From ac3cf7c20b7df97293de6f1286e1dce4e181ef58 Mon Sep 17 00:00:00 2001
From: Dave Rodgman
Date: Thu, 31 Aug 2023 15:19:38 +0100
Subject: [PATCH] Add more protection to mbedtls_platform_zeroize

Signed-off-by: Dave Rodgman
---
 library/platform_util.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/library/platform_util.c b/library/platform_util.c
index 63b7c4152e..d4574f459e 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -125,6 +125,15 @@ void mbedtls_platform_zeroize(void *buf, size_t len)
 SecureZeroMemory(buf, len);
 #else
 memset_func(buf, 0, len);
+#endif
+
+#if defined(__GNUC__)
+ /* For clang and gcc, pretend that we have some assembly that reads the
+ * zero'd memory as an additional protection against being optimised away. */
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wvla"
+ asm volatile ("" : : "m" (*(char (*)[len]) buf) : );
+#pragma clang diagnostic pop
 #endif
 }
 }
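Review bot: The three `#pragma clang diagnostic` lines sit under `#if defined(__GNUC__)`, which GCC itself also satisfies, so on GCC they are unknown pragmas (reported by `-Wunknown-pragmas`, part of `-Wall`). Any `-Wvla` diagnostic for the `char (*)[len]` cast would probably stay unsuppressed there too, which can fail a `-Werror` build of this security-critical function. Since clang also honours the GCC spelling, the pragmas could read `#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wvla"` and `#pragma GCC diagnostic pop`. The variably modified type is only well defined for `len > 0`. The enclosing block opens outside the hunk, so that guarantee cannot be confirmed from here and is worth stating in the comment above the `asm`.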