@bayrem-gharsellaoui
Contributor

@bayrem-gharsellaoui bayrem-gharsellaoui commented Jul 31, 2025

Summary

This work uses the crypto hash API implementing the STM32 HASH accelerator, initially supporting only STM32U5, with support for SHA-224 and SHA-256 via the Zephyr crypto API.


Supported Hardware

  • I currently tested this on: nucleo_u575zi_q board (STM32U5 series)
  • It is designed to be extended to other STM32 families that include the HASH peripheral (the other STM32 families may have a handle structure in their HAL different from the one used in STM32U5)

Testing

Crypto test suite:

  • I adapted and ran tests/crypto/crypto_hash as an application for nucleo_u575zi_q and it passed

Manual test sample:

I developed this example application to verify:

  • Correctness of SHA-224 and SHA-256 digests
  • Multi-session behavior
  • Thread safety

#include <string.h> /* memcmp() */

#include <zephyr/crypto/crypto.h>
#include <zephyr/kernel.h>
#include <zephyr/logging/log.h>

LOG_MODULE_REGISTER(hash_example);

#define SHA256_DIGEST_LEN (32)
#define SHA224_DIGEST_LEN (28)

static const uint8_t test_data_256[] = "Thread1 SHA256 data";
static const uint8_t test_data_224[] = "Thread2 SHA224 data";

static const uint8_t expected_digest_256[SHA256_DIGEST_LEN] = {
    0x1f, 0x1b, 0x55, 0x79, 0x3e, 0x5a, 0x48, 0x42, 0x0a, 0x28, 0xfe,
    0xc7, 0xeb, 0xee, 0x94, 0xcd, 0x7e, 0x25, 0xf9, 0x26, 0x18, 0xe8,
    0x6a, 0xaa, 0xf7, 0x1d, 0x2f, 0x02, 0x86, 0x1c, 0x67, 0xd4};

static const uint8_t expected_digest_224[SHA224_DIGEST_LEN] = {
    0x14, 0xca, 0xee, 0x76, 0xf6, 0x54, 0x95, 0xf3, 0xe9, 0xed,
    0xa9, 0x10, 0xe2, 0x9b, 0x0b, 0x4a, 0x62, 0xe8, 0xf5, 0x67,
    0x12, 0x27, 0xcf, 0x97, 0x1a, 0x4f, 0xe8, 0x8b};

static void do_hashing(enum hash_algo algo, const uint8_t *input, size_t in_len,
                       const uint8_t *expected_digest, size_t digest_len,
                       const char *label) {
  int ret;
  const struct device *dev = DEVICE_DT_GET(DT_NODELABEL(hash));
  struct hash_ctx ctx = {0};
  struct hash_pkt pkt = {0};
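  /* Sized for the larger digest (SHA-256); a SHA-224 result uses the
   * first SHA224_DIGEST_LEN bytes only.
   */
  uint8_t digest[SHA256_DIGEST_LEN] = {0};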

  ret = hash_begin_session(dev, &ctx, algo);
  if (ret != 0) {
    LOG_ERR("%s: begin_session failed (%d)", label, ret);
    return;
  }

  /* struct hash_pkt takes a non-const input pointer, hence the cast. */
  pkt.in_buf = (uint8_t *)input;
  pkt.in_len = in_len;
  pkt.out_buf = digest;

  ret = hash_compute(&ctx, &pkt);
  if (ret != 0) {
    LOG_ERR("%s: compute failed (%d)", label, ret);
    hash_free_session(dev, &ctx);
    return;
  }

  if (memcmp(digest, expected_digest, digest_len) == 0) {
    LOG_INF("%s: Digest OK", label);
  } else {
    LOG_ERR("%s: Digest MISMATCH", label);
  }

  LOG_HEXDUMP_DBG(digest, digest_len, label);

  ret = hash_free_session(dev, &ctx);
  if (ret != 0) {
    LOG_ERR("%s: free_session failed (%d)", label, ret);
    return;
  }
}

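/* K_THREAD_DEFINE expects entry points with the k_thread_entry_t signature. */
static void thread_sha256(void *p1, void *p2, void *p3) {
  ARG_UNUSED(p1);
  ARG_UNUSED(p2);
  ARG_UNUSED(p3);

  do_hashing(CRYPTO_HASH_ALGO_SHA256, test_data_256, sizeof(test_data_256) - 1,
             expected_digest_256, SHA256_DIGEST_LEN, "SHA256-Thread1");
}

static void thread_sha224(void *p1, void *p2, void *p3) {
  ARG_UNUSED(p1);
  ARG_UNUSED(p2);
  ARG_UNUSED(p3);

  do_hashing(CRYPTO_HASH_ALGO_SHA224, test_data_224, sizeof(test_data_224) - 1,
             expected_digest_224, SHA224_DIGEST_LEN, "SHA224-Thread2");
}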

K_THREAD_DEFINE(sha256_thread, 2048, thread_sha256, NULL, NULL, NULL, 5, 0, 0);
K_THREAD_DEFINE(sha224_thread, 2048, thread_sha224, NULL, NULL, NULL, 5, 0, 0);

Notes

  • The implementation is very close to drivers/crypto/crypto_stm32.c on purpose for consistency and maintainability.
  • Currently the driver only supports synchronous operations and single-shot hashing (no interrupts or DMA).
  • Multipart hash (update / finish) is not yet implemented, but can be added later (using the HAL_HASHEx_xxx_Accumulate() APIs)

Next Steps

  • Verify driver for the other STM32U5 boards
  • Extend to other STM32 series (e.g., H5...) once validated.
  • Add support for multipart hashing.

@github-actions

Hello @bayrem-gharsellaoui, and thank you very much for your first pull request to the Zephyr project!
Our Continuous Integration pipeline will execute a series of checks on your Pull Request commit messages and code, and you are expected to address any failures by updating the PR. Please take a look at our commit message guidelines to find out how to format your commit messages, and at our contribution workflow to understand how to update your Pull Request. If you haven't already, please make sure to review the project's Contributor Expectations and update (by amending and force-pushing the commits) your pull request if necessary.
If you are stuck or need help please join us on Discord and ask your question there. Additionally, you can escalate the review when applicable. 😊

ceolin previously approved these changes Aug 4, 2025
Member

@ceolin ceolin left a comment

It looks good to me.

@bayrem-gharsellaoui
Contributor Author

@mathieuchopstm
All discussed changes are applied, can you please take a look again?
Thanks

mathieuchopstm previously approved these changes Aug 4, 2025
@mathieuchopstm mathieuchopstm requested a review from ceolin August 4, 2025 14:01
valeriosetti previously approved these changes Aug 4, 2025
Contributor

@JarmouniA JarmouniA left a comment

tests/crypto/crypto_hash (or another more adequate in-tree test) should be enabled to run with the added driver.

return 0;
}

static const struct crypto_driver_api stm32_hash_api = {
Contributor

Suggested change
static const struct crypto_driver_api stm32_hash_api = {
static DEVICE_API(crypto, stm32_hash_funcs) = {

Contributor Author

Done

@GeorgeCGV
Contributor

Shouldn't hash be a part of the crypto driver? By implementing required API:

hash_begin_session 
hash_free_session

HASH is a separate IP from CRYP/AES that crypto_stm32.c currently manages so a separate driver seems sensible to me. Maybe I don't understand the architecture of crypto drivers well though.

I see... zephyr offers crypto api that includes both - hash and encryption. However, API topic is out of scope of this PR.

@bayrem-gharsellaoui
Contributor Author

Hello @ceolin
Is there anything left to do for this PR?
It is stale as I'm waiting for maintainers' review/feedback/approval.
Thanks

@JarmouniA
Contributor

@bayrem-gharsellaoui bayrem-gharsellaoui force-pushed the crypto_stm32_hash branch 3 times, most recently from 4fc9d5d to 67d0df0 Compare August 8, 2025 19:33
@bayrem-gharsellaoui
Contributor Author

> @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923

Can you please run the CI again to check if it passes now?

@bayrem-gharsellaoui
Contributor Author

> @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923

I'm not sure why this is failing in compliance check:

67d0df09d6d2db413ada91794035509755bcecd5: Signed-off-by line (Signed-off-by: Bayrem Gharsellaoui <[email protected]>) does not follow the syntax: First Last <email>.

Even though I'm following the correct syntax: First Last <email>

Am I missing something?

@JarmouniA
Contributor

> > @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923
>
> I'm not sure why this is failing in compliance check:
>
> 67d0df09d6d2db413ada91794035509755bcecd5: Signed-off-by line (Signed-off-by: Bayrem Gharsellaoui <[email protected]>) does not follow the syntax: First Last <email>.
>
> Even though I'm following the correct syntax: First Last <email>
>
> Am I missing something?

Commit author email should be the same as the Signed-off-by one.

@bayrem-gharsellaoui
Contributor Author

> > > @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923
> >
> > I'm not sure why this is failing in compliance check:
> > 67d0df09d6d2db413ada91794035509755bcecd5: Signed-off-by line (Signed-off-by: Bayrem Gharsellaoui <[email protected]>) does not follow the syntax: First Last <email>.
> > Even though I'm following the correct syntax: First Last <email>
> > Am I missing something?
>
> Commit author email should be the same as the Signed-off-by one.

It is:

bayrem@debian:~/workspace/zephyr$ git config --global user.email
[email protected]
bayrem@debian:~/workspace/zephyr$ git config --global user.name
bayrem-gharsellaoui

The only thing I have doubts about is that (before the PR I guess) I changed my GitHub email address to conform with the compliance check

@JarmouniA
Contributor

> > > > @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923
> > >
> > > I'm not sure why this is failing in compliance check:
> > > 67d0df09d6d2db413ada91794035509755bcecd5: Signed-off-by line (Signed-off-by: Bayrem Gharsellaoui <[email protected]>) does not follow the syntax: First Last <email>.
> > > Even though I'm following the correct syntax: First Last <email>
> > > Am I missing something?
> >
> > Commit author email should be the same as the Signed-off-by one.
>
> It is:
>
> bayrem@debian:~/workspace/zephyr$ git config --global user.email
> [email protected]
> bayrem@debian:~/workspace/zephyr$ git config --global user.name
> bayrem-gharsellaoui
>
> The only thing I have doubts about is that (before the PR I guess) I changed my GitHub email address to conform with the compliance check

git user name should not be attached.

@bayrem-gharsellaoui
Contributor Author

> > > > > @bayrem-gharsellaoui you have CI compliance issues that need to be corrected https://github.com/zephyrproject-rtos/zephyr/actions/runs/16774415152/job/47497936949?pr=93923
> > > >
> > > > I'm not sure why this is failing in compliance check:
> > > > 67d0df09d6d2db413ada91794035509755bcecd5: Signed-off-by line (Signed-off-by: Bayrem Gharsellaoui <[email protected]>) does not follow the syntax: First Last <email>.
> > > > Even though I'm following the correct syntax: First Last <email>
> > > > Am I missing something?
> > >
> > > Commit author email should be the same as the Signed-off-by one.
> >
> > It is:
> >
> > bayrem@debian:~/workspace/zephyr$ git config --global user.email
> > [email protected]
> > bayrem@debian:~/workspace/zephyr$ git config --global user.name
> > bayrem-gharsellaoui
> >
> > The only thing I have doubts about is that (before the PR I guess) I changed my GitHub email address to conform with the compliance check
>
> git user name should not be attached.

Should I unset it and push again?

git config --global --unset user.name

@dsseng
Member

dsseng commented Aug 9, 2025

Please set user.name to First Last, as in the sign-off tag. Without email, it goes to user.email

@JarmouniA
Contributor

set user.name to First Last

Then amend your commits with interactive rebase and git commit --amend --author="Full Name <email>" for each one
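
The rule the reviewers arrive at above (the commit author name and email must match a well-formed Signed-off-by line) can be checked locally before pushing. The following Python check is an added example, not part of this thread and not Zephyr's compliance script; the `git log` format string, the function names and the sample identities are assumptions constructed for illustration.

```python
import re

# Assumed input: git log --format='%H%x1f%an%x1f%ae%x1f%B%x1e' <base>..HEAD
FIELD_SEP, RECORD_SEP = "\x1f", "\x1e"

SIGNOFF_RE = re.compile(
    r"^Signed-off-by:[ \t]*(?P<name>[^<>\n]+?)[ \t]*<(?P<email>[^<>\s]+)>[ \t]*$",
    re.MULTILINE,
)


def check_commit(author_name, author_email, message):
    """Return a list of problems for one commit; an empty list means it passes."""
    signoffs = [(m["name"], m["email"].lower()) for m in SIGNOFF_RE.finditer(message)]
    if not signoffs:
        return ["no 'Signed-off-by: First Last <email>' line"]
    problems = []
    if len(author_name.split()) < 2:
        problems.append(f"author name {author_name!r} is not in 'First Last' form")
    if (author_name, author_email.lower()) not in signoffs:
        problems.append("no Signed-off-by line matches the commit author name and email")
    return problems


def check_log(git_log_output):
    """Map commit hash -> problems for every failing commit in the log output."""
    failures = {}
    for record in filter(str.strip, git_log_output.split(RECORD_SEP)):
        sha, name, email, body = record.strip("\n").split(FIELD_SEP, 3)
        problems = check_commit(name, email, body)
        if problems:
            failures[sha] = problems
    return failures


# Constructed sample: the first commit was authored with a handle as user.name,
# the second after user.name was set to the full name and the commit amended.
SAMPLE_MSG = "drivers: add hash driver\n\nSigned-off-by: Ada Example <ada@example.com>\n"
SAMPLE_LOG = RECORD_SEP.join([
    FIELD_SEP.join(["aaaa111", "ada-example", "ada@example.com", SAMPLE_MSG]),
    FIELD_SEP.join(["bbbb222", "Ada Example", "ada@example.com", SAMPLE_MSG]),
]) + RECORD_SEP

if __name__ == "__main__":
    for sha, problems in check_log(SAMPLE_LOG).items():
        print(sha, "; ".join(problems))
```

The first sample commit fails on both counts even though its Signed-off-by line is well formed, which is the situation discussed in this thread.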

Add STM32 HASH driver with SHA-224/256 support for STM32U5

Signed-off-by: Bayrem Gharsellaoui <[email protected]>

Add device tree support for STM32 HASH peripheral on the nucleo_u575zi_q

Signed-off-by: Bayrem Gharsellaoui <[email protected]>

Enable crypto.hash test on nucleo_u575zi_q board

Signed-off-by: Bayrem Gharsellaoui <[email protected]>

@bayrem-gharsellaoui
Contributor Author

bayrem-gharsellaoui commented Aug 9, 2025

> set user.name to First Last
>
> Then amend your commits with interactive rebase and git commit --amend --author="Full Name <email>" for each one

@JarmouniA it is Done

@sonarqubecloud

sonarqubecloud bot commented Aug 9, 2025

@bayrem-gharsellaoui
Contributor Author

> > set user.name to First Last
> >
> > Then amend your commits with interactive rebase and git commit --amend --author="Full Name <email>" for each one
>
> @JarmouniA it is Done

All CI checks have passed

@dsseng
Member

dsseng commented Aug 9, 2025

> > > set user.name to First Last
> > >
> > > Then amend your commits with interactive rebase and git commit --amend --author="Full Name <email>" for each one
> >
> > @JarmouniA it is Done
>
> All CI checks have passed

Great! This can now wait for approvals from subsys maintainers and then be mergeable

@jhedberg jhedberg merged commit 3d11792 into zephyrproject-rtos:main Aug 15, 2025
27 checks passed
@github-actions

Hi @bayrem-gharsellaoui!
Congratulations on getting your very first Zephyr pull request merged 🎉🥳. This is a fantastic achievement, and we're thrilled to have you as part of our community!

To celebrate this milestone and showcase your contribution, we'd love to award you the Zephyr Technical Contributor badge. If you're interested, please claim your badge by filling out this form: Claim Your Zephyr Badge.

Thank you for your valuable input, and we look forward to seeing more of your contributions in the future! 🪁
