diff --git a/common/protob/messages-management.proto b/common/protob/messages-management.proto
index aa15c8f13..ae19c4c67 100644
--- a/common/protob/messages-management.proto
+++ b/common/protob/messages-management.proto
@@ -234,6 +234,24 @@ message Entropy {
     required bytes entropy = 1;     // chunk of random generated bytes
 }
 
+/**
+ * Request: Get a hash of the installed firmware combined with an optional challenge.
+ * @start
+ * @next FirmwareHash
+ * @next Failure
+ */
+message GetFirmwareHash {
+    optional bytes challenge = 1;   // Blake2s key up to 32 bytes in length.
+}
+
+/**
+ * Response: Hash of the installed firmware combined with the optional challenge.
+ * @end
+ */
+message FirmwareHash {
+    required bytes hash = 1;
+}
+
 /**
  * Request: Request device to wipe all sensitive data and settings
  * @start
diff --git a/common/protob/messages.proto b/common/protob/messages.proto
index 218c574cf..a8967c01b 100644
--- a/common/protob/messages.proto
+++ b/common/protob/messages.proto
@@ -114,6 +114,8 @@ enum MessageType {
     MessageType_PreauthorizedRequest = 85 [(bitcoin_only) = true, (wire_out) = true];
     MessageType_CancelAuthorization = 86 [(bitcoin_only) = true, (wire_in) = true];
     MessageType_RebootToBootloader = 87 [(bitcoin_only) = true, (wire_in) = true];
+    MessageType_GetFirmwareHash = 88 [(bitcoin_only) = true, (wire_in) = true];
+    MessageType_FirmwareHash = 89 [(bitcoin_only) = true, (wire_out) = true];
 
     MessageType_SetU2FCounter = 63 [(wire_in) = true];
     MessageType_GetNextU2FCounter = 80 [(wire_in) = true];
diff --git a/core/src/trezor/enums/MessageType.py b/core/src/trezor/enums/MessageType.py
index cf07ccfd0..4509699f7 100644
--- a/core/src/trezor/enums/MessageType.py
+++ b/core/src/trezor/enums/MessageType.py
@@ -41,6 +41,8 @@ DoPreauthorized = 84
 PreauthorizedRequest = 85
 CancelAuthorization = 86
 RebootToBootloader = 87
+GetFirmwareHash = 88
+FirmwareHash = 89
 FirmwareErase = 6
 FirmwareUpload = 7
 FirmwareRequest = 8
diff --git a/core/src/trezor/enums/__init__.py b/core/src/trezor/enums/__init__.py
index ea26eded6..bc7bc8e0b 100644
--- a/core/src/trezor/enums/__init__.py
+++ b/core/src/trezor/enums/__init__.py
@@ -58,6 +58,8 @@ if TYPE_CHECKING:
         PreauthorizedRequest = 85
         CancelAuthorization = 86
         RebootToBootloader = 87
+        GetFirmwareHash = 88
+        FirmwareHash = 89
         SetU2FCounter = 63
         GetNextU2FCounter = 80
         NextU2FCounter = 81
diff --git a/core/src/trezor/messages.py b/core/src/trezor/messages.py
index 4b5f3d050..08b5cdba8 100644
--- a/core/src/trezor/messages.py
+++ b/core/src/trezor/messages.py
@@ -2190,6 +2190,34 @@ if TYPE_CHECKING:
         def is_type_of(cls, msg: protobuf.MessageType) -> TypeGuard["Entropy"]:
             return isinstance(msg, cls)
 
+    class GetFirmwareHash(protobuf.MessageType):
+        challenge: "bytes | None"
+
+        def __init__(
+            self,
+            *,
+            challenge: "bytes | None" = None,
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: protobuf.MessageType) -> TypeGuard["GetFirmwareHash"]:
+            return isinstance(msg, cls)
+
+    class FirmwareHash(protobuf.MessageType):
+        hash: "bytes"
+
+        def __init__(
+            self,
+            *,
+            hash: "bytes",
+        ) -> None:
+            pass
+
+        @classmethod
+        def is_type_of(cls, msg: protobuf.MessageType) -> TypeGuard["FirmwareHash"]:
+            return isinstance(msg, cls)
+
     class WipeDevice(protobuf.MessageType):
 
         @classmethod
diff --git a/python/src/trezorlib/messages.py b/python/src/trezorlib/messages.py
index 6f44b425f..a2e8660f7 100644
--- a/python/src/trezorlib/messages.py
+++ b/python/src/trezorlib/messages.py
@@ -66,6 +66,8 @@ class MessageType(IntEnum):
     PreauthorizedRequest = 85
     CancelAuthorization = 86
     RebootToBootloader = 87
+    GetFirmwareHash = 88
+    FirmwareHash = 89
     SetU2FCounter = 63
     GetNextU2FCounter = 80
     NextU2FCounter = 81
@@ -3487,6 +3489,34 @@ class Entropy(protobuf.MessageType):
         self.entropy = entropy
 
 
+class GetFirmwareHash(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 88
+    FIELDS = {
+        1: protobuf.Field("challenge", "bytes", repeated=False, required=False),
+    }
+
+    def __init__(
+        self,
+        *,
+        challenge: Optional["bytes"] = None,
+    ) -> None:
+        self.challenge = challenge
+
+
+class FirmwareHash(protobuf.MessageType):
+    MESSAGE_WIRE_TYPE = 89
+    FIELDS = {
+        1: protobuf.Field("hash", "bytes", repeated=False, required=True),
+    }
+
+    def __init__(
+        self,
+        *,
+        hash: "bytes",
+    ) -> None:
+        self.hash = hash
+
+
 class WipeDevice(protobuf.MessageType):
     MESSAGE_WIRE_TYPE = 5