Ubuntu has decided that its intel-compute-runtime package will now be built with the NEO_DISABLE_MITIGATIONS flag by default, which disables the runtime's own protection against Spectre-class attacks. Ubuntu developers noted that leaving this protection enabled costs roughly 20% in performance.
The intel-compute-runtime package contains the components needed to use OpenCL and Intel's oneAPI Level Zero on systems with Intel GPUs. When the package's libraries are compiled, enabling the NEO_DISABLE_MITIGATIONS flag drops the compile options "-mretpoline -mindirect-branch=thunk -mfunction-return=thunk -mindirect-branch-register", which add Spectre protection to indirect branches and returns in the host-side code. These options have no effect on OpenCL kernels running on the GPU; their cost is the extra overhead in the host code that implements the API calls, and removing them eliminates that overhead.
After discussions between Intel and Canonical engineers about security measures, it was concluded that the Spectre mitigation implemented in the Compute Runtime is no longer necessary, since adequate protection is already provided at the kernel level. The runtime's own Spectre protection mainly benefits users who lack proper kernel-level protection, and that benefit does not outweigh the observed performance loss. Therefore, Intel Graphics Compute Runtime releases will now be distributed with NEO_DISABLE_MITIGATIONS enabled by default, turning this defense off.
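The decision rests on the kernel already mitigating Spectre v2, so an administrator deploying the new build will want to confirm that premise on each host, and to be able to tell a retpoline build of the runtime from one built with NEO_DISABLE_MITIGATIONS. The script below is an added example, not code from the article, Ubuntu or Intel. It assumes Linux on x86-64 with the sysfs vulnerability interface present; the binary check assumes objdump from binutils is installed and relies on a heuristic (a retpoline thunk traps speculation with a "pause" immediately followed by "lfence"), which works on stripped libraries because it inspects instructions rather than symbol names. The LIB variable is a hypothetical placeholder for the path of the runtime's shared object.

```shell
#!/bin/sh
# Added example: checks the kernel's Spectre v2 status and whether a shared object
# was built with retpolines. Not part of the article or the intel-compute-runtime project.

# Classify the kernel's Spectre v2 status line. Argument: path to the sysfs file
# (defaults to the real one, so a constructed file can be used for testing).
# Prints one of: mitigated | vulnerable | not-affected | unknown
spectre_v2_status() {
    file="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    [ -r "$file" ] || { echo unknown; return 0; }
    line=$(cat "$file")
    case "$line" in
        "Not affected"*)  echo not-affected ;;
        Mitigation:*)     echo mitigated ;;
        Vulnerable*)      echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# Count retpoline speculation traps in disassembly text read from stdin:
# a line containing "pause" directly followed by a line containing "lfence".
# A runtime built with the retpoline compile options has many; a build made with
# NEO_DISABLE_MITIGATIONS=ON is expected to have none (heuristic, not proof).
count_retpoline_traps() {
    awk '/pause/ {p=1; next} /lfence/ && p {n++} {p=0} END {print n+0}'
}

# Run the heuristic over a shared object; requires objdump (binutils).
retpoline_traps_in() {
    command -v objdump >/dev/null 2>&1 || { echo "objdump not found" >&2; return 2; }
    objdump -d --no-show-raw-insn "$1" | count_retpoline_traps
}

# Usage: report the kernel-level status, and inspect the runtime library if
# LIB is set (placeholder; point it at the installed compute runtime .so).
echo "kernel spectre_v2: $(spectre_v2_status)"
if [ -n "${LIB:-}" ]; then
    echo "retpoline traps in $LIB: $(retpoline_traps_in "$LIB")"
fi
```

If the kernel reports "vulnerable" (for example, mitigations turned off on the kernel command line), the assumption behind disabling the runtime's own retpolines does not hold on that host, and the trade-off in the article should be revisited there rather than accepted by default.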