
Topic: Need advice on building a secure Bitcoin Node at motherboard foundation level (Read 258 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
eXch.cc:
As you mentioned, I took a look at RISC-V by first visiting the Ubuntu Server download page at the link below:
https://ubuntu.com/download/risc-v
It seems like currently there are only seven boards compatible to the Ubuntu Server OS.

Have you checked Debian? On page https://wiki.debian.org/RISC-V, they claim they support a few more boards.

And outside of the OS, I also need a variety of apps such as Fulcrum, Sparrow Wallet, Mempool, Bitcoin Core, etc. to also be available in a downloadable RISC-V format which currently are not.  In short, I think it is too early to consider a RISC-V motherboard as a viable option to run a Bitcoin Node on.

That's mostly true. Although Bitcoin Core has RISC-V support, check its download page at https://bitcoincore.org/en/download/.
member
Activity: 65
Merit: 30

eXch.cc,
After researching everything you mentioned I have a question I hope you can answer. What motherboard model in your opinion is the least complicated to disable the IME on using Coreboot? I ask because the IPMI on my Supermicro X11 series motherboard complicates things a lot for a newbie like me. Therefore, I would really appreciate it a lot if you can recommend a motherboard that comes close to matching the specifications listed below and which you think provides the most straightforward approach to installing Coreboot:

  • Micro-ATX form factor or ITX form Factor
  • Core i5 or i7 performance
  • Supports a minimum of 32GB of RAM
  • Supports Ubuntu Server OS
  • Open to AMD alternative motherboard if the PSP is less complicated to disable compared to IME.

Thank you for your time.

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Lastly, I am thinking a possible workaround to the problem with not having all the apps I need in a RISC-V format could possibly be resolved by using Docker and Portainer. From the little I know about Docker the apps are containerized so they are capable of running on any CPU platform. I would have to research this Docker option some more to confirm if it will actually work or not on a RISC-V board. Thanks again for correcting my mistake.

I did some quick research and was surprised that Docker can actually run an OS/image which uses a different CPU architecture. Anyway, have you considered software called Box64? A few news reports say it can run some x86-64 software/games on RISC-V devices with relatively good performance [1-2].

[1] https://riscv.org/news/2023/08/new-emulator-lets-some-x86-64-games-run-on-risc-v-dev-board/
[2] https://hackaday.com/2023/03/12/efficient-x86_64-emulation-with-box86/
member
Activity: 65
Merit: 30
ETFbitcoin,
Thank you for correcting my mistake. It is great to see Bitcoin Core offers a RISC-V version for download. Additionally, I have been looking into the Debian on RISC-V option you mention. The most robust RISC-V board I could find is the Lichee Pi 4A board which is reviewed in the link below:

https://www.youtube.com/watch?v=1apoFXZ9ad8


Unlike the Raspberry Pi 4 with its closed-source components this Lichee Pi 4A board has open-source components. So that may be in line with my back door security concerns I have for Intel, AMD, and ARM motherboards. If it could support a 4TB SSD drive that will be icing on the cake because the Raspberry Pi 4 is only capable of supporting an SSD up to a 2TB capacity.

Lastly, I am thinking a possible workaround to the problem with not having all the apps I need in a RISC-V format could possibly be resolved by using Docker and Portainer. From the little I know about Docker the apps are containerized so they are capable of running on any CPU platform. I would have to research this Docker option some more to confirm if it will actually work or not on a RISC-V board. Thanks again for correcting my mistake.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Even in the event that it is proven that the IME is collecting telemetry and has all these spy capabilities, how do you think it's going to get traffic out to the internet?

Particularly if the computer is airgapped then there is nothing to worry about.
Nothing to worry about yet! How long will it take before every device has its own (low bandwidth) data connection to "phone home" even when the user doesn't connect it? €2.50 is all it takes:
I googled it, and the first thing I found was lifetime eSim for €2.50, to be soldered inside a device. This is very scary, it will create a whole new level of attacks. Imagine replacing someone's hardware wallet with a fake device with esim that instantly broadcasts the PIN. Air gapped devices will need a faraday cage to be sure.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
...cOnSpIrAcY...

Since when is being skeptical about closed-source firmware and software that can't be verified considered "conspiracy"?

I myself do not really consider it a conspiracy but I'm just highlighting the general opinion of people on other sites e.g. Reddit, Hacker News if you ask them about this kind of thing.

It would be better to ditch Intel completely if only ARM was ready for mainstream. Bitcoin Core can run on it, Macs run with it now and I'm going to assume all the other manufacturers are going to follow suit. Or at least try to.
member
Activity: 65
Merit: 30
Thank you to everybody for your excellent postings.  Below I have replied to each post organized alphabetically by username:

AF_newbie:
Thank you for the machine vendor links which by the way I already contacted before creating this forum post. After researching System76 I learned they only specialize in laptops with IME disabled. Additionally, I learned they are considering developing a Mini PC that could be used as a server because their laptop has heating issues when used as a server that is on 24/7. Same thing with Novacustom. They only specialize in Corebooted laptops and offer no mini-PCs. I also researched Purism, which does offer a Librebooted mini-PC but it is currently on back order and very pricey at close to $3,000 fully spec’d out. Nevertheless, thanks for the pfSense/OPNsense, Wireshark advice which I plan to look into because it is the first time I hear about these network related apps. Maybe installing such apps on my Bitcoin Node server may help out in making it that much more secure. As for the link you provided, I did manage to watch the Brian Milliron video. The method he shows on how to disable the IME using a Raspberry Pi is the complicated way of doing it. Below I have included some YouTube video links that show a less complicated approach using NeoProgrammer software and a CH341a v1.6 programmer.

DaveF:
To answer your question the reason I avoid the Raspberry PI is due to the closed-source components it uses. If this SBC was open source I would have it at top of the list for the purpose of running a Bitcoin Node server 24/7. Especially now that the Raspberry PI 5 has been released which I hear is more robust compared to the Raspberry 4.  Additionally, I learned the MEDS-5000 PC does not have the IME disabled. What it does offer is a way to disable the ATM which is a system that is subordinate to the IME on this motherboard.   I also spent some time researching the 3.5" SBC IAD70 motherboard but I couldn’t find anybody that sells it.  It would be fantastic if somebody in this forum could post a micro-ATX / ITX motherboard by model name that already has the IME disabled or non-existent. I am certain a lot of people in this forum would be interested in such information.

ETFbitcoin:
To echo your ARM TrustZone comment, I have the following analogy. Setting up a Bitcoin Node server on a motherboard with a PSP or IME back door on it is tantamount to buying a hardware wallet with a back door integrated into the circuit board.  It would be foolish to trust that storing a bunch of Bitcoin on such a hardware wallet is secure.  And the same reasoning applies to building a Bitcoin Node server built on top of a motherboard foundation that includes an IME or PSP back door. That makes for a real substandard foundation in my opinion. In short, I do not trust ARM TrustZone due to how it cannot be verified. 

eXch.cc:
As you mentioned, I took a look at RISC-V by first visiting the Ubuntu Server download page at the link below:
https://ubuntu.com/download/risc-v
It seems like currently there are only seven boards compatible to the Ubuntu Server OS. And outside of the OS, I also need a variety of apps such as Fulcrum, Sparrow Wallet, Mempool, Bitcoin Core, etc. to also be available in a downloadable RISC-V format which currently are not.  In short, I think it is too early to consider a RISC-V motherboard as a viable option to run a Bitcoin Node on. Additionally, thank you very much for all of the links you provided relating to Corebooting my Supermicro X11SSH-F motherboard. I found the links you provided to be very helpful. You obviously have a lot of experience relating to disabling IME. In contrast, I am a newbie at it who does not have all of the jigsaw puzzle pieces together associated to disabling the IME.  Nevertheless, listed below is some of the instructional material I have assembled to guide me through my “IME Neutering” task. Please feel free to recommend any additional instructional material you think may be helpful: 
Phase 1:
Practice on an old AsRock motherboard to get familiar using the NeoProgrammer Software and CH341a  v1.6 programmer covered in links below:
https://khandishnetwork.com/dl/neoprogrammer-software-2021-v2-2-0-8-22-06-2021/
https://www.youtube.com/watch?v=7_mnuuXyPiI
https://www.youtube.com/watch?v=lmYXiE2fQ6E
https://www.youtube.com/watch?v=r8f-3syiFSc
Phase 2:
Download Supermicro X11SSH-F Coreboot 4.13 Source TAR file and BLOB files from the link below and GPG authenticate them followed by performing the IME Neutering procedure on my Supermicro X11SSH-F motherboard:
https://www.coreboot.org/downloads.html

NotATether:
Thanks for opening my eyes to High-Assurance Platform (HAP) mode with the link you provided.  I was not aware of this HAP feature on some motherboards.  It would be great if there was some way to actually verify for yourself if the High-Assurance Platform mode completely switches off the IME. Because otherwise it is no different than the ARM TrustZone technology mentioned above.

Xtests:
Your opinion on High-Assurance Platform mode is a valid point. One must trust Intel actually switches off completely the IME using HAP. I guess it comes down to whether you trust Intel telling you “Trust Me Bro”. Personally, I think it would be great if HAP was configured in such a way that enabled one to actually verify the IME is completely switched off.  In my opinion, "trust but verify" is a good motto to follow when setting up a Bitcoin node server.

In closing, as I mentioned I am new at Corebooting a motherboard. Therefore, the possibility exists I may brick my Supermicro X11SSH-F motherboard by taking on this task myself. In short, I would appreciate a lot if anybody in this forum could recommend a solid micro-ATX or ITX motherboard by model name and manufacturer to serve as a backup motherboard just in case I end up bricking my Supermicro X11SSH-F motherboard. :-)  Any good motherboard recommendations with the IME already neutered or non-existent will be greatly welcome.  Thank you for your time.
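
Added example (not part of any post in this thread): Phase 2 above says to "GPG authenticate" the release files, and a bare "Good signature" line is not enough for that, because gpg prints it for any key in the keyring. The sketch below accepts a file only when the signature was made under one pinned primary-key fingerprint; the fingerprints and status lines in it are constructed placeholders, and the real fingerprint has to be obtained from the coreboot download page.

```python
import subprocess
import sys

# GnuPG status keywords that disqualify a signature, even a mathematically
# valid one (for example one made by a key that has since been revoked).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed placeholders, NOT real keys: take the real fingerprint from
# the project's download page over a channel you trust.
PINNED_FPR = "A" * 40
SUBKEY_FPR = "B" * 40
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + SUBKEY_FPR[-16:] + " Constructed Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR + " 2020-11-20 1605830400 0 4 0 1 8 00 " + PINNED_FPR,
])


def pinned_signature_ok(status: str, pinned_fpr: str) -> bool:
    """Accept only a VALIDSIG made under the pinned primary key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    accepted = False
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG argument is the primary-key fingerprint. It is
            # optional in the status format, so fall back to the signing key.
            primary = parts[11] if len(parts) >= 12 else parts[2]
            if primary.upper() != pinned:
                return False
            accepted = True
    return accepted


def verify_file(data_path: str, sig_path: str, pinned_fpr: str) -> bool:
    """Run gpg on a detached signature and apply the pin to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and pinned_signature_ok(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    # With arguments: FILE FILE.sig FINGERPRINT. Without: parse the sample.
    if len(sys.argv) == 4:
        ok = verify_file(*sys.argv[1:4])
    else:
        ok = pinned_signature_ok(SAMPLE_STATUS, PINNED_FPR)
    print("accept" if ok else "reject: do not flash this image")
    sys.exit(0 if ok else 1)
```

Run it once for the source tarball and once for the blobs archive, each with its own detached signature file.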

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Thanks for the example, although those webpages don't mention anything about disabling Intel ME.

It was more about complaining that some products like those DON'T have it enabled properly and the lack of it working could cause issues later.

Not so much as IME good vs IME bad but an IME is broken here and the manufacturers are not admitting it and if Intel does something that matters with it later you could own a paperweight. I don't use those products normally, they would just be an emergency buy for a customer so I jotted down a note and 100% forgot about it till this came up.

But from what I remember a lot of the industrial SBCs do not have it enabled / working properly.

Since when I am sourcing these kinds of things for customers it's usually more of a WE ARE DOWN WHAT CAN WE GET NOW situation, as opposed to let's figure out what is good here situation, none of it was really important to me at the time. I'll check if I have anything else about them, but I doubt it.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Any examples of those industrial SBCs?

Off the top of my head this one had no IME:
https://portwell.com/products/detail.php?CUSTCHAR1=MEDS-5000

or did this one

https://www.directindustry.com/prod/winmate-inc/product-35784-2552463.html

Not sure if revisions and changes have happened or if things are different. But, they were discussed in another forum about not having it.
Didn't care so I didn't pay much attention, but that's what my notes say.

-Dave
jr. member
Activity: 49
Merit: 107

Well, I know there's a lot of conspiracy about Intel Management Engine, but let's be realistic:

Even in the event that it is proven that the IME is collecting telemetry and has all these spy capabilities, how do you think it's going to get traffic out to the internet?

To be realistic - Intel ME is a separate microcontroller running its own OS independently from CPU that is on the same bus with ethernet, which means it can do anything a normal OS can do once there is uplink. It also has a dedicated MAC address.

Particularly if the computer is airgapped then there is nothing to worry about.
But I don't see the IME having the throughput to divert 100Mbps block and transaction traffic from a full node to its own little MINIX drivers.

Not the OP's case already. They don't plan to have an airgapped computer at all.

Note that the OP's objectives for that machine are also "store bitcoin, earn bitcoin, spend bitcoin, Bisq to buy Bitcoin and Lightning network software. ".

If you still need the ME disabled then it can be done by activating High-Assurance Platform mode: https://en.wikipedia.org/wiki/Intel_Management_Engine#%22High_Assurance_Platform%22_mode

The HAP bit only tells Intel ME to switch off which won't guarantee it's actually switched off. You must trust Intel to assume it's switched off completely.

...cOnSpIrAcY...

Since when is being skeptical about closed-source firmware and software that can't be verified considered "conspiracy"?

Is assuming that some custodial closed-source Bitcoin wallet can steal your funds also a conspiracy theory?

By the way, do you mean having a potential ring -3 rootkit produced by an NSA contractor embedded into your system should be trusted and raise no questions?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I am researching setting up a Bitcoin Node that includes software tools to explore the bitcoin blockchain, store bitcoin, earn bitcoin, spend bitcoin, Bisq to buy Bitcoin and Lightning network software. However, a bump in the road I have encountered relates to disabling the Intel Management Engine (IME) on my Supermicro X11SSH-F motherboard using Coreboot. Listed below are some questions I have:

Well, I know there's a lot of conspiracy about Intel Management Engine, but let's be realistic:

Even in the event that it is proven that the IME is collecting telemetry and has all these spy capabilities, how do you think it's going to get traffic out to the internet?

Particularly if the computer is airgapped then there is nothing to worry about.

But I don't see the IME having the throughput to divert 100Mbps block and transaction traffic from a full node to its own little MINIX drivers.

If you still need the ME disabled then it can be done by activating High-Assurance Platform mode: https://en.wikipedia.org/wiki/Intel_Management_Engine#%22High_Assurance_Platform%22_mode
member
Activity: 119
Merit: 948
Has anybody out there disabled the IME and if yes what motherboard model did you apply the Coreboot to? I ask just in case I end up bricking my Supermicro motherboard.
   
Haven't tried this specific board but I have experience disabling IME on a considerable variety of both desktop and server motherboards and the rule of thumb that applies generally is checking for two conditions:

(a) you need IPMI or any other OOB management options enabled, because disabling IME will break them since they depend on it
(b) your current ROM has Intel Boot Guard fully enabled by a combination of both Measured Boot and Verified Boot modes, which may result in a bricked board after removing IME unless it was done by toggling the HAP/AltMeDisable bit (which will still prevent you from flashing Coreboot)
(c) measuring whether you need Coreboot or running the vendor's BIOS with IME disabled is enough depending on the amount of closed-source firmware blobs Coreboot will require for your board to run (https://github.com/coreboot/blobs)

It seems Coreboot lists your MB in https://doc.coreboot.org/security/vboot/list_vboot.html which means they have found a workaround to bypass chipset's protection and properly sign the ROM, making it an exception for (b) and meaning it should work. Apparently they also report it as an officially supported board here https://doc.coreboot.org/mainboard/supermicro/x11-lga1151-series/x11ssh-f/x11ssh-f.html therefore everything should work fine. The only question here is whether BMC will continue working or not if you disable Intel ME. It seems, disabling Intel ME doesn't affect BMC on Supermicro boards, according to https://doc.coreboot.org/mainboard/supermicro/flashing_on_vendorbmc.html#flashing-with-disabled-me, which is not the case for most boards from other manufacturers, according to my experience.

For devices not listed as supported by Coreboot, I recommend checking me_cleaner's report thread https://github.com/corna/me_cleaner/issues/3 where most of the reported boards where ME can be fully disabled supposedly will allow you to flash Coreboot.


Does disabling the IME with Coreboot really make a Bitcoin Hub more secure? Or are there tradeoffs that actually make the Bitcoin Hub less secure after installing Coreboot?

1) Yes, if your threat model includes law enforcement or hypothetical 0-days targeting IME or your BIOS ROM. 2) No


Other questions were already fully answered by others.

Great points on considering RISC-V and ARM instead, although, in some cases efforts to disable IME and flash Coreboot on an Intel board might be advantageous. In your specific case, not sure if it's very advantageous considering CPUs your board supports are not extraordinarily performant (Intel® Xeon® Processor E3 v6 Family, 7th Generation Intel® Core™ i3 Processors), however if you don't plan to use virtualization and plan to run everything you mentioned within the same kernel space, it might be enough.

Also take into consideration that most Coreboot-supported boards depend on a variety of closed-source firmware blobs which might be no less dangerous than Intel ME. For example, originally, Coreboot is a downstream of GNU Libreboot that had a very strict binary blob inclusion policy (none allowed), which changed some time after the RMS-related drama that led Libreboot to become a downstream of Coreboot.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Any reason you're avoiding the Raspberry Pi or other ARM-based SBCs? You will lose some performance, but most of them are more than capable of running a node and bisq and lightning. No, you're not going to have the raw performance of what you're looking at now, but they are inexpensive and they do work.


-Dave

I've seen people mention that ARM TrustZone poses some similarity to Intel Management Engine, where they have concerns it could weaken security or even be used as a backdoor.

As far as I know and I am probably wrong, they never fully supported it on the Pi. So I don't think it's much of a worry.
You also have things like the RockPro64 and others that are based on different but similar hardware.

There are also a lot of industrial SBC PCs that do not have any of the IME stuff but they are far from cheap so you would probably be better off getting one of the machines that @af_newbie mentioned.

You can also still find older boards / CPUs out there that will work, but now you are putting decade+ hardware into 24/7 production.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Any reason you're avoiding the Raspberry Pi or other ARM-based SBCs? You will lose some performance, but most of them are more than capable of running a node and bisq and lightning. No, you're not going to have the raw performance of what you're looking at now, but they are inexpensive and they do work.


-Dave
legendary
Activity: 2702
Merit: 1468
I am researching setting up a Bitcoin Node that includes software tools to explore the bitcoin blockchain, store bitcoin, earn bitcoin, spend bitcoin, Bisq to buy Bitcoin and Lightning network software. However, a bump in the road I have encountered relates to disabling the Intel Management Engine (IME) on my Supermicro X11SSH-F motherboard using Coreboot. Listed below are some questions I have:

  • Has anybody out there disabled the IME and if yes what motherboard model did you apply the Coreboot to? I ask just in case I end up bricking my Supermicro motherboard.
  • Does disabling the IME with Coreboot really make a Bitcoin Hub more secure? Or are there tradeoffs that actually make the Bitcoin Hub less secure after installing Coreboot?
  • What Intel chip generation is the correct one to buy so IME is no longer a factor to consider which means no longer having to mess with Coreboot?
  • Is buying an Intel motherboard manufactured before 2006 the only way to 100% totally avoid IME? If yes doesn't such an old motherboard lack the required horsepower needed to operate a robust Bitcoin hub?
  • Is an AMD motherboard a better foundation level security alternative to building a Bitcoin Node? If yes what particular AMD CPU generation / motherboard manufactured year should I be looking at?

As I mentioned, I am researching the task of disabling the IME on a motherboard and not 100% certain if I should continue down this path. I would appreciate any opinions that will help me figure out the best approach to building a secure Bitcoin node at the motherboard foundation level. Thank you for your time.

Just buy a machine with coreboot and ME disabled.

https://novacustom.com/
https://system76.com/

Install whatever OS you want and whatever software you want. Front it with a coreboot device running pfSense/OPNsense and
watch the network traffic with wireshark on a third, clean device. If everything checks out, install your bisq, bitcoin core node etc.

Re-writing your BIOS chip is not trivial but is doable.
https://yewtu.be/watch?v=WJo8RsJeqxU
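
Added example (not part of any post in this thread): the advice above is to watch the node's traffic from a separate, clean device, and another reply notes that Intel ME has a dedicated MAC address and sits on the same bus as the Ethernet controller. One way to turn a capture into findings is to compare what the wire shows with what the node's own OS says it sent. The MAC addresses, IP addresses, capture rows and host log below are constructed, and the input layout assumes a capture of the node's link exported with `tshark -T fields -e eth.src -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport`.

```python
from typing import Iterator, NamedTuple

# TCP/UDP ports used by Intel AMT and ASF remote management.
MGMT_PORTS = frozenset({623, 664, 16992, 16993, 16994, 16995})


class Finding(NamedTuple):
    reason: str
    src_mac: str
    dst_ip: str
    dst_port: int


def parse_rows(text: str) -> Iterator[tuple[str, str, int]]:
    """Yield (source MAC, destination IP, destination port) per capture row."""
    for line in text.splitlines():
        cols = line.split("\t")  # do not strip: an empty UDP column is a field
        if len(cols) != 5:
            continue
        mac, _src_ip, dst_ip, tcp_port, udp_port = (c.strip() for c in cols)
        port = tcp_port or udp_port
        if mac and dst_ip and port.isdigit():
            yield mac.lower(), dst_ip, int(port)


def audit(capture: str, os_macs: set[str], gateway_macs: set[str],
          os_flows: set[tuple[str, int]]) -> list[Finding]:
    """Flag frames on the node's link that the node's OS cannot account for."""
    os_macs = {m.lower() for m in os_macs}
    known = os_macs | {m.lower() for m in gateway_macs}
    findings: list[Finding] = []
    for mac, dst_ip, port in parse_rows(capture):
        reasons = []
        if port in MGMT_PORTS:
            reasons.append("management-port")
        if mac not in known:
            # A second network identity behind the node's switch port.
            reasons.append("unknown-source-mac")
        elif mac in os_macs and (dst_ip, port) not in os_flows:
            # Sent with the host's MAC, but absent from the host's own log.
            reasons.append("not-logged-by-host")
        for reason in reasons:
            finding = Finding(reason, mac, dst_ip, port)
            if finding not in findings:
                findings.append(finding)
    return findings


# Constructed sample data: documentation IP ranges, locally administered MACs.
NODE_MAC, FW_MAC, ODD_MAC = "02:00:00:aa:00:01", "02:00:00:aa:00:fe", "02:00:00:aa:00:02"
SAMPLE_CAPTURE = "\n".join("\t".join(row) for row in [
    (NODE_MAC, "192.0.2.10", "198.51.100.7", "8333", ""),   # logged peer
    (NODE_MAC, "192.0.2.10", "203.0.113.5", "443", ""),     # host has no record
    (ODD_MAC, "192.0.2.11", "203.0.113.9", "", "53"),       # extra MAC on link
    (FW_MAC, "192.0.2.1", "192.0.2.10", "16992", ""),       # AMT port probed
    (FW_MAC, "198.51.100.7", "192.0.2.10", "41000", ""),    # routed reply
])
HOST_LOG = {("198.51.100.7", 8333)}  # flows the node's OS recorded itself

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE, {NODE_MAC}, {FW_MAC}, HOST_LOG):
        print(f"{f.reason:20} {f.src_mac} -> {f.dst_ip}:{f.dst_port}")
```

The comparison is only as complete as the host-side log, so replies the node sends on inbound connections need to be recorded there as well.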
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
    However, a bump in the road I have encountered relates to disabling the Intel Management Engine (IME) on my Supermicro X11SSH-F motherboard using Coreboot.

    There are several scripts or tools to either remove or disable Intel ME. Have you tried any of those?

    • Does disabling the IME with Coreboot really make a Bitcoin Hub more secure? Or are there tradeoffs that actually make the Bitcoin Hub less secure after installing Coreboot?

    AFAIK no. Even one of the NSA's projects removes Intel ME due to security reasons, assuming you somewhat trust the NSA.

    • Is buying an Intel motherboard manufactured before 2006 the only way to 100% totally avoid IME? If yes doesn't such an old motherboard lack the required horsepower needed to operate a robust Bitcoin hub?

    No, you can consider a device which uses a RISC-V CPU. You can get a newer and more powerful CPU at the cost of limited software and OS support. Although FWIW there are a few laptop/PC brands which claim their devices have either disabled or removed Intel ME. But i

    • Is an AMD motherboard a better foundation level security alternative to building a Bitcoin Node? If yes what particular AMD CPU generation / motherboard manufactured year should I be looking at?

    No, AMD has something similar to Intel ME called AMD PSP.
    member
    Activity: 65
    Merit: 30
    I am researching setting up a Bitcoin Node that includes software tools to explore the bitcoin blockchain, store bitcoin, earn bitcoin, spend bitcoin, Bisq to buy Bitcoin and Lightning network software. However, a bump in the road I have encountered relates to disabling the Intel Management Engine (IME) on my Supermicro X11SSH-F motherboard using Coreboot. Listed below are some questions I have:

    • Has anybody out there disabled the IME and if yes what motherboard model did you apply the Coreboot to? I ask just in case I end up bricking my Supermicro motherboard.
    • Does disabling the IME with Coreboot really make a Bitcoin Hub more secure? Or are there tradeoffs that actually make the Bitcoin Hub less secure after installing Coreboot?
    • What Intel chip generation is the correct one to buy so IME is no longer a factor to consider which means no longer having to mess with Coreboot?
    • Is buying an Intel motherboard manufactured before 2006 the only way to 100% totally avoid IME? If yes doesn't such an old motherboard lack the required horsepower needed to operate a robust Bitcoin hub?
    • Is an AMD motherboard a better foundation level security alternative to building a Bitcoin Node? If yes what particular AMD CPU generation / motherboard manufactured year should I be looking at?

    As I mentioned, I am researching the task of disabling the IME on a motherboard and not 100% certain if I should continue down this path. I would appreciate any opinions that will help me figure out the best approach to building a secure Bitcoin node at the motherboard foundation level. Thank you for your time.