| commit | 7c8b181a013779b0f30d40580e4b00be63d1e91e | [log] [tgz] |
|---|---|---|
| author | Jerome Forissier <jerome.forissier@linaro.org> | Mon Feb 25 15:13:39 2019 +0100 |
| committer | Jérôme Forissier <jerome.forissier@linaro.org> | Mon May 13 15:58:03 2019 +0200 |
| tree | 7ad84435d96c70f0cf508f907456c35791803f69 | |
| parent | 70b613102ce72808f6a0ad9f6f97f0545fd6ad02 [diff] | |
libutils: add memzero_explicit()

Adds a new function: memzero_explicit(s, count) which is equivalent to memset(s, 0, count) except that it cannot be optimized away by the compiler.

memset() being a built-in function, the compiler is free to perform optimizations such as simply discarding a call when it considers that the call cannot have any observable effect from the program's point of view. A typical example is clearing local data before returning from a function. memset() is likely to have no effect in this case while memzero_explicit() will work as expected.

Calling memset() directly from memzero_explicit() would work as long as link time optimization (LTO) is not applied. With LTO however, the compiler could inline the call to memzero_explicit() and find out that dead store optimization applies. In order to avoid that, we use a method mentioned in [1] which consists in using a volatile function pointer. This method is considered "effective in practice" with all the commonly used compilers.

Link: [1] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-yang.pdf
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
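The volatile-function-pointer method the commit message describes, as an added C illustration (not the commit's own code): memzero_explicit() calls memset() only through a volatile pointer, a hypothetical derive_tag() uses it to scrub a stack scratch buffer before returning, and zero_check() verifies the result on a constructed buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Call memset() only through a volatile function pointer: the compiler
 * cannot see a plain memset() at the call site, so it cannot treat the
 * stores as dead, even when memzero_explicit() is inlined under LTO. */
static void *(*volatile memset_func)(void *, int, size_t) = memset;

void memzero_explicit(void *s, size_t count)
{
	memset_func(s, 0, count);
}

/* Hypothetical helper (constructed for this example): copies a secret into
 * a stack scratch buffer, derives a tag and scrubs the scratch. This is the
 * "clear local data before returning" case: a plain memset() here may be
 * dropped as a dead store because the buffer dies at the return. */
uint32_t derive_tag(const uint8_t *secret, size_t len)
{
	uint8_t scratch[64];
	uint32_t tag = 0;

	if (len > sizeof(scratch))
		len = sizeof(scratch);
	memcpy(scratch, secret, len);
	for (size_t i = 0; i < len; i++)
		tag = (tag * 31u) ^ scratch[i]; /* stand-in for a real derivation */
	memzero_explicit(scratch, sizeof(scratch));
	return tag;
}

/* Runs derive_tag() on a constructed 3-byte secret {1, 2, 3}. */
uint32_t derive_tag_demo(void)
{
	static const uint8_t secret[3] = { 1, 2, 3 };
	return derive_tag(secret, sizeof(secret));
}

/* Fills a 32-byte buffer with 0xAA, zeroes its first `count` bytes and
 * returns how many non-zero bytes remain (the untouched tail). */
size_t zero_check(size_t count)
{
	uint8_t buf[32];
	size_t nonzero = 0;
	memset(buf, 0xAA, sizeof(buf));
	memzero_explicit(buf, count > sizeof(buf) ? sizeof(buf) : count);
	for (size_t i = 0; i < sizeof(buf); i++)
		nonzero += buf[i] != 0;
	return nonzero;
}
```

Whether the clearing survives can be confirmed by inspecting the compiled object (for example with objdump) at -O2 with and without LTO: the stores remain because the callee is only known at run time.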
This git contains source code for the secure side implementation of OP-TEE project.
All official OP-TEE documentation has moved to http://optee.readthedocs.io.
// OP-TEE core maintainers