Disabling Intel Graphics Security Mitigation Boosts GPU Compute Performance 20%

by rcarmo on 6/23/25, 7:01 AM with 18 comments

by phoronixrly on 6/23/25, 8:47 AM

Source if you wish to skip the clickbait, blogspam and toxic comments: https://bugs.launchpad.net/ubuntu/+source/intel-compute-runt...

I also propose the title here be changed to 'Security mitigations in intel-compute-runtime no longer needed, disabling brings 20% boost' because as it currently is it misleads that Canonical is reopening the Spectre vulnerability in the GPU for performance's sake. It's not. While there, I'd say update the link to point to the source.

Relevant quote:

> After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel...

by rurban on 6/23/25, 7:55 AM

And re-enables CVE-2019-0155?

Intel researchers discovered that Intel graphics processors allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and exposed kernel memory information, resulting in possible privilege escalation and information disclosure vulnerabilities. A local user could use this issue to escalate their privileges on the local machine.

It's i915.mitigations

by gotoeleven on 6/23/25, 12:10 PM

A question for people who are security experts: do you think the model of a computer having limited users and privileged users, with a user gaining privileged access being a massive security problem, is really tenable? The CPU/GPU are shared resources on a machine and isolating the work they do by user is quite difficult.

Would it really be infeasible to simply design compute systems under the assumption that all users can get root access? Most of these vulnerabilities can be mitigated for free by not giving any access to users you wouldn't mind having root access.

by pabs3 on 6/23/25, 3:27 PM

Wonder if it would be possible to enable them at runtime instead, based on whether the current Linux kernel boot has mitigated them or not.

by CjHuber on 6/23/25, 8:37 AM

Is it not a known fact that these mitigations cause a significant performance drop? I have never heard anyone assuming otherwise.

by Rakshith on 6/23/25, 12:46 PM

How do we disable it?