From 6606d5c4141d970dab05e8667bff4fa965c6d79f Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia <Andres.AmayaGarcia@arm.com>
Date: Thu, 8 Mar 2018 20:25:29 +0000
Subject: [PATCH] Add config.h docs for MBEDTLS_UTILS_ZEROIZE_ALT

---
 include/mbedtls/config.h | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 8c35b86cd..7f0941fcf 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2856,7 +2856,20 @@
  * \def MBEDTLS_UTILS_ZEROIZE_ALT
  *
  * Uncomment the macro to let mbed TLS use your alternate implementation of
- * mbedtls_zeroize().
+ * mbedtls_zeroize(). This replaced the default implementation in utils.c.
+ *
+ * mbedtls_zeroize() is a widely used function across the library to zero a
+ * block of memory. The implementation is expected to be secure in the sense
+ * that it has been written to prevent the compiler from removing calls to
+ * mbedtls_zeroize() as part of redundant code elimination optimizations.
+ * However, it is difficult to guarantee that calls to mbedtls_zeroize() will
+ * not be optimized by the compiler as older versions of the C language
+ * standards do not provide a secure implementation of memset(). Therefore,
+ * MBEDTLS_UTILS_ZEROIZE_ALT enables users to configure their own
+ * implementation of mbedtls_zeroize(), for example by using directives
+ * specific to their compiler, features from the C standard (e.g using
+ * memset_s() in C11) or calling a secure memset() from their system (e.g
+ * explicit_bzero() in BSD).
  */
 //#define MBEDTLS_UTILS_ZEROIZE_ALT