[crypto] Check if byte-copy was successful

After a byte-wise copy using randomized_bytecopy() use the function
consttime_memeq_byte() to check if copying the data was successful.
This is a FI mitigation.

Closes #28753.

Signed-off-by: Pascal Nasahl <[email protected]>

Author: nasahlpa

sw/device/lib/base/hardened_memory.c

@@ -257,14 +257,17 @@ status_t randomized_bytecopy(void *restrict dest, const void *restrict src,
     barrierw(byte_idx);
 
     uint8_t *src_byte_idx = (uint8_t *)launderw(src_addr + byte_idx);
-    // TODO(#8815) byte writes vs. word-wise integrity.
     uint8_t *dest_byte_idx = (uint8_t *)launderw(dest_addr + byte_idx);
 
     *(dest_byte_idx) = *(src_byte_idx);
   }
   RANDOM_ORDER_HARDENED_CHECK_DONE(order);
   HARDENED_CHECK_EQ(count, byte_len);
 
+  // Check if copying the data was successful.
+  HARDENED_CHECK_EQ(consttime_memeq_byte(dest, src, byte_len),
+                    kHardenedBoolTrue);
+
   return OTCRYPTO_OK;
 }
 

sw/device/lib/base/hardened_memory.h

@@ -146,7 +146,9 @@ status_t hardened_xor_in_place(uint32_t *OT_RESTRICT x,
  * Copy memory between non-overlapping regions with a randomized byte traversal.
  *
  * CAUTION! This function is not considered as secure as `hardened_memcpy` due
- * to the byte-sized memory accesses vs. 32b word accesses.
+ * to the byte-sized memory accesses vs. 32b word accesses. After copying the
+ * data, this function uses `consttime_memeq_byte()` to check if the data was
+ * copied correctly.
  *
  * @param dest the region to copy to.
  * @param src the region to copy from.