My understanding is that one of the primary reasons why https://www.opencompute.org/ formed was to collaboratively design hardware which can't be compromised in-band by its users. The Elastic Secure Infrastructure effort happening in OpenInfra Labs is also attempting to template and document repeatable solutions for the first half of the problem (centrally detecting tainted BIOS/firmware via signature verification and attestation): https://www.bu.edu/rhcollab/projects/esi/

-- Jeremy Stanley
Thanks, Jeremy! I have some reading to do. It seems that, instead of detecting tainted "anything", it would be better to assume zero trust in the hardware after use, and instead reset/re-flash everything upon re-provisioning. I can understand that re-flashing can be hard on the flash, but now that most (all?) firmware has digital signature checks, this can be used to avoid re-flashing when the signature matches. However, the issue still remains that typical server hardware (I need to check OpenCompute's hardware) requires jumpers to be changed for re-flashing/resetting configs, which is a real pain. So, even if you did detect something bad, this needs to be done to fix the issue.

Eric
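The "re-flash unless the signature matches" rule from Eric's reply, as an added example that is not part of either message: a re-provisioning step reads each firmware image back from its flash part, verifies an Ed25519 signature over its SHA-256 digest against the operator's trusted key, and schedules a re-flash for every component that fails. The component names, the image bytes and the keypair are constructed for the demo; the signature format (Ed25519 over the image digest) is an assumption, not any vendor's actual scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// FirmwareComponent is one flashable region on a node (BIOS, BMC, NIC ...).
type FirmwareComponent struct {
	Name      string
	Image     []byte // bytes read back from the flash part (constructed here)
	Signature []byte // trusted-key signature over sha256(Image), assumed format
}

// NeedsReflash is true when the read-back image does not verify under the
// trusted key, so it must be re-flashed from a known-good image rather than kept.
func NeedsReflash(pub ed25519.PublicKey, c FirmwareComponent) bool {
	digest := sha256.Sum256(c.Image)
	return !ed25519.Verify(pub, digest[:], c.Signature)
}

// PlanReprovision lists the components to re-flash before the node is handed
// to its next user; components with a valid signature are left alone.
func PlanReprovision(pub ed25519.PublicKey, comps []FirmwareComponent) []string {
	var plan []string
	for _, c := range comps {
		if NeedsReflash(pub, c) {
			plan = append(plan, c.Name)
		}
	}
	return plan
}

func main() {
	// Constructed demo keypair standing in for the operator's trusted signing key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	sign := func(img []byte) []byte { d := sha256.Sum256(img); return ed25519.Sign(priv, d[:]) }

	bios := []byte("BIOS v1.2.3 image (constructed)")
	bmcSigned := []byte("BMC image (constructed)")
	comps := []FirmwareComponent{
		{"bios", bios, sign(bios)},                                  // untouched: keep
		{"bmc", append(bmcSigned, 0x00), sign(bmcSigned)},           // modified after signing: re-flash
		{"nic", []byte("NIC image with no signature"), nil},         // unsigned: re-flash
	}
	fmt.Println("re-flash:", PlanReprovision(pub, comps))
}
```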