[sw] Harden the new boot_data_write

In addition to using hardened functions for control flow integrity, this
change updates `boot_data_write` to write each entry twice per page
(at index 0 and 1). This redundancy ensures that the boot data can
survive some types of persistent bit corruption.

Change-Id: I548174aba322da3b5bf7c568fbde5abc032e81c0
Signed-off-by: Yi-Hsuan Deng <yhdeng@google.com>

Author: sasdf

sw/device/silicon_creator/lib/boot_data.c

@@ -657,7 +657,8 @@ rom_error_t boot_data_write(const boot_data_t *boot_data) {
   // Find the active page and the next counter.
   active_page_info_t active_page;
   boot_data_t last_entry;
-  RETURN_IF_ERROR(boot_data_active_page_find(&active_page, &last_entry));
+  HARDENED_RETURN_IF_ERROR(
+      boot_data_active_page_find(&active_page, &last_entry));
   if (active_page.has_valid_entry == kHardenedBoolTrue) {
     // Counters are rounded to the next even value to ensure wraparound happens
     // on both pages.
@@ -667,15 +668,21 @@ rom_error_t boot_data_write(const boot_data_t *boot_data) {
   // Write to the inactive page first, and then active page.
   // If both pages are invalid, write the page0 first.
   int inactive_idx = active_page.page == kPages[0];
-
   boot_data_digest_compute(&new_entry, &new_entry.digest);
+  // NE also covers the NULL case when both pages are invalid.
+  HARDENED_CHECK_NE(active_page.page, kPages[inactive_idx]);
   RETURN_IF_ERROR(boot_data_entry_write(kPages[inactive_idx], 0, &new_entry,
                                         /*erase=*/kHardenedBoolTrue));
+  HARDENED_RETURN_IF_ERROR(boot_data_entry_write(
+      kPages[inactive_idx], 1, &new_entry, /*erase=*/kHardenedBoolFalse));
 
+  inactive_idx = !inactive_idx;
   new_entry.counter += 1;
   boot_data_digest_compute(&new_entry, &new_entry.digest);
-  return boot_data_entry_write(kPages[!inactive_idx], 0, &new_entry,
-                               /*erase=*/kHardenedBoolTrue);
+  RETURN_IF_ERROR(boot_data_entry_write(kPages[inactive_idx], 0, &new_entry,
+                                        /*erase=*/kHardenedBoolTrue));
+  return boot_data_entry_write(kPages[inactive_idx], 1, &new_entry,
+                               /*erase=*/kHardenedBoolFalse);
 }
 
 /**

sw/device/silicon_creator/lib/boot_data_functest.c

@@ -354,10 +354,14 @@ rom_error_t write_empty_test(void) {
   boot_data_t boot_data;
   read_boot_data(kPages[0], 0, &boot_data);
   RETURN_IF_ERROR(compare_boot_data(&kTestBootData, &boot_data));
+  read_boot_data(kPages[0], 1, &boot_data);
+  RETURN_IF_ERROR(compare_boot_data(&kTestBootData, &boot_data));
   LOG_INFO("Page 0 OK");
 
   read_boot_data(kPages[1], 0, &boot_data);
   RETURN_IF_ERROR(compare_boot_data(&kTestBootDataDual, &boot_data));
+  read_boot_data(kPages[1], 1, &boot_data);
+  RETURN_IF_ERROR(compare_boot_data(&kTestBootDataDual, &boot_data));
   LOG_INFO("Page 1 OK");
 
   RETURN_IF_ERROR(boot_data_read(kLcStateProd, &boot_data));