Some conceptual ancestors run in VMS, or used to.
I implemented a system with an encrypted virtual disk whose driver tested a number of things to be as sure as it could that it was being accessed by the startup process only, soon after a hard boot, with some other limitations. The idea was that this could be used to mount other crypto-disks or do other initialization. You'd keep a special unrestricted driver on removable media, take it out of the safe and use it to set the thing up. It could have done whatever you like, including computing crypto hashes of system images, etc.
Not as useful for really paranoid environments, particularly since it was published in source code... but interesting for circa 1990.
Getting something that keeps secrets at boot time is harder...
Note, though, that the Microsoft stuff has its holes too; designers have mentioned there are ways to get the system to spill its guts and reveal keys. Maybe some of that is fixed now. (The issue exists with HSMs too, in that there are generally ways they can be commanded to re-key or export data, and whatever is allowed to give them commands needs to be limited as well, so these kinds of things only occur where legitimately needed.)
Just thought it won't hurt to mention what was done a while back and would be easy now...
Glenn Everhart
ever...@gce.name
302 373 5382
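The gating the post describes (key released only to the startup process, only shortly after a hard boot, after checking a hash of the system image) as an added Python model. This is example code written for this page, not the VMS driver Glenn Everhart published; the names BootState, BootSecretDriver, the 120-second window and the sample image bytes are all constructed assumptions. It also covers the HSM point in the last paragraph: once the key has been handed out, or the window has passed, the driver seals itself and discards the key, so no later command can talk it into exporting anything.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class BootState:
    """Facts the driver would obtain from the kernel when it loads.
    Constructed values stand in for the real ones here (assumption)."""
    boot_time: float      # clock reading (seconds) at the moment of boot
    startup_pid: int      # process id of the startup process
    hard_boot: bool       # True after a cold/hard boot, False after a warm restart


@dataclass
class BootSecretDriver:
    """Releases a key once, to the startup process only, only during a short
    window after a hard boot, and only if the system image hashes as expected.
    After that (or once the window has passed) the driver is sealed and the
    key is discarded, so later callers cannot talk it out of its contents.
    Hypothetical model, not the original driver."""
    state: BootState
    key: bytes
    expected_image_digest: bytes       # SHA-256 of the trusted system image
    window_seconds: float = 120.0      # assumed size of the post-boot window
    sealed: bool = False
    audit: list = field(default_factory=list)   # (caller_pid, outcome) records

    def _deny_reason(self, caller_pid, now, image):
        """Return None if the request is acceptable, else a short reason."""
        if self.sealed:
            return "driver sealed"
        if now - self.state.boot_time > self.window_seconds:
            self.seal()                     # window gone: nobody gets it now
            return "boot window expired"
        if not self.state.hard_boot:
            return "not a hard boot"
        if caller_pid != self.state.startup_pid:
            return "caller is not the startup process"
        digest = hashlib.sha256(image).digest()
        if not hmac.compare_digest(digest, self.expected_image_digest):
            return "system image digest mismatch"
        return None

    def seal(self):
        """Forget the key; every later open() is refused."""
        self.key = b""
        self.sealed = True

    def open(self, caller_pid, now, image):
        """One-shot key release. Returns the key or None."""
        reason = self._deny_reason(caller_pid, now, image)
        self.audit.append((caller_pid, reason or "released"))
        if reason is not None:
            return None
        key = self.key
        self.seal()                         # one shot: first authorised use seals it
        return key


def demo():
    """Walk through the cases the post lists; returns (key or None, audit trail)."""
    image = b"SYS$SYSTEM:SYSBOOT.EXE contents (constructed sample)"
    state = BootState(boot_time=1000.0, startup_pid=4, hard_boot=True)
    drv = BootSecretDriver(
        state=state,
        key=bytes(range(32)),
        expected_image_digest=hashlib.sha256(image).digest(),
    )
    drv.open(caller_pid=77, now=1005.0, image=image)          # wrong process
    drv.open(caller_pid=4, now=1005.0, image=image + b"x")    # tampered image
    got = drv.open(caller_pid=4, now=1010.0, image=image)     # startup, in window
    drv.open(caller_pid=4, now=1011.0, image=image)           # second try: sealed
    return got, drv.audit


if __name__ == "__main__":
    key, audit = demo()
    for pid, outcome in audit:
        print(f"pid {pid}: {outcome}")
```

The order of the checks matters: the window test runs before the identity test so that a late caller seals the driver even if it happens to be the startup process, and the image hash is compared in constant time because the driver is handing out its only secret on the strength of that comparison. The "unrestricted driver on removable media" from the post would be a separate code path with no window and no seal; keeping it off the machine except when needed is what makes the restricted one worth having.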