diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index ecfdea2aae..63058124a5 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -84,4 +84,12 @@ config SERIALIO_UART_CONSOLE
 config CONSOLE_UART_BASE_ADDRESS
 	default 0xd6000000 if SERIALIO_UART_CONSOLE
 
+config DISABLE_ME_PCI
+	bool "Disable Intel ME PCI interface (MEI1)"
+	default y
+	help
+	  Disable and hide the ME PCI interface during finalize stage of boot.
+	  This will prevent the OS (and userspace apps) from interacting with
+	  the ME via the PCI interface after boot.
+
 endif
diff --git a/src/southbridge/intel/lynxpoint/me.c b/src/southbridge/intel/lynxpoint/me.c
index 40626c2362..91eeabd88e 100644
--- a/src/southbridge/intel/lynxpoint/me.c
+++ b/src/southbridge/intel/lynxpoint/me.c
@@ -543,6 +543,9 @@ void intel_me_finalize(struct device *dev)
 	/* Try to send EOP command so ME stops accepting other commands */
 	mkhi_end_of_post();
 
+	if (!CONFIG(DISABLE_ME_PCI))
+		return;
+
 	/* Make sure IO is disabled */
 	pci_and_config16(dev, PCI_COMMAND,
 			 ~(PCI_COMMAND_MASTER | PCI_COMMAND_MEMORY | PCI_COMMAND_IO));
@@ -903,7 +906,7 @@ static void intel_me_init(struct device *dev)
 static void intel_me_enable(struct device *dev)
 {
 	/* Avoid talking to the device in S3 path */
-	if (acpi_is_wakeup_s3()) {
+	if (acpi_is_wakeup_s3() && CONFIG(DISABLE_ME_PCI)) {
 		dev->enabled = 0;
 		pch_disable_devfn(dev);
 	}