Ubuntu has decided to disable Intel GPU security mitigations against Spectre in favor of reimplementing them into the kernel. While this may lead to a significant performance boost, both Intel and Canonical has acknowledged that some risk could remain.
Over time, those mitigations have degraded graphics processing performance by as much as 20 percent, a member of the Ubuntu development team recently reported. Additionally, the team member said, Ubuntu will integrate many of the same mitigations directly into its Kernel, specifically in the Questing Quokka release scheduled for October. In consultation with their counterparts at Intel, Ubuntu security engineers have decided to disable the mitigations in the device driver for the Intel Graphics Compute Runtime.
“After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu developer Shane McKee wrote. He continued:
At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
McKee went on to say that as a result, “Users can expect up to 20% performance improvement.”
The developer acknowledged that the change could open security holes or introduce bugs but said that both Ubuntu and Intel have confidence that disabled versions will be safe.
Most of the researchers Ars consulted agreed. They reasoned that the mitigations built into the kernel are likely to protect against most if not all Spectre attack scenarios. They also noted that there are no known reports of Spectre attacks ever being actively used in the wild.