Lack of scratch page may result in lost data at power loss

[Wassasin]

During the exchange of pages a page may be lost at brownout because it only exists in RAM. This can happen during or shortly after this statement:

moonboot/src/boot/mod.rs

Lines 252 to 254 in efadc79

	self.internal_memory
	.write(a_location + offset, &page_b_buf)
	.map_err(|_| MemoryError::WriteFailure)?;

Fixing this would require an intermediate scratch page to write each page to, as well as an appropriate representation of this intermediate state in the State page.

[Wassasin]

This is referred to in

moonboot/TODO.md

Line 2 in efadc79

* Implement power-interrupt safe exchange operation with a temporary flash page sdtorage

[jhbruhn]

Yes, I can confirm this is a problem, which is why I didn't advertise the stateful exchange as a feature (yet).

The scratchpad would need to have a size of PAGE_SIZE. This would obviously reduce the usable size for the firmware, but IMO that is a very good tradeoff to make it an always included feature.

Could this be realised as part of the bootloader via some macro/linker magic, without modifying the linker script?

We could get into problems if this ever supports different memory devices (e.g. external flash/EEPROM). Where will the scratchpad be stored then?

[Wassasin]

See #2 for a proposal on how to get the bootloader power-interrupt safe. As for external flash, perhaps we should change internal_memory to be an abstraction over all types of memory, internal, external and RAM, and use a reference to Bank to make it select the right kind of memory.