You copied the Doc URL to your clipboard.

CSDB

Consumption of Speculative Data Barrier.

Syntax

CSDB{c}{q} ; A32

CSDB{c}.W ; T32

Where:

q
Is an optional instruction width specifier. See Instruction width specifiers.
c
Is an optional condition code. See Condition Codes.

Usage

Consumption of Speculative Data Barrier is a memory barrier that controls Speculative execution and data value prediction. Arm® Compiler supports the mitigation of the Variant 1 mechanism that is described in the whitepaper at Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism.

The CSDB instruction allows Speculative execution of:

  • Branch instructions.
  • Instructions that write to the PC.
  • Instructions that are not a result of data value predictions.
  • Instructions that are the result of PSTATE.{N,Z,C,V} predictions from conditional branch instructions or from conditional instructions that write to the PC.

The CSDB instruction prevents Speculative execution of:

  • Non-branch instructions.
  • Instructions that do not write to the PC.
  • Instructions that are the result of data value predictions.
  • Instructions that are the result of PSTATE.{N,Z,C,V} predictions from instructions other than conditional branch instructions and conditional instructions that write to the PC.

constrained unpredictable behavior

For conditional CSDB instructions that specify a condition {c} other than AL in A32, and for any condition {c} used inside an IT block in T32, then how the instructions are rejected depends on your assembler implementation. See your assembler documentation for details.

Note

For more information about the constrained unpredictable behavior, see Architectural Constraints on UNPREDICTABLE behaviors in the Arm® Architecture Reference Manual Arm®v8, for Arm®v8‑A architecture profile.

Examples

The following example shows a code sequence that could result in the processor loading data from an untrusted location that is provided by a user as the result of Speculative execution of instructions:

    CMP R0, R1
    BGE out_of_range
    LDRB R4, [R5, R0]  ; load data from list A
                       ; speculative execution of this instruction
                       ; must be prevented
    AND R4, R4, #1
    LSL R4, R4, #8
    ADD R4, R4, #0x200
    CMP R4, R6
    BGE out_of_range
    LDRB R7, [R8, R4]  ; load data from list B
out_of_range

In this example:

  • There are two list objects A and B.
  • A contains a list of values that are used to calculate offsets from which data can be loaded from B.
  • R1 is the length of A.
  • R5 is the base address of A.
  • R6 is the length of B.
  • R8 is the base address of B.
  • R0 is an untrusted offset that is provided by a user, and is used to load an element from A.

When R0 is greater-than or equal-to the length of A, it is outside the address range of A. Therefore, the first branch instruction BGE out_of_range is taken, and instructions LDRB R4, [R5, R0] through LDRB R7, [R8, R4] are skipped.

Without a CSDB instruction, these skipped instructions can still be speculatively executed, and could result in:

  • If R0 is maliciously set to an incorrect value, then data can be loaded into R4 from an address outside the address range of A.
  • Data can be loaded into R7 from an address outside the address range of B.

To mitigate against these untrusted accesses, add a pair of MOVGE and CSDB instructions between the BGE out_of_range and LDRB R4, [R5, R0] instructions as follows:

    CMP R0, R1
    BGE out_of_range

    MOVGE R0, #0      ; conditonally clears the untrusted
                      ; offset provided by the user so that
                      ; it cannot affect any other code

    CSDB              ; new barrier instruction

    LDRB R4, [R5, R0] ; load data from list A
                      ; speculative execution of this instruction
                      ; is prevented
    AND R4, R4, #1
    LSL R4, R4, #8
    ADD R4, R4, #0x200
    CMP R4, R6
    BGE out_of_range
    LDRB R7, [R8, R4] ; load data from list B
out_of_range