Thank you to everybody for your excellent postings. Below I have replied to each post organized alphabetically by username:
AF_newbie: Thank you for the machine vendor links which by the way I already contacted before creating this forum post. After researching System76 I learned they only specialize in laptops with IME disabled. Additionally, I learned they are considering developing a Mini PC that could be used as a server because their laptop has heating issues when used as a server that is on 24/7. Same thing with Novacustom. They only specialize in Corebooted laptops and offer no mini-PCs. I also researched Purism, which do offer a Librebooted mini-PC but it is currently in back order and very pricey at close to $3,000 fully spec’d out. Nevertheless, thanks for the pfSense/OPNsense, wireshark advice which I plan to look into because it is the first time I hear about these network related apps. Maybe installing such apps on my Bitcoin Node server may help out in making it that much more secure. As for the link you provided, I did manage to watch the Brian Milliron video. The method he shows on how to disable the IME using a Raspberry Pi is the complicated way of doing it. Below I have included some YouTube video links that show a less complicated approach using NeoProgrammer software and a CH341a v1.6 programmer.
DaveF: To answer your question the reason I avoid the Raspberry PI is due to the closed-source components it uses. If this SBC was open source I would have it at top of the list for the purpose of running a Bitcoin Node server 24/7. Especially now that the Raspberry PI 5 has been released which I hear is more robust compared to the Raspberry 4. Additionally, I learned the MEDS-5000 PC does not have the IME disabled. What it does offer is a way to disable the ATM which is a system that is subordinate to the IME on this motherboard. I also spent some time researching the 3.5" SBC IAD70 motherboard but I couldn’t find anybody that sells it. It would be fantastic if somebody in this forum could post a micro-ATX / ITX motherboard by model name that already has the IME disabled or non-existent. I am certain a lot of people in this forum would be interested in such information.
ETFbitcoin:To echo your ARM TrustZone comment, I have the following analogy. Setting up a Bitcoin Node server on a motherboard with a PSP or IME back door on it is tantamount to buying a hardware wallet with a back door integrated into the circuit board. It would be foolish to trust that storing a bunch of Bitcoin on such a hardware wallet is secure. And the same reasoning applies to building a Bitcoin Node server built on top of a motherboard foundation that includes an IME or PSP back door. That makes for a real substandard foundation in my opinion. In short, I do not trust ARM TrustZone due to how it cannot be verified.
eXch.cc:As you mentioned, I took a look at RISC-V by first visiting the Ubuntu Server download page at the link below:
https://ubuntu.com/download/risc-vIt seems like currently there are only seven boards compatible to the Ubuntu Server OS. And outside of the OS, I also need a variety of apps such as Fulcrum, Sparrow Wallet, Mempool, Bitcoin Core, etc. to also be available in a downloadable RISC-V format which currently are not. In short, I think it is too early to consider a RISC-V motherboard as a viable option to run a Bitcoin Node on. Additionally, thank you very much for all of the links you provided relating to Corebooting my Supermicro X11SSH-F motherboard. I found the links you provided to be very helpful. You obviously have a lot of experience relating to disabling IME. In contrast, I am a newbie at it who does not have all of the jigsaw puzzle pieces together associated to disabling the IME. Nevertheless, listed below is some of the instructional material I have assembled to guide me through my “IME Neutering” task. Please feel free to recommend any additional instructional material you think may be helpful:
Phase 1: Practice on an old AsRock motherboard to get familiar using the NeoProgrammer Software and CH341a v1.6 programmer covered in links below:
https://khandishnetwork.com/dl/neoprogrammer-software-2021-v2-2-0-8-22-06-2021/https://www.youtube.com/watch?v=7_mnuuXyPiIhttps://www.youtube.com/watch?v=lmYXiE2fQ6Ehttps://www.youtube.com/watch?v=r8f-3syiFScPhase 2: Download Supermicro X11SSH-F Coreboot 4.13 Source TAR file and BLOB files from the link below and GPG authenticate them followed by performing the IME Neutering procedure on my Supermicro X11SSH-F motherboard:
https://www.coreboot.org/downloads.htmlNotATether:Thanks for opening my eyes to High-Assurance Platform (HAP) mode with the link you provided. I was not aware of this HAP feature on some motherboards. It would be great if there was some way to actually verify for yourself if the High-Assurance Platform mode completely switches off the IME. Because otherwise it is no different than the ARM TrustZone technology mentioned above.
Xtests:Your opinion on High-Assurance Platform mode is a valid point. One must trust Intel actually switches off completely the IME using HAP. I guess it comes down to whether you trust Intel telling you “Trust Me Bro”. Personally, I think it would be great if HAP was configured in such a way that enabled one to actually verify the IME is completely switched off. In my opinion, "trust but verify" is a good motto to follow when setting up a Bitcoin node server.
In closing, as I mentioned I am new at Corebooting a motherboard. Therefore, the possibility exists I may brick my Supermicro X11SSH-F motherboard by taking on this task myself. In short, I would appreciate a lot if anybody in this forum could recommend a solid micro-ATX or ITX motherboard by model name and manufacturer to serve as a backup motherboard just in case I end up bricking my Supermicro X11SSH-F motherboard. :-) Any good motherboard recommendations with the IME already neutered or non-existent will be greatly welcome. Thank you for your time.