Re: Anti roll back ...
Most BIOSs store a backup of the firmware before writing the new one. I'm no CPU guru, but couldn't something similar be done securely? A chip that only ME can access, where it writes the old firmware, flashes the new, if the ME fails to come up, re-write the backup?
So long as only the ME can access this "backup chip", it should be safe as for something nefarious to mess with the backup chip, it'd have to first compromise the ME, and you're hosed anyway.