Re: Too complex to be true
'Not even examination of the silicon would make it immediately apparent, because the bogus silicon could be marked with the correct chip ID and a bogus "new revision" number.'
Many moons ago I worked for the Semiconductor Control Facility of Sperry Univac. Our incoming inspection/failure analysis lab routinely de-lidded integrated circuits and looked at them under an electron microscope, and also subjected them to scanning by a secondary ion mass spectrometer (SIMS). Any such undisclosed modification would have been flagged and a full and frank discussion with the supplier would shortly ensue. It did happen on occasion that there was a die shrink or a design change that was not communicated to us beforehand, and such behavior was explicitly against the purchase agreements we made with our suppliers. Violations could and did result in suppliers being struck off the approved vendor list of the part control drawing.
Since that time, the state of the art in quality assurance has shifted, with more trust placed in suppliers, and incoming inspection has been mostly replaced by supplier audits, sending component engineers out to the fabs or simply reviewing data provided by the manufacturer. So I would not be surprised if a counterfeit IC could be inserted into the supply chain by a nation-state spy agency.
Another comment about this paragraph from the story:
'It claims that its system is "designed so that no single Supermicro employee, single team, or contractor has unrestricted access to the complete motherboard design."'
As someone who does this for a living: I'm almost certain that the engineers who develop the functional and in-circuit tests for these motherboards do in fact have unfettered access to the complete motherboard design at the IC interconnect level, since they need the netlist, the bill of materials, FPGA programming images, firmware images, boundary scan vectors, physical board layout (Gerber files), schematics, etc.