While not talked about as much as the Intel CPU security mitigations, the Intel graphics security mitigations have added up over time to the point that disabling them for Intel's GPU compute stack for OpenCL and Level Zero can yield a 20% performance boost. Ubuntu maker Canonical, in cooperation with Intel, is preparing to disable these security mitigations in the Ubuntu packages in order to recoup this lost performance.
I haven’t looked at the Intel graphics security mitigation costs as closely as those on the CPU side, but apparently the impact is now up to around 20%. Intel does allow building its GPU compute stack without these mitigations via the “NEO_DISABLE_MITIGATIONS” build option, and that is what Canonical is now looking to set for the Ubuntu packages to avoid the significant performance impact. This work will likely be addressed in time for Ubuntu 25.10. The NEO_DISABLE_MITIGATIONS option only applies to compiling the Intel Compute Runtime stack; it doesn’t affect the Linux kernel security mitigations or anything else outside of Intel’s “NEO” GPU compute stack. Both Intel and Canonical are in agreement with this move, and it turns out that even Intel’s own GitHub binary packages of the Compute Runtime for OpenCL and Level Zero ship with the mitigations disabled due to the performance impact.
This Ubuntu Launchpad bug report for the Intel Compute Runtime notes the key takeaways:
“* Users can expect up to 20% performance improvement
…
[ Where problems could occur ]
* As we are proposing to eliminate a vulnerability mitigation, there is the possibility that this would open up an unknown avenue for attack. To provide some confidence for this sizable risk, both Intel and Canonical security have signed off on this change, and Intel even distributes without these mitigations from their Compute Runtime Github repo without any known exploits.
* As with any change, this change could open up some other bug that was covered up by the mitigations. As with the previous point, we have some confidence because Intel already publishes without these mitigations.
* As we have mentioned that Intel already includes this change, it is appropriate to mention that Intel statically links their builds for Compute Runtime and has some differences in their Debian packaging, which means that we could have unknown behavioral differences between the archive version and the versions published in their Github repo.”
That Launchpad ticket also notes:
“After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level. At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.
Intel themselves have enabled this flag in their builds available on their Github release page upstream.”
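The Launchpad reasoning above leans on the kernel still carrying its Spectre mitigations, with the Compute Runtime build warning as the only notice for people on modified kernels. Anyone deploying a build with NEO_DISABLE_MITIGATIONS can verify that assumption directly, because the Linux kernel reports its per-vulnerability status under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example written for this article; it is not code from Intel, Canonical or the Compute Runtime project, and the function names are my own. It reads the kernel's spectre_v1 and spectre_v2 status files (the directory is a parameter so it can also be pointed at a copy) and fails if either is missing or reports "Vulnerable".

```shell
#!/bin/sh
# Added example: check that the kernel-level Spectre mitigations the
# Ubuntu/Intel discussion relies on are actually present on this host
# before running a Compute Runtime built with NEO_DISABLE_MITIGATIONS.
# Function names are hypothetical; the sysfs path is the kernel's real interface.

# Classify one kernel status string as mitigated, vulnerable or unknown.
# The kernel writes "Not affected", "Mitigation: ...", "Vulnerable..." or
# "Unknown..." into these files.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Check spectre_v1 and spectre_v2 under the given directory (default: the
# live sysfs tree). Returns 0 only if both report a mitigation; a missing
# file is treated as a failure, since that is what a custom kernel without
# the vulnerability reporting would look like.
check_spectre() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$v" ]; then
            echo "$v: status file missing (custom kernel?)"
            rc=1
            continue
        fi
        status=$(cat "$dir/$v")
        kind=$(classify_status "$status")
        echo "$v: $kind ($status)"
        [ "$kind" = "mitigated" ] || rc=1
    done
    return $rc
}

# Usage on a real system: check_spectre && echo "kernel mitigations present"
```

Wiring this into a deployment check or a CI job means the "mitigated in the kernel" premise is tested on the machine that will actually run the unmitigated compute stack, rather than assumed from the distribution default.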
There is this PPA where Ubuntu developers are currently testing their Compute Runtime builds with NEO_DISABLE_MITIGATIONS enabled.
I’ll be working on some benchmarks shortly, not having realized the mitigation impact for Intel graphics compute had reached the 20% range.