Announcement

Collapse
No announcement yet.

Intel's Linux Graphics Driver Gets Patched For A Gen9 Graphics Vulnerability

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Originally posted by boxie View Post
    forcibly clearing the EU state on each context switch sounds expensive - I assume there will be a short article benchmarking it Michael ?
    Expensive is one way to put it. With the patch enabled my Laptop consumes considerably more power (1.5-2 Watts average) on light tasks like vaapi decoding or webbrowsing resulting in ~25% less battery life. Powertop shows RC6 is reached for the GPU but deeper package states are far less than before. The worst thing is that there is NO WAY to switch this patch off! Gonna Stick with 5.3 Kernel until I find an good AMD laptop.
    Last edited by saski; 01-15-2020, 03:02 AM.

    Comment


    • #12
      Originally posted by boxie View Post

      well if it can be exploited via a web browser you might just need to have it enabled all the time.

      come to think of it, it probably has a hit on energy usage as well.
      I don't know specifics of the attack, but the likelihood of a web browser exploiting it and being able to retrieve any data is unlikely afaik, and that's assuming they could reliably get data via the attack in the first place. Some of these local exploits afaik need to be handled in a more manual/sequential manner under certain controlled conditions and sift through noise. Generally, the browser exploit would be initiated by JS and for it to send data to another domain has to bypass some default security polices in place now, unless they own the actual domain/server or have a way to store the data there for retrieval. The other likely avenue is browser extensions I guess? Of which I'm more careful/conservative in using.

      I have no doubt that someone specifically targeting me and knowing what they're doing can probably compromise me and my data, but automated/bot attempts often performed by script kiddies(in the sense the attacker is often from a community as a leech, using the work of others rather than tailoring the code themselves and actually understanding it properly).. they're generally after whatever easy wins with low hanging fruit can be had.

      For my personal systems, I'm not too bothered.

      Comment


      • #13
        Originally posted by saski View Post

        Expensive is one way to put it. With the patch enabled my Laptop consumes considerably more power (1.5-2 Watts average) on light tasks like vaapi decoding or webbrowsing resulting in ~25% less battery life. Powertop shows RC6 is reached for the GPU but deeper package states are far less than before. The worst thing is that there is NO WAY to switch this patch off! Gonna Stick with 5.3 Kernel until I find an good AMD laptop.
        What CPU are you using? If this is only mitigated via kernel, then for those that are ok with custom kernels, I guess this would be a useful patch to have(that removes the mitigation).

        I just got a new Intel laptop for the power saving advantage it has over AMD(80% less or more, bit better with 5.5 kernel and PSR support I imagine), although now AMD Renoir 4000 series seems like it might further surpass this weakness AMD has had with laptops, ugh.

        Comment


        • #14
          Originally posted by polarathene View Post

          What CPU are you using? If this is only mitigated via kernel, then for those that are ok with custom kernels, I guess this would be a useful patch to have(that removes the mitigation).

          I just got a new Intel laptop for the power saving advantage it has over AMD(80% less or more, bit better with 5.5 kernel and PSR support I imagine), although now AMD Renoir 4000 series seems like it might further surpass this weakness AMD has had with laptops, ugh.
          i7-8700T running in a clevo laptop and a i5-7200u powering a Lenovo T470. Both laptops are able to park the GPU when idle with latest 5.5-rc6. During lightweight tasks (playing very old opengl games or video hardware decoding) the power drain however is 2-2.5 watts higher on the 8700T and 1.5-watts on the 7200u compared to earlier 5.3 kernel w/o any soft-rc6isch patches. Kernel param "mitigations=off" unfortunately doesn't help here. I can understand that this has to be patched but for god sake Intel please leave us the chance to bypass this patch - PLEASE!

          Comment


          • #15
            I don't understand why they haven't got a way to disable this mitigation, if it is only a local issue.

            Or can it be invoked 'locally' via WebGL (or a similar web-deliverable GPU-invoking mechanism) in a web page?

            Comment


            • #16
              I'm getting a *little* bit irritated right now. In the last few weeks, Intel has...

              a) broken RC6 power management with a hastily rolled out security fix (and there is STILL no proper fix for the regression),

              b) introduced random hangs in the driver, and apparently everyone on newer hardware is affected (only with different likelihood to encounter hangs)

              c) and now has done yet another hastily implemented security fix with unknown performance, power management and stability implications

              At this point I'm not going to recommend Intel notebooks anymore and nobody in their right mind should do so either.

              Comment


              • #17
                Originally posted by polarathene View Post

                I don't know specifics of the attack, but the likelihood of a web browser exploiting it and being able to retrieve any data is unlikely afaik, and that's assuming they could reliably get data via the attack in the first place. Some of these local exploits afaik need to be handled in a more manual/sequential manner under certain controlled conditions and sift through noise. Generally, the browser exploit would be initiated by JS and for it to send data to another domain has to bypass some default security polices in place now, unless they own the actual domain/server or have a way to store the data there for retrieval. The other likely avenue is browser extensions I guess? Of which I'm more careful/conservative in using.

                I have no doubt that someone specifically targeting me and knowing what they're doing can probably compromise me and my data, but automated/bot attempts often performed by script kiddies(in the sense the attacker is often from a community as a leech, using the work of others rather than tailoring the code themselves and actually understanding it properly).. they're generally after whatever easy wins with low hanging fruit can be had.

                For my personal systems, I'm not too bothered.
                It is good that you have considered your threat model.

                I too do not know the details of the exploit, my thoughts are based that web browsers have a lot of control over how things are rendered. if it can be exploited then that's the vector of least resistance.

                Comment


                • #18
                  Originally posted by saski View Post

                  Expensive is one way to put it. With the patch enabled my Laptop consumes considerably more power (1.5-2 Watts average) on light tasks like vaapi decoding or webbrowsing resulting in ~25% less battery life. Powertop shows RC6 is reached for the GPU but deeper package states are far less than before. The worst thing is that there is NO WAY to switch this patch off! Gonna Stick with 5.3 Kernel until I find an good AMD laptop.
                  Hopefully they can sort that out. that's a significant power regression.

                  Comment


                  • #19
                    Originally posted by boxie View Post

                    It is good that you have considered your threat model.

                    I too do not know the details of the exploit, my thoughts are based that web browsers have a lot of control over how things are rendered. if it can be exploited then that's the vector of least resistance.
                    Exploiting it is one thing, getting the exploited data sent back to you via the browser sandbox/policies is another afaik.

                    Comment


                    • #20
                      Originally posted by brent View Post
                      a) broken RC6 power management with a hastily rolled out security fix (and there is STILL no proper fix for the regression),
                      b) introduced random hangs in the driver, and apparently everyone on newer hardware is affected (only with different likelihood to encounter hangs)
                      c) and now has done yet another hastily implemented security fix with unknown performance, power management and stability implications
                      I'm not sure what kernel you're running, but I had your "a" and "b" issues before, and FWIW they've been fixed and are now in Linus' bleeding-edge master. As far as "c", a quick "#if 0" (to avoid merge issues) around the one-(effective)-line mitigation took care of it for me.

                      Comment

                      Working...
                      X