Closed Bug 1438601 Opened 7 years ago Closed 1 year ago

Investigate PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON

Categories

(Core :: Security: Process Sandboxing, enhancement, P2)

Tracking

RESOLVED WONTFIX
Tracking Status
firefox60 --- wontfix

People

(Reporter: tjr, Unassigned)

Attachments

(1 file)

PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON

This flag can be used by processes to protect against sibling hardware threads (hyperthreads) from interfering with indirect branch predictions. Processes that have sensitive information in their address space should consider enabling this flag to protect against attacks involving indirect branch prediction (such as CVE-2017-5715).
This mitigation cannot be set via SetProcessMitigationPolicy. It has to be enabled at process creation time. This flag can be specified on hardware that does not actually implement support for this feature. It will not result in an error if specified on hardware that does not support this feature. If/when other hardware supports this capability, the flag will automatically activate for that hardware.
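
The description above says the flag has to be supplied at process creation rather than through SetProcessMitigationPolicy. As an added example (not code from this bug, Firefox, or the Chromium sandbox), this C code passes it through `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY`; `build_mitigation_policy` and `spawn_restricted` are hypothetical names, and the fallback `#define` assumes the Windows SDK value for headers that lack the macro.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

#ifndef PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON
/* Assumption: fallback for headers that lack the macro; mirrors the Windows SDK value. */
#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON \
    ((uint64_t)0x1 << 16)
#endif

/* The attribute value is two 64-bit words: [0] holds POLICY flags, [1] holds POLICY2 flags. */
void build_mitigation_policy(uint64_t policy[2])
{
    policy[0] = 0;
    policy[1] = PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON;
}

#ifdef _WIN32
/* Hypothetical helper: start cmdline (must be writable) with the policy applied.
 * Returns ERROR_SUCCESS or the GetLastError() value of the call that failed. */
DWORD spawn_restricted(wchar_t *cmdline, PROCESS_INFORMATION *pi)
{
    uint64_t policy[2];            /* must outlive the attribute list */
    STARTUPINFOEXW si = { 0 };
    SIZE_T size = 0;
    DWORD err = ERROR_SUCCESS;

    build_mitigation_policy(policy);
    si.StartupInfo.cb = sizeof(si);
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);   /* first call only reports size */
    si.lpAttributeList = HeapAlloc(GetProcessHeap(), 0, size);
    if (!si.lpAttributeList)
        return ERROR_OUTOFMEMORY;
    if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {
        err = GetLastError();
        goto out_free;
    }
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0,
            PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, policy, sizeof(policy), NULL, NULL) ||
        !CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT,
            NULL, NULL, &si.StartupInfo, pi))
        err = GetLastError();
    DeleteProcThreadAttributeList(si.lpAttributeList);
out_free:
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return err;
}
#endif
```

The caller closes `pi->hProcess` and `pi->hThread`. Because the flag is accepted on hardware that does not implement the feature, a successful launch does not by itself show that the restriction is active.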
Priority: -- → P2
This is a new try run. https://treeherder.mozilla.org/#/jobs?repo=try&revision=2af25a40055c37cd896791ac83366ebce869a7d5 We're investigating whether the hardware had the appropriate patches.
BTW, this has recently been added to the chromium sandbox mitigations, so we could take that patch and use the normal sandbox policy to enable this.
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX