Ubuntu Disables Intel GPU Security Mitigations for Up to 20% Graphics Performance Boost

Recent discussions surrounding Intel’s security mitigations for its graphics solutions have raised significant interest, as it appears that these measures are adversely affecting graphics performance on Ubuntu systems. This has prompted talk of their potential removal.

Improvements on the Horizon: Canonical and Intel’s Collaboration

With the emergence of critical vulnerabilities like Spectre and Meltdown, Intel implemented numerous security mitigations for its CPUs to protect users against potential data breaches. Although these microcode updates primarily focused on processors, similar protections were extended to the Intel graphics stack as a precautionary measure.

Interestingly, there have been no documented attacks targeting Intel integrated graphics processors (iGPUs) to date. Nevertheless, Canonical, the parent company of the Ubuntu operating system, found that these security measures have inadvertently led to a performance hit. According to Phoronix, Canonical and Intel are actively collaborating to strip away these security mitigations, which are deemed unnecessary for the Intel graphics stack. The anticipated outcome is a notable performance boost of up to 20%.

A bug report submitted to Launchpad indicates that users of Ubuntu could realize a 20% performance enhancement through these updates, expected to be integrated in version 25.10. The process to disable these mitigations in future Ubuntu packages will utilize the NEO_DISABLE_MITIGATIONS build. Given that Intel is already distributing its Intel Compute Runtime builds from GitHub with these mitigations turned off, it is reasonable to anticipate a smooth transition for Ubuntu users.

After discussions between Intel and Canonical’s security teams, we agree that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. Spectre has been sufficiently addressed in the kernel, and a clear warning from the Compute Runtime build will inform those using modified kernels without necessary patches. Therefore, we conclude that the Spectre mitigations in Compute Runtime do not provide enough security advantage to justify the current performance tradeoff.

While these updates are promising, they do raise concerns about potentially leaving systems vulnerable to unknown attack vectors. However, the formal approval from both Intel and Canonical instills a level of confidence. Their review indicates that they have vetted these changes and are moving forward, signalling to both users and developers that operating Ubuntu without these security mitigations is acceptable.

For further details, you can explore the information provided in this Source & Images.