Simplify the relaxed output-output rule Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 352095ca865a4ff4478838a80ca5a678d8899634 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Fri Oct 13 19:56:22 2023 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Fri Oct 13 19:56:22 2023 +0200
tree: a6dcfd3b8797519588305c69bf9425f86c613865
parent: 60c453ee725311cacc0d25f7651d81ad57f9f620 [diff] [blame]
diff --git a/docs/architecture/psa-shared-memory.md b/docs/architecture/psa-shared-memory.md
index 61d37db..e71eed4 100644
--- a/docs/architecture/psa-shared-memory.md
+++ b/docs/architecture/psa-shared-memory.md

@@ -91,7 +91,8 @@
 
 * Never read the same input twice at the same index.
 * Never read back from an output.
-* Once potentially confidential data has been written to an output, it may not be overwritten. (This rule is more complex to allow writing non-confidential data first, for example to pre-initialize an output to zero for robustness.)
+* Never write to the output twice at the same index.
+    * This rule can usefully be relaxed in many circumstances. It is ok to write data that is independent of the inputs (and not otherwise confidential), then overwrite it. For example, it is ok to zero the output buffer before starting to process the input.
 
 These rules are very difficult to enforce.
commit	352095ca865a4ff4478838a80ca5a678d8899634	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Oct 13 19:56:22 2023 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Oct 13 19:56:22 2023 +0200
tree	a6dcfd3b8797519588305c69bf9425f86c613865
parent	60c453ee725311cacc0d25f7651d81ad57f9f620 [diff] [blame]