Coreboot doesn’t disable the IME by the way. It just gets rid of some of it’s functionality blobs and sends a signal to it telling it to please disable itself. No one knows if that signal actually works. Only Intel themselves can actually fully remove it from a processor, like they did with the processors they sold to the NSA.
Okay I did some research and I was wrong. There is no confirmation Intel specifically removed the IME from NSA’s PCs. It’s just that some reverse engineers found a flag that supposedly disables it, and their theory is that it was meant for the NSA.
https://www.notebookcheck.net/Eureka-The-Intel-Management-Engine-can-finally-be-disabled-thanks-to-the-NSA.245922.0.html
I believe this is the switch System76 and Purism turn off, but as I said, since the blob is still there, we can’t be sure that switch actually works or if it’s just a trap.