Closed
Bug 1438601
Opened 7 years ago
Closed 1 year ago
Investigate PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON
Categories
(Core :: Security: Process Sandboxing, enhancement, P2)
Tracking
RESOLVED
WONTFIX
| | Tracking | Status |
|---|---|---|
| firefox60 | --- | wontfix |
People
(Reporter: tjr, Unassigned)
Attachments
(1 file)
59 bytes, text/x-review-board-request
PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON
This flag can be used by processes to protect against sibling hardware threads (hyperthreads) from interfering with indirect branch predictions. Processes that have sensitive information in their address space should consider enabling this flag to protect against attacks involving indirect branch prediction (such as CVE-2017-5715).
Reporter
Comment 1 • 7 years ago
This mitigation cannot be set via SetProcessMitigationPolicy. It has to be enabled at process creation time.
This flag can be specified on hardware that does not actually implement support for this feature. It will not result in an error if specified on hardware that does not support this feature. If/when other hardware supports this capability, the flag will automatically activate for that hardware.
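What Comment 1 describes, as an added example that is not part of the bug, Firefox or the Chromium sandbox: the flag goes in the second 64-bit word of the `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY` attribute handed to `CreateProcessW`. The helper names `build_policy` and `spawn_with_ibp_restriction` are hypothetical, the fallback `#define` assumes the value from winbase.h, and the code assumes a Windows version that accepts the two-word form of the attribute.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Fallback for SDKs that predate the flag (assumed value, as in winbase.h). */
#ifndef PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON
#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON (1ULL << 16)
#endif

/* Hypothetical helper. The attribute value is two 64-bit words: [0] carries the
   PROCESS_CREATION_MITIGATION_POLICY_* flags, [1] the ..._POLICY2_* flags. */
void build_policy(uint64_t policy[2], uint64_t base_flags) {
    policy[0] = base_flags;
    policy[1] = PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON;
}

#ifdef _WIN32
/* Hypothetical helper: start cmdline (writable buffer) with the mitigation on.
   Returns 1 on success, 0 on failure. */
int spawn_with_ibp_restriction(wchar_t *cmdline) {
    uint64_t policy[2];
    STARTUPINFOEXW si = {0};
    PROCESS_INFORMATION pi = {0};
    SIZE_T size = 0;
    int ok = 0;

    build_policy(policy, 0);
    si.StartupInfo.cb = sizeof(si);
    InitializeProcThreadAttributeList(NULL, 1, 0, &size); /* first call reports size */
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (!si.lpAttributeList) return 0;
    if (InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {
        /* The policy rides in the startup attributes, so it is fixed before the
           child runs; it is not applied later via SetProcessMitigationPolicy. */
        if (UpdateProcThreadAttribute(si.lpAttributeList, 0,
                PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                policy, sizeof(policy), NULL, NULL) &&
            CreateProcessW(NULL, cmdline, NULL, NULL, FALSE,
                EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            ok = 1;
        }
        DeleteProcThreadAttributeList(si.lpAttributeList);
    }
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return ok;
}
#endif
```

Outside Windows only `build_policy` is compiled; the process-creation path needs the Windows SDK.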
Updated • 7 years ago
Priority: -- → P2
Reporter
Comment 2 • 7 years ago
Here's a perfherder comparison: https://treeherder.mozilla.org/perf.html#/compare?originalProject=autoland&originalRevision=213725db126c51c7dd4af9b28b833254755ac0c6&newProject=try&newRevision=1e012826aedd143078c307c0557dae486c97dfdc&framework=1
Overall it's... inconsistent I suppose.
Comment hidden (mozreview-request)
Reporter
Comment 4 • 7 years ago
This is a new try run. https://treeherder.mozilla.org/#/jobs?repo=try&revision=2af25a40055c37cd896791ac83366ebce869a7d5
We're investigating whether the hardware had the appropriate patches.
Comment 5 • 7 years ago
BTW, this has recently been added to the chromium sandbox mitigations, so we could take that patch and use the normal sandbox policy to enable this.
Updated • 2 years ago
Severity: normal → S3
Reporter
Updated • 1 year ago
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
Updated•1 year ago