diff --git a/core/embed/trezorhal/stm32f4/syscall_dispatch.c b/core/embed/trezorhal/stm32f4/syscall_dispatch.c
index 9698f345d3..09cb204bc7 100644
--- a/core/embed/trezorhal/stm32f4/syscall_dispatch.c
+++ b/core/embed/trezorhal/stm32f4/syscall_dispatch.c
@@ -443,6 +443,17 @@ __attribute((no_stack_protector)) void syscall_handler(uint32_t *args,
 #endif
 
 #ifdef USE_OPTIGA
+    case SYSCALL_OPTIGA_SIGN: {
+      uint8_t index = args[0];
+      const uint8_t *digest = (const uint8_t *)args[1];
+      size_t digest_size = args[2];
+      uint8_t *signature = (uint8_t *)args[3];
+      size_t max_sig_size = args[4];
+      size_t *sig_size = (size_t *)args[5];
+      args[0] = optiga_sign__verified(index, digest, digest_size, signature,
+                                      max_sig_size, sig_size);
+    } break;
+
     case SYSCALL_OPTIGA_CERT_SIZE: {
       uint8_t index = args[0];
       size_t *cert_size = (size_t *)args[1];
diff --git a/core/embed/trezorhal/stm32f4/syscall_verifiers.c b/core/embed/trezorhal/stm32f4/syscall_verifiers.c
index 2573a89cd3..caa578ceae 100644
--- a/core/embed/trezorhal/stm32f4/syscall_verifiers.c
+++ b/core/embed/trezorhal/stm32f4/syscall_verifiers.c
@@ -389,6 +389,29 @@ access_violation:
 
 // ---------------------------------------------------------------------
 
+optiga_sign_result __wur optiga_sign__verified(
+    uint8_t index, const uint8_t *digest, size_t digest_size,
+    uint8_t *signature, size_t max_sig_size, size_t *sig_size) {
+  if (!probe_read_access(digest, digest_size)) {
+    goto access_violation;
+  }
+
+  if (!probe_write_access(signature, max_sig_size)) {
+    goto access_violation;
+  }
+
+  if (!probe_write_access(sig_size, sizeof(*sig_size))) {
+    goto access_violation;
+  }
+
+  return optiga_sign(index, digest, digest_size, signature, max_sig_size,
+                     sig_size);
+
+access_violation:
+  apptask_access_violation();
+  return (optiga_sign_result){0};
+}
+
 bool __wur optiga_cert_size__verified(uint8_t index, size_t *cert_size) {
   if (!probe_write_access(cert_size, sizeof(*cert_size))) {
     goto access_violation;
diff --git a/core/embed/trezorhal/stm32f4/syscall_verifiers.h b/core/embed/trezorhal/stm32f4/syscall_verifiers.h
index cdd9d1440c..5f3bb18d62 100644
--- a/core/embed/trezorhal/stm32f4/syscall_verifiers.h
+++ b/core/embed/trezorhal/stm32f4/syscall_verifiers.h
@@ -102,6 +102,10 @@ secbool __wur sdcard_write_blocks__verified(const uint32_t *src,
 // ---------------------------------------------------------------------
 #include "optiga.h"
 
+optiga_sign_result __wur optiga_sign__verified(
+    uint8_t index, const uint8_t *digest, size_t digest_size,
+    uint8_t *signature, size_t max_sig_size, size_t *sig_size);
+
 bool __wur optiga_cert_size__verified(uint8_t index, size_t *cert_size);
 
 bool __wur optiga_read_cert__verified(uint8_t index, uint8_t *cert,