Intel's Mitigation For CVE-2019-14615 Graphics Vulnerability Obliterates Gen7 iGPU Performance
Yesterday we noted that the Linux kernel picked up a patch mitigating an Intel Gen9 graphics vulnerability. It didn't sound too bad at first, but then seeing that Ivy Bridge Gen7 and Haswell Gen7.5 graphics are also affected raised eyebrows, especially with those requiring a much larger mitigation. Now, in testing the performance impact, we find the current mitigation patches completely wreck Ivy Bridge/Haswell graphics performance.
The vulnerability being discussed and analyzed this week is CVE-2019-14615. This CVE still hasn't been made public over 24 hours later (though there are the Intel SA-00314 details for this disclosure), but from going through kernel patches and other resources, it certainly caught our interest right away and we have been benchmarking it since yesterday evening. The CVE-2019-14615 vulnerability amounts to a new information disclosure issue due to insufficient control flow in certain data structures. Local access is required for exploiting this control flow issue in the hardware, but it's not yet known/published whether, say, WebGL within web browsers could exploit this issue. This is a hardware issue, with all operating systems being affected. Our testing today, of course, is under Linux.
The Intel Gen9 graphics mitigation resorts to clearing all execution unit (EU) state at each context switch. That patch was merged to mainline right away and quickly backported to the stable series, which are seeing new point releases. All is fairly well there (including minimal performance impact, as will be shown in this article), but the Gen7/Gen7.5 mitigation is where the situation becomes quite messy.
The Gen7 graphics mitigation is much larger, spanning two patches, and relies upon a custom EU kernel being called prior to every context restore for clearing EU and URB resources. (Gen8 Broadwell graphics is already protected by a prior workaround.) With these patches for the Gen7 graphics generation not being merged to mainline and the patch noting that "more analysis is performance on the performance implications," we expected the graphics performance to take a hit, but we didn't expect it to be as dramatic as what we're seeing!
First of all, for the very common Gen9 graphics that is found on basically all current Intel PCs besides Gen11 Ice Lake, the performance hit is indeed minimal... Only in some Java 2D micro-benchmarks of its OpenGL pipeline were there any measurable hits to the performance. Overall, Gen9 performance saw no real impact from the clearing of EU state between context switches. The Gen9 graphics testing was done on an Intel Core i9 9900KS system using Linux 5.5 Git from yesterday/today, during which the mitigation was applied. So that's all dandy, but Gen7 graphics is where there is a major problem:
In this Haswell Core i7 4790K benchmarking, even the Java text rendering performance dropped like crazy, not to mention the huge hits to various OpenGL games. Granted, not many games run nicely going back to the Haswell/Ivy Bridge era. But the open-source continuation of Enemy Territory saw its frame-rate more than halved with the mitigation. All of the other games tested saw very sizable hits to their frame-rates.
When taking the geometric mean of the i7-4790K results, the mitigated results for this new vulnerability saw the HD Graphics 4600 performance drop down to 58% of the performance prior to mitigating this single vulnerability.
But this is just the teaser data. Continue on for more details on not only the Core i7 4790K but also the Core i7 3770K, which we re-tested after being shocked at the CVE-2019-14615 mitigation hit for Gen7.