Pandora’s Box: The Intel Management Engine
We’re often asked about the Intel Management Engine (ME) — what it is, what it does, and most importantly, how we handle it at Star Labs.
This guide explains the background, how we disable it, and how you can check whether it’s disabled on your own system.
What Is the Intel Management Engine?
The Intel Management Engine is a small, independent subsystem that exists inside all modern Intel Core processors. It has its own processor and runs Intel’s proprietary firmware, separate from your operating system. In newer Intel platforms, it’s officially called the Converged Security and Manageability Engine (CSME). Its core purpose is to perform the Bring-Up Process (BUP) — essentially powering on and initialising the CPU — so it can’t be completely removed.
Over the years, a lot of confusion has surrounded what the Management Engine actually does. It’s often mixed up with Intel Active Management Technology (AMT) — a remote-management tool designed for enterprise systems that can wake computers, access networks, and perform updates remotely. However, AMT only exists on Intel vPro processors, which we do not use in any Star Labs devices.
As for CSME itself, only Intel knows its full capabilities, but it does perform a number of low-level tasks. None of them are required for everyday Linux use, so we disable it wherever possible.
How We Disable It
A common misconception is that coreboot is required to disable the CSME. That’s not true — it can also be done through the AMI BIOS. To give an analogy: AMI and coreboot are like different word processors — both can write a document, just with different styles.
coreboot could be compared to LibreOffice Writer (open-source), while AMI is more like Microsoft Word (proprietary).
Another myth is that the only way to disable the CSME is by using me_cleaner — an older open-source tool that deletes parts of the ME firmware. While it was clever for its time, it hasn’t been actively maintained since 2018, and it can cause system instability because it deliberately corrupts parts of the firmware. Fortunately, Intel later introduced an official method to disable the CSME — reducing it to the minimal code required for the CPU’s Bring-Up Process. Rumour has it this change was made at the NSA’s request.
At Star Labs, we use this official and reliable method, which allows us to enable or disable the CSME cleanly and verify that it’s truly off. When using AMI, this feature was already available. For coreboot, we added our own implementation — you can see the code here on GitHub.
How to Check if It’s Disabled
Several tools claim to check ME status, but only one method gives reliable results.
Older tools like intel_me_tool or chipsec can be misleading — they check through the PCI interface, and if that interface is simply disabled, they may falsely report that ME isn’t present.
The most accurate way to confirm the CSME’s status is by reading the firmware debug logs.
For AMI firmware, this requires specialist equipment, which we have for in-house testing.
For coreboot, however, you can check directly from Linux using a public tool called cbmem.
Steps to Check
- Install cbmem:
- Run the following command to show ME-related information:
- Look for the Operation Mode line:
  - 0 = Normal / Enabled
  - 3 = Disabled

Example: Enabled
Example: Disabled
This code is standard in coreboot and should work on any modern hardware using it.
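A small shell helper for the check described in the steps above, added here as an example and not Star Labs' or coreboot's own code. It assumes the log line has the form "ME: Current Operation Mode : <n>", runs on constructed sample lines, and uses hypothetical function names. A missing line is reported as not-found rather than disabled.

```shell
#!/bin/sh
# Added example: classify the ME "Operation Mode" value found in coreboot
# console log text (for instance, output captured from cbmem and piped in).
# Assumption: the line looks like "ME: Current Operation Mode : <n>".
# Only the values 0 and 3 are given on the page; anything else is "unknown".

# Constructed sample log excerpts, not captured from real hardware.
SAMPLE_ENABLED='ME: Current Operation State     : 1
ME: Current Operation Mode      : 0
ME: Error Code                  : 0'

SAMPLE_DISABLED='ME: Current Operation State     : 1
ME: Current Operation Mode      : 3
ME: Error Code                  : 0'

# me_operation_mode: read log text on stdin and print the value from the
# last "Operation Mode" line. Prints nothing and returns 1 if none exists.
me_operation_mode() {
    mode=$(sed -n 's/.*Operation Mode[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# me_status: map the value to a verdict. A missing line is "not-found",
# never "disabled": absence of the line proves nothing about the ME.
me_status() {
    mode=$(me_operation_mode) || { echo "not-found"; return 2; }
    case "$mode" in
        0) echo "enabled" ;;
        3) echo "disabled" ;;
        *) echo "unknown($mode)"; return 3 ;;
    esac
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_ENABLED"  | me_status
printf '%s\n' "$SAMPLE_DISABLED" | me_status
```

To use it on a real system, pipe the firmware console log text into me_status instead of the sample variables.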
Why We Disable It
At its core, the Intel CSME is closed-source, always on, and network-capable — three things that raise serious privacy concerns for many users.
By disabling it, we ensure that:
- Only the minimal hardware bring-up code remains active.
- No hidden processes can run independently of the operating system.
- You have full visibility into what your computer is doing.
Combined with coreboot, this means your system boots faster, uses less power, and gives you a level of transparency that proprietary firmware can’t match.
In short: less mystery, more control — exactly how open-source computing should be.