We have briefly discussed HSM some more, but as you are the first to ask about it we haven't made it a priority. We would certainly be interested in a contribution towards it. It's a fairly big task and we would also need decent test coverage for it.
In essence the work would be to create a Encryption SPI and a default implementation. The default implementation would rely on the keys stored in the database. I'm not aware of any standard or libraries that can be used to communicate with HSM devices so I would imagine implementations for specific HSM vendors would have to be done by users themselves.
As well as encryption/signature methods you would also have to deal with how to retrieve the public key to display in the admin console and the providers would also have to be able to tell Keycloak if they can generate new keys or not. For providers that can generate new keys we would have the option on the admin console to generate new realm keys, but for others not.
If you are interested let us know. As a heads up this could not be included until 2.x.