[Windows Sandbox] Add restrict_indirect_branch_prediction support.
-Add sandbox support for new process mitigation RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON. -Supported on >= Win10 RS3/1709/16299, with Jan 2018 security updates, and based on underlying device hardware/OEM support. E.g. Intel STIBP -This CL also (finally) includes an update to the ConvertProcessMitigationsToPolicy() API. MS ran out of bits in the DWORD64 for process mitigation flags, so related APIs can now take in a two-element array of DWORD64s. The second element is for "*POLICY2*" mitigation flags (defined in WinBase.h). **Any downstream users of this sandbox API will need to update their code to always pass in a two-element array now. |size| returned will be adjusted appropriately to be directly passed into UpdateProcThreadAttribute(), for PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY. Bug=808526 Test=sbox_integration_tests.exe Change-Id: I9c5a0350d9b77f56a4a18be49d68fff039b11e54 Reviewed-on: https://chromium-review.googlesource.com/922797 Commit-Queue: Penny MacNeil <pennymac@chromium.org> Reviewed-by:Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#540380}
Showing
This diff is collapsed.
Please register or sign in to comment