[SRU] NEO_DISABLE_MITIGATIONS flag default should be true
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| intel-compute-runtime (Ubuntu) |
Fix Released
|
Undecided
|
Shane McKee | ||
| Noble |
New
|
Undecided
|
Unassigned | ||
| Oracular |
New
|
Undecided
|
Unassigned | ||
| Plucky |
New
|
Undecided
|
Unassigned | ||
Bug Description
[ Impact ]
* Users can expect up to 20% performance improvement
[ Test Plan ]
* Run Khronos's OpenCL conformance tests:
https:/
This will be run via checkbox-gfx, so the commands would be:
sudo snap install --classic snapcraft
sudo snap install checkbox24
lxd init --auto
git clone https:/
cd checkbox-gfx
snapcraft
sudo snap install --dangerous --classic ./checkbox-
checkbox-
checkbox-
The goal here is not a perfect pass rate. The bar will be no regressions on
the new version without mitigations.
[ Where problems could occur ]
* As we are proposing to eliminate a vulnerability mitigation, there is the possibility that this would open up an unknown avenue for attack. To provide some confidence for this sizable risk, both Intel and Canonical security have signed off on this change, and Intel even distributes without these mitigations from their Compute Runtime Github repo without any known exploits.
* As with any change, this change could open up some other bug that was covered up by the mitigations. As with the previous point, we have some confidence because Intel already publishes without these mitigations.
* As we have mentioned that Intel already includes this change, it is appropriate to mention that Intel statically links their builds for Compute Runtime and has some differences in their debian packaging, which means that we could have unknown behavioral differences between the archive version and the versions published in their Github repo.
[ Other Info ]
* PPA: https:/
* Converted original bug to an SRU. Original description below
* Targeting back to Noble
[ Original Description ]
After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have enabled this flag in their builds available on their Github release page upstream.
PPA: https:/
| tags: | added: pe-sponsoring-request |
| description: | updated |
| description: | updated |
| Andreas Hasenack (ahasenack) wrote | #3 |
| Changed in intel-compute-runtime (Ubuntu): | |
| assignee: | nobody → Shane McKee (mckeesh) |
| status: | New → In Progress |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in intel-compute-runtime (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| summary: |
- NEO_DISABLE_MITIGATIONS flag default should be true + [SRU] NEO_DISABLE_MITIGATIONS flag default should be true |
| description: | updated |
| Dave Jones (waveform) wrote | #5 |
| Shane McKee (mckeesh) wrote | #6 |
| Shane McKee (mckeesh) wrote | #7 |
Sponsored the second debdiff, with a small changelog modification in the text and the version:
diff --git a/debian/changelog b/debian/changelog
index c684de50..336101d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+intel-
+
+ * d/rules: Disable GPU Spectre mitigations (LP: #2110131)
+
+ -- Shane McKee <email address hidden> Wed, 07 May 2025 18:06:08 +0400
+
intel-
* Backport patch to add Battlemage PCI ID 0xE211 (LP: #2106038)
diff --git a/debian/rules b/debian/rules
index 24d492ac..c050fff2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,6 +10,7 @@ override_
+ -DNEO_DISABLE_
override_
Uploaded to questing:
Uploading intel-compute-
Uploading intel-compute-
Uploading intel-compute-
Uploading intel-compute-