PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY structure (winnt.h)

This data structure provides the status of process policies that are related to the mitigation of side channels. This can include side channel attacks involving speculative execution and page combining.

Syntax

typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY {
  union {
    DWORD Flags;
    struct {
      DWORD SmtBranchTargetIsolation : 1;
      DWORD IsolateSecurityDomain : 1;
      DWORD DisablePageCombine : 1;
      DWORD SpeculativeStoreBypassDisable : 1;
      DWORD RestrictCoreSharing : 1;
      DWORD ReservedFlags : 27;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;

Members

DUMMYUNIONNAME

DUMMYUNIONNAME.Flags

This member is reserved for system use.

DUMMYUNIONNAME.DUMMYSTRUCTNAME

DUMMYUNIONNAME.DUMMYSTRUCTNAME.SmtBranchTargetIsolation

If TRUE then, while this process is executing in user-mode, requests the application of hardware mitigations to prevent cross-SMT-thread branch target pollution.

If the hardware doesn't provide support for such a mitigation, or the mitigation has been disabled system-wide, then this policy has no effect.

To enable this policy after a process has started, you can call SetProcessMitigationPolicy. It can't be disabled once enabled.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.IsolateSecurityDomain

If TRUE, isolates this process into a distinct security domain, even from other processes running as the same security context. That prevents branch target injection cross-process.

Page-combining is limited to processes within the same security domain. This flag effectively limits the process to only combining internally to the process itself, except for common pages and unless further restricted by the DisablePageCombine policy.

To enable this policy after a process has started, you can call SetProcessMitigationPolicy. It can't be disabled once enabled.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.DisablePageCombine

If TRUE, disables all page-combining for this process, even internally to the process itself, except for common pages (pages of entirely 0s or entirely 1s).

To enable this policy after a process has started, you can call SetProcessMitigationPolicy. It can't be disabled once enabled.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.SpeculativeStoreBypassDisable

If TRUE then, while this process is executing in user-mode, and in order to mitigate intra-process SSB, requests that hardware mitigations for Speculative Store Bypass (SSB) be enabled.

If the hardware doesn't provide support for such a mitigation, or the mitigation has been disabled system-wide, then this policy has no effect.

To enable this policy after a process has started, you can call SetProcessMitigationPolicy. It can't be disabled once enabled.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.RestrictCoreSharing

If TRUE, the CPU scheduler prevents threads within this process from being scheduled to the same core as threads from another security domain.

This policy can't be enabled on systems where the scheduler is incapable of providing this guarantee. For example, this policy can't be enabled for processes in a virtual machine unless the hypervisor reports the absence of non-architectural core sharing.

To enable this policy after a process has started, you can call SetProcessMitigationPolicy. It can't be disabled once enabled.

DUMMYUNIONNAME.DUMMYSTRUCTNAME.ReservedFlags

This member is reserved for system use.

Requirements

Requirement Value
Header winnt.h