Conversation

@wtgodbe (Member) commented Sep 18, 2025

Fixes binskim alerts

Copilot AI review requested due to automatic review settings September 18, 2025 21:35

@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR enables Spectre mitigations for all ASP.NET Core Module (ANCM) binaries to address BinSkim security alerts. Spectre mitigations help protect against side-channel attacks by adding compiler-generated security hardening.

  • Adds the /Qspectre compiler flag to existing security options across all ANCM project files
  • Updates both individual project files and common build configuration
  • Maintains existing Control Flow Guard (/guard:cf) protections while adding Spectre mitigations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| OutOfProcessRequestHandler.vcxproj | Adds /Qspectre flag to out-of-process request handler compilation options |
| InProcessRequestHandler.vcxproj | Adds /Qspectre flag to in-process request handler compilation options |
| AspNetCore.vcxproj | Adds /Qspectre flag to main ASP.NET Core module compilation options |
| common.props | Adds /Qspectre flag to shared build settings for installer components |
| aspnetcoreCA.vcxproj | Adds /Qspectre flag to custom action compilation options |

@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Sep 18, 2025
@danmoseley (Member) commented:

From Liquid, seems there's a specific property for it:

For VC projects, you should use the SpectreMitigation property with the value Spectre. When using older MSVC versions, you can pass /d2guardspecload if your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre [1].

But I tried that in a vanilla C++ project and it didn't seem to work, so fine.

@danmoseley (Member) left a review comment

The BinSkim bugs only relate to aspnetcorev2.dll and its _outofprocess variant. Not sure all of these are needed, but it also seems reasonable to add to all.

@wtgodbe (Member, Author) commented Sep 18, 2025

For VC projects, you should use the SpectreMitigation property with the value Spectre

Couldn't hurt to add the property as well - I'll do that too
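The two mechanisms discussed in this thread side by side, as an added example rather than the PR's own diff: a minimal vcxproj fragment that sets the SpectreMitigation configuration property and also passes /Qspectre next to the existing /guard:cf in the compiler's AdditionalOptions. The project shape (a DynamicLibrary configuration) is constructed for illustration, not taken from the ANCM project files.

```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- Constructed example; not from dotnet/aspnetcore. -->
  <PropertyGroup Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
    <!-- MSBuild property equivalent of /Qspectre. Also switches the link to the
         Spectre-mitigated CRT libraries, so that toolset component must be installed. -->
    <SpectreMitigation>Spectre</SpectreMitigation>
  </PropertyGroup>

  <ItemDefinitionGroup>
    <ClCompile>
      <!-- Explicit compiler flag as added in the PR, kept alongside the existing
           Control Flow Guard option. Redundant with the property, but harmless. -->
      <AdditionalOptions>/Qspectre /guard:cf %(AdditionalOptions)</AdditionalOptions>
    </ClCompile>
    <Link>
      <!-- /guard:cf must also reach the linker for CFG checks to be emitted. -->
      <AdditionalOptions>/guard:cf %(AdditionalOptions)</AdditionalOptions>
    </Link>
  </ItemDefinitionGroup>
</Project>
```

The property fails the build if the Spectre-mitigated libraries are not installed for the selected toolset, whereas the bare /Qspectre flag only affects code compiled in the project; keeping both, as the thread settles on, covers the project's own objects either way.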

@wtgodbe (Member, Author) commented Sep 18, 2025

/backport to release/10.0

@wtgodbe wtgodbe enabled auto-merge (squash) September 18, 2025 23:10
Started backporting to release/10.0: https://github.com/dotnet/aspnetcore/actions/runs/17843652108

@wtgodbe wtgodbe merged commit 2c2bb66 into main Sep 18, 2025
30 checks passed
@wtgodbe wtgodbe deleted the wtgodbe/Spectre branch September 18, 2025 23:12
@dotnet-policy-service dotnet-policy-service bot added this to the 11.0-preview1 milestone Sep 18, 2025