> You can authenticate to a TPM via HMAC and a shared secret key, ...
> The catch is that the other elements need to be able to store the secret...
Yes, that catch is the problem.
You can also authenticate the TPM to the host w/o authenticating the host to the TPM -- all you need is to be able to record the public key of a suitable primary (say, the EK) on the TPM that has fixedTPM and fixedParent set. Less messy than having to store a secret on the host, but not really enough to solve the reset issue.
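To illustrate the host-side check the comment describes (pin the public area of a primary with fixedTPM and fixedParent set, then verify what TPM2_ReadPublic returns against it), here is an added example that is not part of the thread. It computes the TPM object Name (nameAlg || H(TPMT_PUBLIC)) and checks the attribute bits; the RSA public area and modulus are constructed sample data, not a real EK.

```python
import hashlib
import struct

TPM_ALG_RSA = 0x0001
TPM_ALG_SHA256 = 0x000B
# TPMA_OBJECT bits (TPM 2.0 Library, Part 2): fixedTPM = bit 1, fixedParent = bit 4
TPMA_FIXEDTPM = 1 << 1
TPMA_FIXEDPARENT = 1 << 4

HASHES = {TPM_ALG_SHA256: hashlib.sha256}


def attributes(public_area: bytes) -> int:
    """objectAttributes field of a TPMT_PUBLIC: type(2) nameAlg(2) attrs(4)."""
    return struct.unpack(">I", public_area[4:8])[0]


def object_name(public_area: bytes) -> bytes:
    """TPM Name of an object: nameAlg || H_nameAlg(TPMT_PUBLIC)."""
    name_alg = struct.unpack(">H", public_area[2:4])[0]
    return struct.pack(">H", name_alg) + HASHES[name_alg](public_area).digest()


def check_pinned_tpm(public_area: bytes, pinned_name: bytes) -> tuple[bool, str]:
    """Accept only a non-duplicable key whose Name matches the pinned one."""
    attrs = attributes(public_area)
    if not attrs & TPMA_FIXEDTPM:
        return False, "fixedTPM clear: key could have been imported from elsewhere"
    if not attrs & TPMA_FIXEDPARENT:
        return False, "fixedParent clear: key could be rewrapped under another parent"
    if object_name(public_area) != pinned_name:
        return False, "Name mismatch: public area differs from the pinned key"
    return True, "public area matches the pinned TPM key"


def build_rsa_public(attrs: int, modulus: bytes) -> bytes:
    """Constructed TPMT_PUBLIC for an RSA-2048 storage key (sample data only)."""
    # TPMS_RSA_PARMS: AES-128-CFB symmetric, scheme TPM_ALG_NULL, 2048 bits, default exponent
    params = struct.pack(">HHHHHI", 0x0006, 128, 0x0043, 0x0010, 2048, 0)
    return (struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, attrs)
            + struct.pack(">H", 0)  # empty authPolicy TPM2B
            + params
            + struct.pack(">H", len(modulus)) + modulus)


# Constructed sample: attributes of the default RSA EK template (0x000300B2).
GOOD_ATTRS = TPMA_FIXEDTPM | TPMA_FIXEDPARENT | (1 << 5) | (1 << 7) | (1 << 16) | (1 << 17)
SAMPLE_MODULUS = bytes(range(256))
GOOD_PUBLIC = build_rsa_public(GOOD_ATTRS, SAMPLE_MODULUS)
PINNED_NAME = object_name(GOOD_PUBLIC)  # what the host records at enrollment
```

Matching the pinned Name only identifies the key; the host still needs a proof of possession (for example a credential-activation challenge) before treating the peer as that TPM.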