Intel Preparing New Driver Option To Disable GPU Security Mitigations

Written by Michael Larabel in Intel on 9 January 2021 at 02:31 PM EST.
Following renewed attention this week on Haswell GT1 graphics having been broken under Linux for the past half-year with the latest kernel versions, a revised patch was sent out to restore graphics support for low-end Haswell Celeron/Pentium processors. As part of that, a new option is being introduced to allow disabling security mitigations in the Intel graphics driver.

The patch, sent out on Saturday, fixes up the Haswell GT1 support. It follows this week's public attention on the low-end Haswell graphics support having been broken for the past several kernel release cycles, while a prior version of the patch had been floating around on the bug report thread for weeks.

What caused that regression, which led to hangs at boot, was the Haswell mitigation for last year's "iGPU Leak" vulnerability. The Ivy Bridge / Haswell mitigation for that security vulnerability really wrecked performance at first, though it improved with time. It still imposes significant overhead, so a follow-up patch is set to finally allow users to disable the functionality.

This patch allows users to override the security mitigations default for the Intel graphics driver. "The clear-residuals mitigate is a relatively heavy hammer and under some circumstances the user may wish to forgo the context isolation in order to meet some performance requirement. Introduce a generic module parameter to allow selectively enabling/disabling different mitigations."

By default the iGPU Leak mitigation is still active, but i915.mitigations=off can now be used to disable it at run-time. (This applies only to the Intel graphics driver, covering this and any future security issues in it. The general mitigations=off kernel option is for the separate CPU security mitigation situation.)
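
For administrators who need to know where this override is in effect, the following added example (not from the article or the i915 patch) scans a kernel command line and modprobe.d-style text for the i915 setting and deliberately ignores the generic mitigations=off. The function names and sample inputs are constructed for illustration, and it assumes that when the option is repeated the last occurrence is the one that counts.

```shell
#!/bin/sh
# Added example: flag configurations that request i915.mitigations=off.

# Last i915.mitigations= value on a kernel command line ($1), or "unset".
# Assumption: when the option is repeated, the last occurrence counts.
cmdline_value() (
    set -f                      # no glob expansion while word-splitting
    value=unset
    for tok in $1; do
        case $tok in
            i915.mitigations=*) value=${tok#i915.mitigations=} ;;
        esac
    done
    printf '%s\n' "$value"
)

# Last "options i915 ... mitigations=" value in modprobe.d-style text on stdin.
modprobe_value() (
    set -f
    value=unset
    while read -r kw mod rest || [ -n "$kw" ]; do
        if [ "$kw" = options ] && [ "$mod" = i915 ]; then
            for opt in $rest; do
                case $opt in
                    mitigations=*) value=${opt#mitigations=} ;;
                esac
            done
        fi
    done
    printf '%s\n' "$value"
)

# Verdict for one host: $1 = kernel command line, $2 = modprobe.d text.
i915_mitigation_verdict() {
    c=$(cmdline_value "$1")
    m=$(printf '%s\n' "$2" | modprobe_value)
    if [ "$c" = off ] || [ "$m" = off ]; then
        echo "DISABLED cmdline=$c modprobe=$m"
    elif [ "$c" = unset ] && [ "$m" = unset ]; then
        echo "DEFAULT cmdline=$c modprobe=$m"
    else
        echo "CUSTOM cmdline=$c modprobe=$m"
    fi
}

# Constructed sample inputs (not taken from a real system). The command line
# carries only the generic CPU option, which must not count as the GPU one.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet mitigations=off'
SAMPLE_MODPROBE='# tuning
options i915 enable_fbc=1 mitigations=off'
i915_mitigation_verdict "$SAMPLE_CMDLINE" "$SAMPLE_MODPROBE"
```

On a live host, pass the contents of /proc/cmdline as the first argument and the concatenated /etc/modprobe.d/*.conf files as the second.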

If all goes well these patches should be mainlined for Linux 5.12. Well, ideally the Haswell GT1 fix will get picked up still for the 5.11 cycle and is also marked for back-porting to stable series of Linux 5.7 and newer. The mitigation control patch will presumably wait until the Linux 5.12 merge window.