** Summary changed:

- NEO_DISABLE_MITIGATIONS flag default should be true
+ [SRU] NEO_DISABLE_MITIGATIONS flag default should be true

** Description changed:

- After discussion between Intel and Canonical’s security teams, we are in
- agreement that Spectre no longer needs to be mitigated for the GPU at
- the Compute Runtime level. At this point, Spectre has been mitigated in
- the kernel, and a clear warning from the Compute Runtime build serves as
- a notification for those running modified kernels without those patches.
- For these reasons, we feel that Spectre mitigations in Compute Runtime
- no longer offer enough security impact to justify the current
- performance tradeoff.
+ [ Impact ]
+ 
+  * Users can expect up to 20% performance improvement
+ 
+ [ Test Plan ]
+ 
+  * Run Khronos's OpenCL conformance tests:
+    https://github.com/KhronosGroup/OpenCL-CTS/tree/main/test_conformance
+    
+    This will be run via checkbox-gfx, so the commands would be:
+    sudo snap install --classic snapcraft
+    sudo snap install checkbox24
+    lxd init --auto
+    git clone https://github.com/canonical/checkbox-gfx
+    cd checkbox-gfx
+    snapcraft
+    sudo snap install --dangerous --classic ./checkbox-gfx_1.0_amd64.snap
+    checkbox-gfx.install-opencl
+    checkbox-gfx.test-opencl
+ 
+    The goal here is not a perfect pass rate. The bar will be no regressions on
+    the new version without mitigations.
+ 
+ [ Where problems could occur ]
+ 
+  * As we are proposing to eliminate a vulnerability mitigation, there is the 
possibility that this would open up an unknown avenue for attack. To provide 
some confidence for this sizable risk, both Intel and Canonical security have 
signed off on this change, and Intel even distributes without these mitigations 
from their Compute Runtime Github repo without any known exploits. 
+ * As with any change, this change could open up some other bug that was 
covered up by the mitigations. As with the previous point, we have some 
confidence because Intel already publishes without these mitigations. 
+ * As we have mentioned that Intel already includes this change, it is 
appropriate to mention that Intel statically links their builds for Compute 
Runtime and has some differences in their debian packaging, which means that we 
could have unknown behavioral differences between the archive version and the 
versions published in their Github repo.
+ 
+ [ Other Info ]
+ 
+ * PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131
+ * Converted original bug to an SRU. Original description below
+ * Targeting back to Noble
+ 
+ [ Original Description ]
+ After discussion between Intel and Canonical’s security teams, we are in 
agreement that Spectre no longer needs to be mitigated for the GPU at the 
Compute Runtime level. At this point, Spectre has been mitigated in the kernel, 
and a clear warning from the Compute Runtime build serves as a notification for 
those running modified kernels without those patches. For these reasons, we 
feel that Spectre mitigations in Compute Runtime no longer offer enough 
security impact to justify the current performance tradeoff.
  
  Intel themselves have enabled this flag in their builds available on
  their Github release page upstream.
  
  PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131
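Review bot: the [ Test Plan ] has no baseline run, so its stated bar of "no regressions on the new version without mitigations" cannot be measured as written; run the OpenCL-CTS suite once against the current Noble intel-compute-runtime package and once against the PPA build from lp2110131, and attach both result sets to the bug so the comparison is reviewable. The plan also never verifies that the archive package was actually built with NEO_DISABLE_MITIGATIONS enabled, and the third bullet under [ Where problems could occur ] itself notes that Intel's GitHub builds are statically linked and packaged differently, so upstream's experience is not evidence for the archive build; add a step that confirms the flag took effect in the PPA package, and, given the [ Impact ] claim of up to 20% improvement, a before/after measurement on the same hardware so the performance justification is recorded alongside the conformance results.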

-- 
You received this bug notification because you are a member of Ubuntu-X,
which is subscribed to intel-compute-runtime in Ubuntu.
https://bugs.launchpad.net/bugs/2110131