You copied the Doc URL to your clipboard.

CSDB

Consumption of Speculative Data Barrier.

Syntax

CSDB{c}{q} ; A32

CSDB{c}.W ; T32

Where:

q
Is an optional instruction width specifier. See Instruction width specifiers.
c
Is an optional condition code. See Chapter 7 Condition Codes.

Usage

Consumption of Speculative Data Barrier is a memory barrier that controls Speculative execution and data value prediction. Arm® Compiler supports the mitigation of the Variant 1 mechanism that is described in the whitepaper at Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism.

The CSDB instruction allows Speculative execution of:

  • Branch instructions.
  • Instructions that write to the PC.
  • Instructions that are not a result of data value predictions.
  • Instructions that are the result of PSTATE.{N,Z,C,V} predictions from conditional branch instructions or from conditional instructions that write to the PC.

The CSDB instruction prevents Speculative execution of:

  • Non-branch instructions.
  • Instructions that do not write to the PC.
  • Instructions that are the result of data value predictions.
  • Instructions that are the result of PSTATE.{N,Z,C,V} predictions from instructions other than conditional branch instructions and conditional instructions that write to the PC.

constrained unpredictable behavior

For conditional CSDB instructions that specify a condition {c} other than AL in A32, and for any condition {c} used inside an IT block in T32, then Arm Compiler does the following:

  • The armasm legacy assembler rejects conditional CSDB instructions, outputs an error message, and aborts. For example:

    • For A32 code:
      "test2.s", line 4: Error: A1895E: The specified condition results in UNPREDICTABLE behaviour
          4 00000000   CSDBEQ
    • For T32 code:
      "test2.s", line 8: Error: A1603E: This instruction inside IT block has UNPREDICTABLE results
          8 00000006   CSDBEQ

    You can relax this behavior by using:

    • The --diag-suppress=1895 option for A32 code.
    • The --diag-suppress=1603 option for T32 code.

    You can also use the --unsafe option with these options. However, this option disables many correctness checks.

  • The armclang integrated assembler rejects conditional CSDB instructions, outputs an error message, and aborts. For example:

    <stdin>:10:7: error: instruction 'csdb' is not predicable, but condition code specified
      csdbeq
          ^

    The same error is output for both A32 and T32.

Note

For more information about the constrained unpredictable behavior, see Architectural Constraints on UNPREDICTABLE behaviors in the Arm® Architecture Reference Manual Arm®v8, for Arm®v8‑A architecture profile.

Examples

The following example shows a code sequence that could result in the processor loading data from an untrusted location that is provided by a user as the result of Speculative execution of instructions:

    CMP R0, R1
    BGE out_of_range
    LDRB R4, [R5, R0]  ; load data from list A
                       ; speculative execution of this instruction
                       ; must be prevented
    AND R4, R4, #1
    LSL R4, R4, #8
    ADD R4, R4, #0x200
    CMP R4, R6
    BGE out_of_range
    LDRB R7, [R8, R4]  ; load data from list B
out_of_range

In this example:

  • There are two list objects A and B.
  • A contains a list of values that are used to calculate offsets from which data can be loaded from B.
  • R1 is the length of A.
  • R5 is the base address of A.
  • R6 is the length of B.
  • R8 is the base address of B.
  • R0 is an untrusted offset that is provided by a user, and is used to load an element from A.

When R0 is greater-than or equal-to the length of A, it is outside the address range of A. Therefore, the first branch instruction BGE out_of_range is taken, and instructions LDRB R4, [R5, R0] through LDRB R7, [R8, R4] are skipped.

Without a CSDB instruction, these skipped instructions can still be speculatively executed, and could result in:

  • If R0 is maliciously set to an incorrect value, then data can be loaded into R4 from an address outside the address range of A.
  • Data can be loaded into R7 from an address outside the address range of B.

To mitigate against these untrusted accesses, add a pair of MOVGE and CSDB instructions between the BGE out_of_range and LDRB R4, [R5, R0] instructions as follows:

    CMP R0, R1
    BGE out_of_range

    MOVGE R0, #0      ; conditonally clears the untrusted
                      ; offset provided by the user so that
                      ; it cannot affect any other code

    CSDB              ; new barrier instruction

    LDRB R4, [R5, R0] ; load data from list A
                      ; speculative execution of this instruction
                      ; is prevented
    AND R4, R4, #1
    LSL R4, R4, #8
    ADD R4, R4, #0x200
    CMP R4, R6
    BGE out_of_range
    LDRB R7, [R8, R4] ; load data from list B
out_of_range
Was this page helpful? Yes No