
Use hardware-accelerated SHA-256 in STM32U5

Open andrewkozlik opened this issue 1 year ago • 2 comments

The STM32U5 implements a hardware-accelerated version of SHA-256 and HMAC-SHA256, however not SHA-512. See Chapter 51 "Hash processor" in RM0456. They claim 66 clock cycles for processing one 512-bit block of data using SHA-256. I estimate this could be tens of times faster than our software implementation. It would probably give us a huge boost in speed for:

  • SLIP-39 passphrase derivation (PBKDF2-HMAC-SHA256)
    • We should consider increasing the default iteration exponent.
  • Bitcoin signing (SHA-256)
  • Unlocking storage (PBKDF2-HMAC-SHA256)
    • We will need to update the progress calculation.

andrewkozlik, Mar 22 '24 11:03

Note that we are already using this for firmware/bootloader integrity checks (without the HMAC). The speed-up was indeed as advertised. So this is more an issue of integration into trezor-crypto rather than using the hash processor.

TychoVrahe, Mar 22 '24 19:03

Before we integrate this everywhere, we need to solve context switching - possibly by means of the functions HAL_HASH_ContextSaving and HAL_HASH_ContextRestoring. For now, every hash computation needs to call init, update, final and not be interrupted, otherwise it will not work properly. Also, currently, if final is not called at all but another hash computation starts, it will also result in an incorrect hash.

TychoVrahe, Mar 22 '24 07:04
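
The failure mode from the last comment, next to a save/restore wrapper that avoids it, as an added example that is not trezor-firmware code. It runs against a constructed software model of a hash engine with a single running state, with FNV-1a standing in for SHA-256; `hash_ctx`, `hash_init`, `hash_update`, `hash_final` and the `hw_*` helpers are hypothetical names, and the marked save and restore points are where a real driver would copy the peripheral state out and back in.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: a hash peripheral with ONE running state. FNV-1a stands
   in for SHA-256; on real hardware the state lives in the HASH registers. */
#define HW_RESET 2166136261u
static uint32_t hw_state;
static uint32_t hw_owner;                 /* id of the loaded context, 0 = none */
static void hw_init(void) { hw_state = HW_RESET; }
static void hw_update(const char *p, size_t n) {
  while (n--) hw_state = (hw_state ^ (uint8_t)*p++) * 16777619u;
}
static uint32_t hw_final(void) { return hw_state; }

/* Hypothetical per-caller context: a saved copy of the state plus an id. No
   pointer to it is kept, so an abandoned context cannot dangle. */
typedef struct { uint32_t saved, id; } hash_ctx;
static uint32_t next_id = 1;
static void load(hash_ctx *c) {           /* context restoring, only if needed */
  if (hw_owner != c->id) { hw_state = c->saved; hw_owner = c->id; }
}
void hash_init(hash_ctx *c) { c->saved = HW_RESET; c->id = next_id++; }
void hash_update(hash_ctx *c, const char *p, size_t n) {
  load(c);
  hw_update(p, n);
  c->saved = hw_state;                    /* context saving */
}
uint32_t hash_final(hash_ctx *c) {
  load(c); hw_owner = 0;                  /* release the peripheral */
  return hw_final();
}
/* Uninterrupted init/update/final, the pattern that works without contexts. */
uint32_t reference(const char *m) {
  hw_owner = 0; hw_init(); hw_update(m, strlen(m));
  return hw_final();
}
/* Hash "hello world" while a second computation cuts in halfway. */
uint32_t interrupted_naive(void) {
  hw_owner = 0; hw_init(); hw_update("hello ", 6);
  hw_init(); hw_update("other", 5);       /* intruder; final is never called */
  hw_update("world", 5);
  return hw_final();                      /* digest of "otherworld" */
}
uint32_t interrupted_with_ctx(void) {
  hash_ctx a, b;
  hash_init(&a); hash_update(&a, "hello ", 6);
  hash_init(&b); hash_update(&b, "other", 5);  /* b abandoned without final */
  hash_update(&a, "world", 5);
  return hash_final(&a);
}
```

The model only covers interleaving between calls; an interrupt that lands inside a single update would additionally need the peripheral access itself to be guarded.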