perf(core): optimize boot speed on U5 by using has processor to calculate image hashes, switches to sha256

[no changelog]

core/embed/boardloader/main.c

@@ -38,6 +38,9 @@
 #ifdef USE_SDRAM
 #include "sdram.h"
 #endif
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
 
 #include "lowlevel.h"
 #include "model.h"
@@ -266,6 +269,10 @@ int main(void) {
   sdram_init();
 #endif
 
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
+
   display_init();
   display_clear();
 

core/embed/bootloader/main.c

@@ -55,6 +55,10 @@
 #ifdef USE_RGB_LED
 #include "rgb_led.h"
 #endif
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
+
 #include "model.h"
 #include "usb.h"
 #include "version.h"
@@ -418,6 +422,10 @@ int bootloader_main(void) {
   }
 #endif
 
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
+
 #ifdef USE_DMA2D
   dma2d_init();
 #endif

core/embed/bootloader/messages.c

@@ -599,12 +599,12 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
       secbool is_ilu = secfalse;  // interaction-less update
 
       if (bootargs_get_command() == BOOT_COMMAND_INSTALL_UPGRADE) {
-        BLAKE2S_CTX ctx;
+        IMAGE_HASH_CTX ctx;
-        uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+        uint8_t hash[IMAGE_HASH_DIGEST_LENGTH];
-        blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+        IMAGE_HASH_INIT(&ctx);
-        blake2s_Update(&ctx, CHUNK_BUFFER_PTR,
+        IMAGE_HASH_UPDATE(&ctx, CHUNK_BUFFER_PTR,
-                       vhdr.hdrlen + received_hdr->hdrlen);
+                          vhdr.hdrlen + received_hdr->hdrlen);
-        blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
+        IMAGE_HASH_FINAL(&ctx, hash);
 
         // the firmware must be the same as confirmed by the user
         if (memcmp(bootargs_get_args()->hash, hash, sizeof(hash)) != 0) {

core/embed/bootloader_ci/main.c

@@ -39,6 +39,11 @@
 #include "bootui.h"
 #include "messages.h"
 #include "model.h"
+
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
+
 // #include "mpu.h"
 
 #define USB_IFACE_NUM 0
@@ -207,6 +212,10 @@ int main(void) {
   touch_power_on();
 #endif
 
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
+
   mpu_config_bootloader();
 
 #if PRODUCTION

core/embed/firmware/main.c

@@ -74,6 +74,10 @@
 #ifdef USE_SD_CARD
 #include "sdcard.h"
 #endif
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
+
 #ifdef USE_OPTIGA
 #include "optiga_commands.h"
 #include "optiga_transport.h"
@@ -120,6 +124,10 @@ int main(void) {
   enable_systemview();
 #endif
 
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
+
 #ifdef USE_DMA2D
   dma2d_init();
 #endif

core/embed/lib/image.c

@@ -19,7 +19,6 @@
 
 #include <string.h>
 
-#include "blake2s.h"
 #include "ed25519-donna/ed25519.h"
 
 #include "common.h"
@@ -120,13 +119,13 @@ secbool check_image_model(const image_header *const hdr) {
 }
 
 void get_image_fingerprint(const image_header *const hdr, uint8_t *const out) {
-  BLAKE2S_CTX ctx;
+  IMAGE_HASH_CTX ctx;
-  blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_INIT(&ctx);
-  blake2s_Update(&ctx, hdr, IMAGE_HEADER_SIZE - IMAGE_SIG_SIZE);
+  IMAGE_HASH_UPDATE(&ctx, (uint8_t *)hdr, IMAGE_HEADER_SIZE - IMAGE_SIG_SIZE);
   for (int i = 0; i < IMAGE_SIG_SIZE; i++) {
-    blake2s_Update(&ctx, (const uint8_t *)"\x00", 1);
+    IMAGE_HASH_UPDATE(&ctx, (const uint8_t *)"\x00", 1);
   }
-  blake2s_Final(&ctx, out, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_FINAL(&ctx, out);
 }
 
 secbool check_image_header_sig(const image_header *const hdr, uint8_t key_m,
@@ -141,7 +140,7 @@ secbool check_image_header_sig(const image_header *const hdr, uint8_t key_m,
     return secfalse;
 
   return sectrue *
-         (0 == ed25519_sign_open(fingerprint, BLAKE2S_DIGEST_LENGTH, pub,
+         (0 == ed25519_sign_open(fingerprint, IMAGE_HASH_DIGEST_LENGTH, pub,
                                  *(const ed25519_signature *)hdr->sig));
 }
 
@@ -199,21 +198,21 @@ secbool check_vendor_header_sig(const vendor_header *const vhdr, uint8_t key_m,
 
   // check header signature
 
-  uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+  uint8_t hash[IMAGE_HASH_DIGEST_LENGTH];
-  BLAKE2S_CTX ctx;
+  IMAGE_HASH_CTX ctx;
-  blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_INIT(&ctx);
-  blake2s_Update(&ctx, vhdr->origin, vhdr->hdrlen - IMAGE_SIG_SIZE);
+  IMAGE_HASH_UPDATE(&ctx, vhdr->origin, vhdr->hdrlen - IMAGE_SIG_SIZE);
   for (int i = 0; i < IMAGE_SIG_SIZE; i++) {
-    blake2s_Update(&ctx, (const uint8_t *)"\x00", 1);
+    IMAGE_HASH_UPDATE(&ctx, (const uint8_t *)"\x00", 1);
   }
-  blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_FINAL(&ctx, hash);
 
   ed25519_public_key pub;
   if (sectrue != compute_pubkey(key_m, key_n, keys, vhdr->sigmask, pub))
     return secfalse;
 
   return sectrue *
-         (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub,
+         (0 == ed25519_sign_open(hash, IMAGE_HASH_DIGEST_LENGTH, pub,
                                  *(const ed25519_signature *)vhdr->sig));
 }
 
@@ -223,20 +222,22 @@ secbool check_vendor_header_keys(const vendor_header *const vhdr) {
 }
 
 void vendor_header_hash(const vendor_header *const vhdr, uint8_t *hash) {
-  BLAKE2S_CTX ctx;
+  IMAGE_HASH_CTX ctx;
-  blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_INIT(&ctx);
-  blake2s_Update(&ctx, vhdr->vstr, vhdr->vstr_len);
+  IMAGE_HASH_UPDATE(&ctx, (const uint8_t *)vhdr->vstr, vhdr->vstr_len);
-  blake2s_Update(&ctx, "Trezor Vendor Header", 20);
+  IMAGE_HASH_UPDATE(&ctx, (const uint8_t *)"Trezor Vendor Header", 20);
-  blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
+  IMAGE_HASH_FINAL(&ctx, hash);
 }
 
 secbool check_single_hash(const uint8_t *const hash, const uint8_t *const data,
                           int len) {
-  uint8_t h[BLAKE2S_DIGEST_LENGTH];
+  uint8_t s_c[IMAGE_HASH_DIGEST_LENGTH] = {0};
-  blake2s(data, len, h, BLAKE2S_DIGEST_LENGTH);
+
-  return sectrue * (0 == memcmp(h, hash, BLAKE2S_DIGEST_LENGTH));
+  IMAGE_HASH_CALC(data, len, s_c);
+
+  return sectrue * (0 == memcmp(s_c, hash, IMAGE_HASH_DIGEST_LENGTH));
 }
-//
+
 secbool check_image_contents(const image_header *const hdr, uint32_t firstskip,
                              const flash_area_t *area) {
   if (0 == area) {
@@ -340,10 +341,7 @@ secbool check_firmware_header(const uint8_t *header, size_t header_size,
   get_image_fingerprint(ihdr, info->fingerprint);
 
   // calculate hash of both vendor and image headers
-  BLAKE2S_CTX ctx;
+  IMAGE_HASH_CALC(header, vhdr.hdrlen + ihdr->hdrlen, info->hash);
-  blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
-  blake2s_Update(&ctx, header, vhdr.hdrlen + ihdr->hdrlen);
-  blake2s_Final(&ctx, &info->hash, BLAKE2S_DIGEST_LENGTH);
 
   return sectrue;
 }

core/embed/lib/image.h

@@ -23,6 +23,7 @@
 #include <stdint.h>
 #include "blake2s.h"
 #include "flash.h"
+#include "image_hash_conf.h"
 #include "model.h"
 #include "secbool.h"
 
@@ -90,9 +91,9 @@ typedef struct {
   uint8_t ver_patch;
   uint8_t ver_build;
   // firmware fingerprint
-  uint8_t fingerprint[BLAKE2S_DIGEST_LENGTH];
+  uint8_t fingerprint[IMAGE_HASH_DIGEST_LENGTH];
   // hash of vendor and image header
-  uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+  uint8_t hash[IMAGE_HASH_DIGEST_LENGTH];
 } firmware_header_info_t;
 
 const image_header *read_image_header(const uint8_t *const data,

core/embed/lib/image_hash_conf.h

@@ -0,0 +1,41 @@
+#ifndef LIB_IMAGE_HASH_H_
+#define LIB_IMAGE_HASH_H_
+
+#include "model.h"
+#include TREZOR_BOARD
+
+#ifdef IMAGE_HASH_SHA256
+#include "sha2.h"
+#define IMAGE_HASH_DIGEST_LENGTH SHA256_DIGEST_LENGTH
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#define IMAGE_HASH_CTX hash_sha265_context_t
+#define IMAGE_HASH_INIT(ctx) hash_processor_sha256_init(ctx)
+#define IMAGE_HASH_UPDATE(ctx, data, len) \
+  hash_processor_sha256_update(ctx, data, len)
+#define IMAGE_HASH_FINAL(ctx, output) hash_processor_sha256_final(ctx, output)
+#define IMAGE_HASH_CALC(data, len, output) \
+  hash_processor_sha256_calc(data, len, output)
+#else
+#define IMAGE_HASH_CTX SHA256_CTX
+#define IMAGE_HASH_INIT(ctx) sha256_Init(ctx)
+#define IMAGE_HASH_UPDATE(ctx, data, len) sha256_Update(ctx, data, len)
+#define IMAGE_HASH_FINAL(ctx, output) sha256_Final(ctx, output)
+#define IMAGE_HASH_CALC(data, len, output) sha256_Raw(data, len, output)
+#endif
+
+#elif defined IMAGE_HASH_BLAKE2S
+#include "blake2s.h"
+#define IMAGE_HASH_DIGEST_LENGTH BLAKE2S_DIGEST_LENGTH
+#define IMAGE_HASH_CTX BLAKE2S_CTX
+#define IMAGE_HASH_INIT(ctx) blake2s_Init(ctx, BLAKE2S_DIGEST_LENGTH)
+#define IMAGE_HASH_UPDATE(ctx, data, len) blake2s_Update(ctx, data, len)
+#define IMAGE_HASH_FINAL(ctx, output) \
+  blake2s_Final(ctx, output, BLAKE2S_DIGEST_LENGTH)
+#define IMAGE_HASH_CALC(data, len, output) \
+  blake2s(data, len, output, BLAKE2S_DIGEST_LENGTH)
+#else
+#error "IMAGE_HASH_SHA256 or IMAGE_HASH_BLAKE2S must be defined"
+#endif
+
+#endif

core/embed/models/model_D001.h

@@ -24,6 +24,7 @@
 #define FIRMWARE_START 0x08040000
 
 #define IMAGE_CHUNK_SIZE (128 * 1024)
+#define IMAGE_HASH_BLAKE2S
 #define BOOTLOADER_IMAGE_MAXSIZE (128 * 1024 * 1)  // 128 KB
 #define FIRMWARE_IMAGE_MAXSIZE (128 * 1024 * 13)   // 1664 KB
 #define NORCOW_SECTOR_SIZE (64 * 1024)

core/embed/models/model_D002.h

@@ -27,6 +27,7 @@
 #define FIRMWARE_START 0x0C050000
 
 #define IMAGE_CHUNK_SIZE SIZE_256K
+#define IMAGE_HASH_SHA256
 #define BOOTLOADER_IMAGE_MAXSIZE SIZE_128K
 #define FIRMWARE_IMAGE_MAXSIZE SIZE_3712K
 #define NORCOW_SECTOR_SIZE SIZE_64K

core/embed/models/model_T1B1.h

@@ -11,6 +11,7 @@
 #define FIRMWARE_START 0x08010000
 
 #define IMAGE_CHUNK_SIZE (64 * 1024)
+#define IMAGE_HASH_SHA256
 #define BOOTLOADER_IMAGE_MAXSIZE (32 * 1024 * 1)  // 32 KB
 #define FIRMWARE_IMAGE_MAXSIZE (64 * 1024 * 15)   // 960 KB
 #define NORCOW_SECTOR_SIZE (16 * 1024)

core/embed/models/model_T2B1.h

@@ -24,6 +24,7 @@
 #define FIRMWARE_START 0x08040000
 
 #define IMAGE_CHUNK_SIZE (128 * 1024)
+#define IMAGE_HASH_BLAKE2S
 #define BOOTLOADER_IMAGE_MAXSIZE (128 * 1024 * 1)  // 128 KB
 #define FIRMWARE_IMAGE_MAXSIZE (128 * 1024 * 13)   // 1664 KB
 #define NORCOW_SECTOR_SIZE (64 * 1024)

core/embed/models/model_T2T1.h

@@ -24,6 +24,7 @@
 #define FIRMWARE_START 0x08040000
 
 #define IMAGE_CHUNK_SIZE (128 * 1024)
+#define IMAGE_HASH_BLAKE2S
 #define BOOTLOADER_IMAGE_MAXSIZE (128 * 1024 * 1)  // 128 KB
 #define FIRMWARE_IMAGE_MAXSIZE (128 * 1024 * 13)   // 1664 KB
 #define NORCOW_SECTOR_SIZE (64 * 1024)

core/embed/models/model_T3T1.h

@@ -26,6 +26,7 @@
 #define FIRMWARE_START 0x0C050000
 
 #define IMAGE_CHUNK_SIZE (128 * 1024)
+#define IMAGE_HASH_SHA256
 #define BOOTLOADER_IMAGE_MAXSIZE (128 * 1024 * 1)  // 128 KB
 #define FIRMWARE_IMAGE_MAXSIZE (128 * 1024 * 13)   // 1664 KB
 #define NORCOW_SECTOR_SIZE (64 * 1024)

core/embed/prodtest/main.c

@@ -48,6 +48,10 @@
 #include "optiga_transport.h"
 #endif
 
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
+
 #include "memzero.h"
 
 #ifdef STM32U5
@@ -553,6 +557,9 @@ int main(void) {
   display_reinit();
   display_orientation(0);
   random_delays_init();
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
 #ifdef USE_SD_CARD
   sdcard_init();
 #endif

core/embed/reflash/main.c

@@ -34,6 +34,10 @@
 #include "secbool.h"
 #include "touch.h"
 
+#ifdef USE_HASH_PROCESSOR
+#include "hash_processor.h"
+#endif
+
 static void progress_callback(int pos, int len) { term_printf("."); }
 
 static void flash_from_sdcard(const flash_area_t* area, uint32_t source,
@@ -66,6 +70,10 @@ int main(void) {
   sdcard_init();
   touch_init();
 
+#ifdef USE_HASH_PROCESSOR
+  hash_processor_init();
+#endif
+
   display_orientation(0);
   display_clear();
   display_backlight(255);

core/embed/trezorhal/boards/stm32u5a9j-dk.h

@@ -9,6 +9,7 @@
 #define USE_TOUCH 1
 //#define USE_SBU 1
 //#define USE_DISP_I8080_8BIT_DW 1
+#define USE_HASH_PROCESSOR 1
 
 #include "displays/dsi.h"
 

core/embed/trezorhal/boards/trezor_t3t1_v4.h

@@ -15,6 +15,7 @@
 #define USE_DISP_I8080_8BIT_DW 1
 #define USE_HAPTIC 1
 #define USE_BACKLIGHT 1
+#define USE_HASH_PROCESSOR 1
 
 #include "displays/panels/lx154a2422.h"
 #include "displays/st7789v.h"

core/embed/trezorhal/hash_processor.h

@@ -0,0 +1,33 @@
+#ifndef TREZORHAL_HASH_PROCESSOR_H_
+#define TREZORHAL_HASH_PROCESSOR_H_
+
+#include <stdint.h>
+
+#define HASH_SHA256_BUFFER_SIZE 4
+
+typedef struct {
+  uint32_t length;                         /*!< nb bytes in buffer */
+  uint8_t buffer[HASH_SHA256_BUFFER_SIZE]; /*!< data being processed */
+} hash_sha265_context_t;
+
+// Initialize the hash processor
+void hash_processor_init(void);
+
+// Calculate SHA256 hash of data
+// for best performance, data should be 32-bit aligned - as this allows DMA to
+// be used
+void hash_processor_sha256_calc(const uint8_t *data, uint32_t len,
+                                uint8_t *hash);
+
+// Initialize the hash context
+// This serves for calculating hashes of multiple data blocks
+void hash_processor_sha256_init(hash_sha265_context_t *ctx);
+
+// Feed the hash next chunk of data
+void hash_processor_sha256_update(hash_sha265_context_t *ctx,
+                                  const uint8_t *data, uint32_t len);
+
+// Finalize the hash calculation, retrieve the digest
+void hash_processor_sha256_final(hash_sha265_context_t *ctx, uint8_t *output);
+
+#endif

core/embed/trezorhal/stm32u5/hash_processor.c

@@ -0,0 +1,132 @@
+#include "hash_processor.h"
+#include <stdbool.h>
+#include <string.h>
+#include STM32_HAL_H
+#include "irq.h"
+#include "memzero.h"
+#include "sha2.h"
+
+HASH_HandleTypeDef hhash = {0};
+DMA_HandleTypeDef DMA_Handle = {0};
+
+void hash_processor_init(void) {
+  __HAL_RCC_HASH_CLK_ENABLE();
+  __HAL_RCC_GPDMA1_CLK_ENABLE();
+
+  hhash.Init.DataType = HASH_DATATYPE_8B;
+  hhash.hdmain = &DMA_Handle;
+  HAL_HASH_Init(&hhash);
+
+  /* USER CODE END GPDMA1_Init 1 */
+  DMA_Handle.Instance = GPDMA1_Channel12;
+  DMA_Handle.Init.Request = GPDMA1_REQUEST_HASH_IN;
+  DMA_Handle.Init.BlkHWRequest = DMA_BREQ_SINGLE_BURST;
+  DMA_Handle.Init.Direction = DMA_MEMORY_TO_PERIPH;
+  DMA_Handle.Init.SrcInc = DMA_SINC_INCREMENTED;
+  DMA_Handle.Init.DestInc = DMA_DINC_FIXED;
+  DMA_Handle.Init.SrcDataWidth = DMA_SRC_DATAWIDTH_WORD;
+  DMA_Handle.Init.DestDataWidth = DMA_DEST_DATAWIDTH_WORD;
+  DMA_Handle.Init.Priority = DMA_LOW_PRIORITY_HIGH_WEIGHT;
+  DMA_Handle.Init.SrcBurstLength = 1;
+  DMA_Handle.Init.DestBurstLength = 4;
+  DMA_Handle.Init.TransferAllocatedPort =
+      DMA_SRC_ALLOCATED_PORT1 | DMA_DEST_ALLOCATED_PORT0;
+  DMA_Handle.Init.TransferEventMode = DMA_TCEM_BLOCK_TRANSFER;
+  DMA_Handle.Init.Mode = DMA_NORMAL;
+  HAL_DMA_Init(&DMA_Handle);
+  HAL_DMA_ConfigChannelAttributes(&DMA_Handle, DMA_CHANNEL_SEC |
+                                                   DMA_CHANNEL_SRC_SEC |
+                                                   DMA_CHANNEL_DEST_SEC);
+
+  DMA_Handle.Parent = &hhash;
+
+  HAL_NVIC_SetPriority(GPDMA1_Channel12_IRQn, IRQ_PRI_DMA, 0);
+  HAL_NVIC_EnableIRQ(GPDMA1_Channel12_IRQn);
+}
+
+void GPDMA1_Channel12_IRQHandler(void) { HAL_DMA_IRQHandler(&DMA_Handle); }
+
+static void hash_processor_sha256_calc_dma(const uint8_t *data, uint32_t len,
+                                           uint8_t *hash) {
+  while (len > 0) {
+    uint32_t chunk = len > 0x8000 ? 0x8000 : len;
+    bool last = (len - chunk) <= 0;
+
+    __HAL_HASH_SET_MDMAT();
+
+    HAL_HASHEx_SHA256_Start_DMA(&hhash, (uint8_t *)data, chunk);
+    while (HAL_HASH_GetState(&hhash) != HAL_HASH_STATE_READY)
+      ;
+
+    if (last) {
+      HASH->STR |= HASH_STR_DCAL;
+      HAL_HASHEx_SHA256_Finish(&hhash, hash, 1000);
+    }
+    data += chunk;
+    len -= chunk;
+  }
+}
+
+void hash_processor_sha256_calc(const uint8_t *data, uint32_t len,
+                                uint8_t *hash) {
+  if (((uint32_t)data & 0x3) == 0) {
+    hash_processor_sha256_calc_dma(data, len, hash);
+  } else {
+    HAL_HASHEx_SHA256_Start(&hhash, (uint8_t *)data, len, hash, 1000);
+  }
+}
+
+void hash_processor_sha256_init(hash_sha265_context_t *ctx) {
+  memzero(ctx, sizeof(hash_sha265_context_t));
+}
+
+void hash_processor_sha256_update(hash_sha265_context_t *ctx,
+                                  const uint8_t *data, uint32_t len) {
+  if (ctx->length > 0) {
+    uint32_t chunk = HASH_SHA256_BUFFER_SIZE - ctx->length;
+    if (chunk > len) {
+      chunk = len;
+    }
+    memcpy(ctx->buffer + ctx->length, data, chunk);
+    ctx->length += chunk;
+    data += chunk;
+    len -= chunk;
+    if (ctx->length == HASH_SHA256_BUFFER_SIZE) {
+      HAL_HASHEx_SHA256_Accmlt(&hhash, (uint8_t *)ctx->buffer,
+                               HASH_SHA256_BUFFER_SIZE);
+      ctx->length = 0;
+      memzero(ctx->buffer, HASH_SHA256_BUFFER_SIZE);
+    }
+  }
+
+  uint32_t len_aligned = len & ~(HASH_SHA256_BUFFER_SIZE - 1);
+  uint32_t len_rest = len & (HASH_SHA256_BUFFER_SIZE - 1);
+
+  while (len_aligned > 0) {
+    uint32_t chunk = len_aligned > 0x8000 ? 0x8000 : len_aligned;
+    HAL_HASHEx_SHA256_Accmlt(&hhash, (uint8_t *)data, chunk);
+    data += chunk;
+    len_aligned -= chunk;
+  }
+
+  if (len_rest > 0) {
+    memcpy(ctx->buffer, data, len_rest);
+    ctx->length = len_rest;
+  }
+}
+
+void hash_processor_sha256_final(hash_sha265_context_t *ctx, uint8_t *output) {
+  uint32_t tmp_out[SHA256_DIGEST_LENGTH / sizeof(uint32_t)] = {0};
+
+  if (ctx->length > 0) {
+    memzero(ctx->buffer + ctx->length, HASH_SHA256_BUFFER_SIZE - ctx->length);
+    HAL_HASHEx_SHA256_Accmlt_End(&hhash, (uint8_t *)ctx->buffer, ctx->length,
+                                 (uint8_t *)tmp_out, 1000);
+    ctx->length = 0;
+    memzero(ctx->buffer, HASH_SHA256_BUFFER_SIZE);
+  } else {
+    HASH->STR |= HASH_STR_DCAL;
+    HAL_HASHEx_SHA256_Finish(&hhash, (uint8_t *)tmp_out, 1000);
+  }
+  memcpy(output, tmp_out, SHA256_DIGEST_LENGTH);
+}

core/embed/trezorhal/stm32u5/stm32u5xx_hal_conf.h

@@ -57,7 +57,7 @@ extern "C" {
 #define HAL_GFXMMU_MODULE_ENABLED
 /*#define HAL_GPU2D_MODULE_ENABLED */
 #define HAL_GTZC_MODULE_ENABLED
-/*#define HAL_HASH_MODULE_ENABLED */
+#define HAL_HASH_MODULE_ENABLED
 /*#define HAL_HRTIM_MODULE_ENABLED */
 /*#define HAL_IRDA_MODULE_ENABLED */
 /*#define HAL_IWDG_MODULE_ENABLED */

core/embed/vendorheader/D002/vendor_dev_DO_NOT_SIGN.json

@@ -6,7 +6,7 @@
     "version": [0, 0],
     "sig_m": 2,
     "trust": {
-        "allow_run_with_secret": false,
+        "allow_run_with_secret": true,
         "show_vendor_string": false,
         "require_user_click": false,
         "red_background": false,

core/site_scons/boards/stm32u5_common.py

@@ -19,12 +19,16 @@ def stm32u5_common_files(env, defines, sources, paths):
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_cortex.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_cryp.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_dma2d.c",
+        "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_dma.c",
+        "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_dma_ex.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_dsi.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_flash.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_flash_ex.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_gfxmmu.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_gpio.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_gtzc.c",
+        "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_hash.c",
+        "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_hash_ex.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_i2c.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_i2c_ex.c",
         "vendor/stm32u5xx_hal_driver/Src/stm32u5xx_hal_icache.c",
@@ -50,6 +54,7 @@ def stm32u5_common_files(env, defines, sources, paths):
         "embed/trezorhal/stm32u5/flash.c",
         "embed/trezorhal/stm32u5/flash_otp.c",
         "embed/trezorhal/stm32u5/lowlevel.c",
+        "embed/trezorhal/stm32u5/hash_processor.c",
         "embed/trezorhal/stm32u5/mpu.c",
         "embed/trezorhal/stm32u5/platform.c",
         "embed/trezorhal/stm32u5/secret.c",

python/src/trezorlib/firmware/models.py

@@ -258,8 +258,14 @@ T2T1_HASH_PARAMS = FirmwareHashParameters(
     padding_byte=None,
 )
 
+T3T1_HASH_PARAMS = FirmwareHashParameters(
+    hash_function=hashlib.sha256,
+    chunk_size=1024 * 128,
+    padding_byte=None,
+)
+
 D002_HASH_PARAMS = FirmwareHashParameters(
-    hash_function=hashlib.blake2s,
+    hash_function=hashlib.sha256,
     chunk_size=1024 * 256,
     padding_byte=None,
 )
@@ -285,7 +291,7 @@ MODEL_MAP_DEV = {
 MODEL_HASH_PARAMS_MAP = {
     Model.T1B1: LEGACY_HASH_PARAMS,
     Model.T2T1: T2T1_HASH_PARAMS,
-    Model.T3T1: T2T1_HASH_PARAMS,
+    Model.T3T1: T3T1_HASH_PARAMS,
     Model.T2B1: T2T1_HASH_PARAMS,
     Model.D001: T2T1_HASH_PARAMS,
     Model.D002: D002_HASH_PARAMS,

python/src/trezorlib/firmware/vendor.py

@@ -121,10 +121,11 @@ class VendorHeader(Struct):
     # fmt: on
 
     def digest(self) -> bytes:
+        hash_function = Model.from_hw_model(self.hw_model).hash_params().hash_function
         cpy = copy(self)
         cpy.sigmask = 0
         cpy.signature = b"\x00" * 64
-        return hashlib.blake2s(cpy.build()).digest()
+        return hash_function(cpy.build()).digest()
 
     def vhash(self) -> bytes:
         h = hashlib.blake2s()