Red Hat Recommends Disabling The Intel Linux Graphics Driver Over Hardware Flaw

It's been another day testing and investigating CVE-2019-14615, a.k.a. the Intel graphics hardware issue where for Gen9 all turned out to be okay but for Gen7 graphics leads to some big performance hits. Besides the Core i7 tests published yesterday in the aforelinked article, tests on relevant Core i3 and i5 CPUs are currently being carried out for seeing the impact there (so far, it's looking to be equally brutal).

The contents of CVE-2019-14615 are still marked private, but the Red Hat Customer Portal has opened their guidance on this graphics flaw. Red Hat rates this CVE as having moderate impact. This Red Hat bug report does shed some more light onto the issue.

In particular, here is the explanation of how this vulnerability works based upon their information:

1 - Userspace creates a batchbuffer
2 - Batchbuffer sent to kernel via ioctl
3 - ioctl issues it as an "Execution Unit" for the hardware.
4 - The kernel schedules another process to run.
5- Another process (running as user) can access the previous Execution Unit results by re-using Execution Units results.

With interfacing with the kernel driver interfaces as opposed to finding some way to be nefarious through OpenGL/GLSL does at least make it sound like this exploit isn't possible through WebGL (as some have been concerned over due to Intel's lack of public information at the moment) but indeed would have to be local code run on the system directly. We're certainly learning more about this attack vector as details become available.

What's interesting about Red Hat's customer guidance is that they are recommending the disabling of Intel's kernel graphics driver (i915) as the mitigation to the issue. There's been the Gen9 patch already mainlined, Gen8 is protected by previous work, and the hard-hitting Gen7 is what's available in patch form. Yet they suggest blacklisting the Intel graphics kernel driver while acknowledging "the power management functionality of the card will be disabled and the system may draw additional power...This mitigation may not be suitable if the graphical login functionality is required."

By disabling the Intel kernel graphics driver you lose out on hardware acceleration entirely as well as kernel mode-setting, which generally means running at a very low VESA resolution and the other display kinks that generally come with that experience. Granted, Red Hat Enterprise Linux is largely used on servers where graphics aren't utilized but this would also lose out on any OpenCL support and yes generally cause a loss in power savings and not to mention hurt those running RHEL on workstations with Intel graphics. But due to the shared power envelope between the integrated graphics and CPU cores, losing out on the iGPU power management can mean potential performance implications on the CPU side.

We'll see if Red Hat's customer guidance is updated when the RHEL kernels back-port the Gen9 (and presumably Gen7) patches or if they continue to recommend disabling the i915 kernel module -- if there are more security implications than let on with going to the extent of disabling/blacklisting the driver rather than just recommending an immediate kernel upgrade.