Set enable_cet_shadow_stack for Windows x64

This enables the CETCOMPAT linker flag for Windows marking binaries
as CET compatible. On supporting hardware this will cause Chrome to
run with Hardware Enforced Stack Protection for compatible modules.

CET will still be disabled for the renderer process as the feature
CetForRenderer is default-disabled.

x86 is not supported: build/config/compiler/BUILD.gn:2519

Tests: mini_installer on supporting hardware
Bug: 1131225
Change-Id: Ic5db6eca0acf4cdfb0eff0f624e4d4f4e5a7da50
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2602845
Reviewed-by: Dirk Pranke <dpranke@google.com>
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#845041}

build/config/compiler/compiler.gni

@@ -69,8 +69,8 @@ declare_args() {
   # Chrome's clang. crbug.com/1033839
   use_thin_lto = is_cfi || (is_official_build &&
                             (target_os == "android" ||
-                             ((is_chromeos_ash || is_chromeos_lacros)
-                              && is_chromeos_device)))
+                             ((is_chromeos_ash || is_chromeos_lacros) &&
+                              is_chromeos_device)))
 
   # If true, use Goma for ThinLTO code generation where applicable.
   use_goma_thin_lto = false
@@ -100,13 +100,12 @@ declare_args() {
   clang_diagnostic_dir =
       rebase_path("//tools/clang/crashreports", root_build_dir)
 
-  # Experimental option to mark binaries as compatible with Shadow
-  # Stack of Control-flow Enforcement Technology (CET). If Windows version
-  # and hardware supports the feature and it's enabled by OS then additional
-  # additional validation of return address will be performed as mitigation
-  # against Return-oriented programming (ROP).
+  # Mark binaries as compatible with Shadow Stack of Control-flow Enforcement
+  # Technology (CET). If Windows version and hardware supports the feature and
+  # it's enabled by OS then additional validation of return address will be
+  # performed as mitigation against Return-oriented programming (ROP).
   # https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md#cet-shadow-stack
-  enable_cet_shadow_stack = false
+  enable_cet_shadow_stack = target_cpu == "x64"
 }
 
 assert(!is_cfi || use_thin_lto, "CFI requires ThinLTO")

docs/design/sandbox.md

@@ -364,8 +364,8 @@ policies on the target process for enforcing security characteristics.
 
 #### CET Shadow Stack:
 
-* Only in Insider Builds of Windows 10 yet.
-* It's being evaluated and not enabled for any processes.  See
+* Available in Windows 10 2004 December Update.
+* Is not enabled in the renderer.  See
 [ticket](https://bugs.chromium.org/p/chromium/issues/detail?id=1136224),
 [MSDN](https://docs.microsoft.com/en-us/cpp/build/reference/cetcompat?view=vs-2019).