Intel Ivybridge + Haswell Require Security Mitigation For Graphics Hardware Flaw
Earlier today we were first to report on an Intel graphics driver patch mitigating a "Gen9" graphics hardware vulnerability. Details on that new security disclosure are coming to light and it turns out older Intel "Gen" graphics are also affected.
The Linux kernel patch for this hardware defect that was merged earlier today covered only the very common Gen9 graphics, basically from Skylake through all relevant/shipping CPUs today pre-Icelake. That patch mentioned that Gen8 was not impacted thanks to an earlier workaround. But now it turns out Intel Gen7/Gen7.5 graphics are also affected: this basically means Ivy Bridge and Haswell processors along with the likes of Valley View.
A new patch has been posted that characterizes this Intel Processor Graphics issue as insufficient control flow in certain data structures. As explained earlier, this vulnerability could lead to unintended information disclosure, but exploiting it requires local access to the system.
The Gen9 workaround is clearing the execution state between context switches. For Ivy Bridge and Haswell, a custom EU kernel is being called prior to every context restore in order to clear EU and URB resources.
While the Gen9 patch was quickly merged today and has already been back-ported to the stable trees, the Gen7/Gen7.5 patch has not. The mitigation for older Intel hardware is pending mainline inclusion while its performance impact is analyzed.
The Intel Gen7 graphics security mitigation patch can be found here. Presumably a similar change will be coming to the Intel Windows driver. I'll be firing up some benchmarks shortly to see how this Intel HD Graphics security mitigation affects graphics performance.