HSM platforms, such certified programs would be available on the market. Many would probably be made by the manufacturers of the HSMs themselves, providing a vertically integrated solution, support-wise.
Fulfilling this market, with the need for the outsourcing of liability, etc. is not mutually exclusive with providing general-purpose HSMs.