Expensive is one way to put it. With the patch enabled my Laptop consumes considerably more power (1.5-2 Watts average) on light tasks like vaapi decoding or webbrowsing resulting in ~25% less battery life. Powertop shows RC6 is reached for the GPU but deeper package states are far less than before. The worst thing is that there is NO WAY to switch this patch off! Gonna Stick with 5.3 Kernel until I find an good AMD laptop.

I don't know specifics of the attack, but the likelihood of a web browser exploiting it and being able to retrieve any data is unlikely afaik, and that's assuming they could reliably get data via the attack in the first place. Some of these local exploits afaik need to be handled in a more manual/sequential manner under certain controlled conditions and sift through noise. Generally, the browser exploit would be initiated by JS and for it to send data to another domain has to bypass some default security polices in place now, unless they own the actual domain/server or have a way to store the data there for retrieval. The other likely avenue is browser extensions I guess? Of which I'm more careful/conservative in using.

I have no doubt that someone specifically targeting me and knowing what they're doing can probably compromise me and my data, but automated/bot attempts often performed by script kiddies(in the sense the attacker is often from a community as a leech, using the work of others rather than tailoring the code themselves and actually understanding it properly).. they're generally after whatever easy wins with low hanging fruit can be had.

For my personal systems, I'm not too bothered.

What CPU are you using? If this is only mitigated via kernel, then for those that are ok with custom kernels, I guess this would be a useful patch to have(that removes the mitigation).

I just got a new Intel laptop for the power saving advantage it has over AMD(80% less or more, bit better with 5.5 kernel and PSR support I imagine), although now AMD Renoir 4000 series seems like it might further surpass this weakness AMD has had with laptops, ugh.

i7-8700T running in a clevo laptop and a i5-7200u powering a Lenovo T470. Both laptops are able to park the GPU when idle with latest 5.5-rc6. During lightweight tasks (playing very old opengl games or video hardware decoding) the power drain however is 2-2.5 watts higher on the 8700T and 1.5-watts on the 7200u compared to earlier 5.3 kernel w/o any soft-rc6isch patches. Kernel param "mitigations=off" unfortunately doesn't help here. I can understand that this has to be patched but for god sake Intel please leave us the chance to bypass this patch - PLEASE!

I don't understand why they haven't got a way to disable this mitigation, if it is only a local issue.

Or can it be invoked 'locally' via WebGL (or a similar web-deliverable GPU-invoking mechanism) in a web page?

I'm getting a *little* bit irritated right now. In the last few weeks, Intel has...

a) broken RC6 power management with a hastily rolled out security fix (and there is STILL no proper fix for the regression),

b) introduced random hangs in the driver, and apparently everyone on newer hardware is affected (only with different likelihood to encounter hangs)

c) and now has done yet another hastily implemented security fix with unknown performance, power management and stability implications

At this point I'm not going to recommend Intel notebooks anymore and nobody in their right mind should do so either.

It is good that you have considered your threat model.

I too do not know the details of the exploit, my thoughts are based that web browsers have a lot of control over how things are rendered. if it can be exploited then that's the vector of least resistance.

Hopefully they can sort that out. that's a significant power regression.

Exploiting it is one thing, getting the exploited data sent back to you via the browser sandbox/policies is another afaik.

I'm not sure what kernel you're running, but I had your "a" and "b" issues before, and FWIW they've been fixed and are now in Linus' bleeding-edge master. As far as "c", a quick "#if 0" (to avoid merge issues) around the one-(effective)-line mitigation took care of it for me.