| 2025-05-07 14:02:39 |
Shane McKee |
bug |
|
|
added bug |
| 2025-05-07 14:14:49 |
Shane McKee |
tags |
|
pe-sponsoring-request |
|
| 2025-05-07 14:15:26 |
Shane McKee |
description |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a warning for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have disabled this flag in their builds available on their Github release page upstream. |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a warning for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have disabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
|
| 2025-05-07 14:37:41 |
Shane McKee |
attachment added |
|
intel_compute_mitigations.debdiff https://bugs.launchpad.net/ubuntu/+source/intel-compute-runtime/+bug/2110131/+attachment/5876300/+files/intel_compute_mitigations.debdiff |
|
| 2025-05-07 15:04:38 |
Shane McKee |
description |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a warning for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have disabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have disabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
|
| 2025-05-07 15:12:24 |
Shane McKee |
bug |
|
|
added subscriber Ubuntu Sponsors |
| 2025-05-07 15:31:39 |
Shane McKee |
description |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have disabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have enabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
|
| 2025-05-07 15:33:49 |
Shane McKee |
attachment added |
|
intel_compute_mitigations_2.debdiff https://bugs.launchpad.net/ubuntu/+source/intel-compute-runtime/+bug/2110131/+attachment/5876309/+files/intel_compute_mitigations_2.debdiff |
|
| 2025-06-06 17:25:08 |
Andreas Hasenack |
intel-compute-runtime (Ubuntu): assignee |
|
Shane McKee (mckeesh) |
|
| 2025-06-06 17:25:11 |
Andreas Hasenack |
intel-compute-runtime (Ubuntu): status |
New |
In Progress |
|
| 2025-06-06 17:25:33 |
Andreas Hasenack |
intel-compute-runtime (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2025-06-07 00:28:58 |
Launchpad Janitor |
intel-compute-runtime (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2025-06-11 18:18:39 |
Shane McKee |
summary |
NEO_DISABLE_MITIGATIONS flag default should be true |
[SRU] NEO_DISABLE_MITIGATIONS flag default should be true |
|
| 2025-06-11 18:18:42 |
Shane McKee |
description |
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have enabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
[ Impact ]
* Users can expect up to 20% performance improvement
[ Test Plan ]
* Run Khronos's OpenCL conformance tests:
https://github.com/KhronosGroup/OpenCL-CTS/tree/main/test_conformance
This will be run via checkbox-gfx, so the commands would be:
sudo snap install --classic snapcraft
sudo snap install checkbox24
lxd init --auto
git clone https://github.com/canonical/checkbox-gfx
cd checkbox-gfx
snapcraft
sudo snap install --dangerous --classic ./checkbox-gfx_1.0_amd64.snap
checkbox-gfx.install-opencl
checkbox-gfx.test-opencl
The goal here is not a perfect pass rate. The bar will be no regressions on
the new version without mitigations.
[ Where problems could occur ]
* As we are proposing to eliminate a vulnerability mitigation, there is the possibility that this would open up an unknown avenue for attack. To provide some confidence for this sizable risk, both Intel and Canonical security have signed off on this change, and Intel even distributes without these mitigations from their Compute Runtime Github repo without any known exploits.
* As with any change, this change could open up some other bug that was covered up by the mitigations. As with the previous point, we have some confidence because Intel already publishes without these mitigations.
* As we have mentioned that Intel already includes this change, it is appropriate to mention that Intel statically links their builds for Compute Runtime and has some differences in their debian packaging, which means that we could have unknown behavioral differences between the archive version and the versions published in their Github repo.
[ Other Info ]
* PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131
* Converted original bug to an SRU. Original description below
* Targeting back to Noble
[ Original Description ]
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have enabled this flag in their builds available on their Github release page upstream.
PPA: https://launchpad.net/~mckeesh/+archive/ubuntu/lp2110131 |
|
| 2025-06-11 18:18:58 |
Shane McKee |
removed subscriber Ubuntu Sponsors |
|
|
|
| 2025-06-11 20:11:50 |
Dave Jones |
nominated for series |
|
Ubuntu Oracular |
|
| 2025-06-11 20:11:50 |
Dave Jones |
bug task added |
|
intel-compute-runtime (Ubuntu Oracular) |
|
| 2025-06-11 20:11:50 |
Dave Jones |
nominated for series |
|
Ubuntu Plucky |
|
| 2025-06-11 20:11:50 |
Dave Jones |
bug task added |
|
intel-compute-runtime (Ubuntu Plucky) |
|
| 2025-06-11 20:11:50 |
Dave Jones |
nominated for series |
|
Ubuntu Noble |
|
| 2025-06-11 20:11:50 |
Dave Jones |
bug task added |
|
intel-compute-runtime (Ubuntu Noble) |
|
| 2025-06-11 20:31:35 |
Shane McKee |
attachment removed |
intel_compute_mitigations.debdiff https://bugs.launchpad.net/ubuntu/+source/intel-compute-runtime/+bug/2110131/+attachment/5876300/+files/intel_compute_mitigations.debdiff |
|
|
