Has anybody out there disabled the IME and if yes what motherboard model did you apply the Coreboot to? I ask just in case I end up bricking my Supermicro motherboard.
Haven't tried this specific board, but I have experience disabling IME on a considerable variety of both desktop and server motherboards, and the rule of thumb that applies generally is checking for two conditions:
(a) you need IPMI or any other OOB management options enabled, because disabling IME will break them since they depend on it
(b) your current ROM has Intel Boot Guard fully enabled by a combination of both Measured Boot and Verified Boot modes, which may result in a bricked board after removing IME unless it was done by toggling the HAP/AltMeDisable bit (which will still prevent you from flashing Coreboot)
(c) measuring whether you need Coreboot or whether running the vendor's BIOS with IME disabled is enough, depending on the amount of closed-source firmware blobs Coreboot will require for your board to run (https://github.com/coreboot/blobs)
It seems Coreboot lists your MB in https://doc.coreboot.org/security/vboot/list_vboot.html, which means they have found a workaround to bypass the chipset's protection and properly sign the ROM, making it an exception for (b) and meaning it should work. Apparently they also report it as an officially supported board here: https://doc.coreboot.org/mainboard/supermicro/x11-lga1151-series/x11ssh-f/x11ssh-f.html, therefore everything should work fine. The only question here is whether the BMC will continue working or not if you disable Intel ME. It seems disabling Intel ME doesn't affect the BMC on Supermicro boards, according to https://doc.coreboot.org/mainboard/supermicro/flashing_on_vendorbmc.html#flashing-with-disabled-me, which is not the case for most boards from other manufacturers, according to my experience.
For devices not listed as supported by Coreboot, I recommend checking me_cleaner's report thread https://github.com/corna/me_cleaner/issues/3, where most of the reported boards on which ME can be fully disabled will supposedly also allow you to flash Coreboot.
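Before deciding between (b) and (c), it helps to look at what the current ROM dump actually contains. The following script is an added example, not code from this thread or from the me_cleaner or Coreboot projects: it parses the Intel flash descriptor of a SPI image (signature 0x0FF0A55A at offset 0x10, FLMAP0/FLMAP1 pointing at the region table and the PCH straps), reports where the ME region sits, and reads the HAP bit (PCHSTRP0 bit 16, ME 11 and later) and the AltMeDisable bit (PCHSTRP10 bit 7, older ME generations) without writing anything. The offsets are the publicly documented descriptor layout as used by me_cleaner; which of the two bits applies to a given board depends on its ME generation, which this read-only check does not determine. The sample image at the bottom is constructed for the demonstration.

```python
import struct

DESCRIPTOR_SIGNATURE = 0x0FF0A55A  # "FLVALSIG" marker at offset 0x10 of a descriptor-mode image
ME_REGION_INDEX = 2                # region table: 0 = descriptor, 1 = BIOS, 2 = ME, 3 = GbE, ...


def parse_descriptor(rom: bytes) -> dict:
    """Read-only inspection of an Intel flash descriptor. Raises ValueError if absent."""
    if len(rom) < 0x1000:
        raise ValueError("image too small to contain a flash descriptor")
    (sig,) = struct.unpack_from("<I", rom, 0x10)
    if sig != DESCRIPTOR_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")

    flmap0, flmap1 = struct.unpack_from("<II", rom, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4   # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4  # Flash PCH Strap Base Address

    # Each region entry: bits 14:0 = base >> 12, bits 30:16 = limit >> 12.
    (flreg,) = struct.unpack_from("<I", rom, frba + 4 * ME_REGION_INDEX)
    me_base = (flreg & 0x7FFF) << 12
    me_limit = ((flreg >> 16) & 0x7FFF) << 12 | 0xFFF
    me_present = me_base <= me_limit  # an unused region has base > limit

    # PCH straps live at FPSBA; PCHSTRP0 bit 16 is HAP (ME 11+),
    # PCHSTRP10 bit 7 is AltMeDisable (ME <= 10). Reading both is harmless.
    (pchstrp0,) = struct.unpack_from("<I", rom, fpsba)
    hap_bit = bool((pchstrp0 >> 16) & 1)
    altmedisable_bit = None
    if fpsba + 0x2C <= len(rom):
        (pchstrp10,) = struct.unpack_from("<I", rom, fpsba + 0x28)
        altmedisable_bit = bool((pchstrp10 >> 7) & 1)

    return {
        "frba": frba,
        "fpsba": fpsba,
        "me_present": me_present,
        "me_base": me_base if me_present else None,
        "me_limit": me_limit if me_present else None,
        "hap_bit": hap_bit,
        "altmedisable_bit": altmedisable_bit,
    }


def build_sample_image(hap_set: bool, me_present: bool = True) -> bytes:
    """Constructed 4 KiB descriptor for demonstration; not a real vendor ROM."""
    rom = bytearray(0x1000)
    struct.pack_into("<I", rom, 0x10, DESCRIPTOR_SIGNATURE)
    struct.pack_into("<II", rom, 0x14, 0x04 << 16, 0x10 << 16)  # FRBA=0x40, FPSBA=0x100
    struct.pack_into("<I", rom, 0x40, 0x00000000)                 # descriptor: 0x0-0xFFF
    struct.pack_into("<I", rom, 0x44, (0x7FF << 16) | 0x600)      # BIOS: 0x600000-0x7FFFFF
    if me_present:
        struct.pack_into("<I", rom, 0x48, (0x5FF << 16) | 0x003)  # ME: 0x3000-0x5FFFFF
    else:
        struct.pack_into("<I", rom, 0x48, 0x00007FFF)             # base > limit -> unused
    struct.pack_into("<I", rom, 0x100, (1 << 16) if hap_set else 0)  # PCHSTRP0
    return bytes(rom)


if __name__ == "__main__":
    for name, img in (("hap set", build_sample_image(True)),
                      ("stock", build_sample_image(False)),
                      ("no ME region", build_sample_image(False, me_present=False))):
        print(name, parse_descriptor(img))
```

Run it against a dump taken with flashrom (`parse_descriptor(open("dump.bin", "rb").read())`) to see whether the ME region is still there and whether a previous HAP/AltMeDisable toggle is already in effect; a set bit with an intact ME region is the state the post describes as surviving Boot Guard, whereas a missing or truncated ME region on a Boot Guard-enabled board is the case to worry about.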
Does disabling the IME with Coreboot really make a Bitcoin Hub more secure? Or are there tradeoffs that actually make the Bitcoin Hub less secure after installing Coreboot?
1) Yes, if your threat model includes law enforcement or hypothetical 0-days targeting IME or your BIOS ROM. 2) No
Other questions were already fully answered by others.
Great points on considering RISC-V and ARM instead, although in some cases efforts to disable IME and flash Coreboot on an Intel board might be advantageous. In your specific case, I'm not sure it's very advantageous, considering the CPUs your board supports are not extraordinarily performant (Intel® Xeon® Processor E3 v6 Family, 7th Generation Intel® Core™ i3 Processors); however, if you don't plan to use virtualization and plan to run everything you mentioned within the same kernel space, it might be enough.
Also take into consideration that most Coreboot-supported boards depend on a variety of closed-source firmware blobs, which might be no less dangerous than Intel ME. For example, originally, Coreboot is a downstream of GNU Libreboot, which had a very strict binary blob inclusion policy (none allowed), which changed some time after the RMS-related drama that led Libreboot to become a downstream of Coreboot.