Open Andarwinux opened 3 weeks ago
These flags are used by default for other system binaries (including inbox conhost). It may be worth checking how much these flags cost us in performance and/or binary size and to enable them.
For what it's worth, we're building with the security configuration baseline established by Windows Undocked. The build system we're using enforces that baseline and does not seem to be signaling us as out-of-compliance.
I can't test ehcont, but cetcompat seems to be fine. I forced hardware-enforced stack protection for Windows Terminal via WD on tigerlake and znver4 and didn't notice any performance impact.
Description of the new feature/enhancement
Compile Windows Terminal with /guard:ehcont and link with /guard:ehcont /cetcompat
Proposed technical implementation details (optional)
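A way to confirm that a built binary actually carries the /cetcompat marking, added here as an example that is not part of the issue or of the Windows Terminal code base. It covers only /cetcompat (the CET-compatible bit in the extended DLL characteristics debug entry), and `is_cet_compat` and `build_sample` are names chosen for this sketch; the sample image is constructed and not loadable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001

def is_cet_compat(pe: bytes) -> bool:
    """True if the image carries the CET-compatible bit that /cetcompat sets."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return False
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    # The directory holds an RVA; map it to a file offset via the section table.
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            base = rva - va + rptr
            break
    else:
        return False
    for entry in range(base, base + size, 28):  # IMAGE_DEBUG_DIRECTORY is 28 bytes
        kind, data_size, _, data_ptr = struct.unpack_from("<IIII", pe, entry + 12)
        if kind == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and data_size >= 4:
            flags = struct.unpack_from("<I", pe, data_ptr)[0]
            return bool(flags & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return False

def build_sample(cet: bool) -> bytes:
    """Constructed, non-loadable PE32+ skeleton: headers, one section, one debug entry."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x44, 0x8664, 1, 240, 0x22)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", img, 0xC4, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0xF8, 0x1000, 28)                 # debug data directory
    struct.pack_into("<8sIIII", img, 0x148, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<12xIIII", img, 0x200, 20, 4, 0x1020, 0x220) # debug entry, type 20
    struct.pack_into("<I", img, 0x220, 1 if cet else 0)            # extended characteristics
    return bytes(img)
```

Against a real build output, pass the file's bytes to `is_cet_compat`; a `False` result means the loader will not treat the image as shadow-stack compatible.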