25. Hash processor (HASH)

This section applies to STM32F415/417xx and STM32F43xxx devices.

25.1 HASH introduction

The hash processor is a fully compliant implementation of the secure hash algorithm (SHA-1, SHA-224, SHA-256), the MD5 (message-digest algorithm 5) hash algorithm and the HMAC (keyed-hash message authentication code) algorithm suitable for a variety of applications. It computes a message digest (160 bits for the SHA-1 algorithm, 256 bits for the SHA-256 algorithm and 224 bits for the SHA-224 algorithm, 128 bits for the MD5 algorithm) for messages of up to \( (2^{64} - 1) \) bits, while HMAC algorithms provide a way of authenticating messages by means of hash functions. HMAC algorithms consist in calling the SHA-1, SHA-224, SHA-256 or MD5 hash function twice.

25.2 HASH main features

Note: Padding, as defined in the SHA-1, SHA-224 and SHA-256 algorithm, consists in adding a bit at bx1 followed by N bits at bx0 to get a total length congruent to 448 modulo 512. After this, the message is completed with a 64-bit integer which is the binary representation of the original message length. For this hash processor, the quanta for entering the message is a 32-bit word, so an additional information must be provided at the end of the message entry, which is the number of valid bits in the last 32-bit word entered.

25.3 HASH functional description

Figure 1 shows the block diagram of the hash processor.

Figure 233. Block diagram for STM32F415/417xx

Block diagram for STM32F415/417xx showing the hash processor architecture connected to a 32-bit AHB2 bus.

The diagram illustrates the internal architecture of the hash processor. At the top, a horizontal double-headed arrow represents the 32-bit AHB2 bus . Below it, a vertical stack of components is shown. On the left, a large box labeled Control and status registers contains several sub-registers: Interrupt registers (HASH_IMR, HASH_SR), Control register (HASH_CR), Start register (HASH_STR), Context swapping (HASH_CSR0..50), and Message digest (HASH_H0..H4). This box is connected to the bus via a double-headed arrow. To the right of the control registers, a dashed box labeled IN buffer contains a Data register (HASH_DIN) and a 16 × 32-bit IN FIFO . The HASH_DIN register is connected to the bus and receives data from an external source, indicated by an arrow pointing into it with the text: "write into HASH_DIN or write DCAL bit to 1 or 1 complete block transferred by the DMA". The IN FIFO is connected to the HASH_DIN register and to a swapping block below it. The swapping block is connected to the SHA-1 / MD5 Hash / HMAC processor core . An arrow points from the swapping block to the core with the text: "IN FIFO full or DCAL written to 1". The core sends a digest back to the Message digest register (HASH_H0..H4) and exchanges context information with the Context swapping register (HASH_CSR0..50). The identifier ai16081 is located in the bottom right corner of the diagram.

Block diagram for STM32F415/417xx showing the hash processor architecture connected to a 32-bit AHB2 bus.

Figure 234. Block diagram for STM32F43xxx

Block diagram for STM32F43xxx hash processor (HASH).

The diagram illustrates the internal architecture of the hash processor. At the top, a horizontal double-headed arrow represents the 32-bit AHB2 bus . Below this bus, on the left, is a large box labeled Control and status registers . This box contains several sub-registers: Interrupt registers (HASH_IMR, HASH_SR), Control register (HASH_CR), Start register (HASH_STR), Context swapping (HASH_CSR0..53), and Message digest (HASH_H0..H7). To the right of the bus is an IN buffer (dashed box) containing a Data register (HASH_DIN) and a 16 × 32-bit IN FIFO . An arrow points from the text "write into HASH_DIN or write DCAL bit to 1 or 1 complete block transferred by the DMA" to the HASH_DIN register. Below the IN FIFO is a swapping block. An arrow points from the text "IN FIFO full or DCAL written to 1" to this swapping block. At the bottom right is the SHA-1, SHA-224, SHA-256 and MD5 Hash / HMAC processor core . Arrows show data flow: from the IN FIFO through the swapping block to the processor core, from the core to the Message digest (HASH_H0..H7) labeled "digest", and from the Context swapping (HASH_CSR0..53) to the core labeled "context". The Control and status registers are connected to the 32-bit AHB2 bus via a vertical double-headed arrow.

Block diagram for STM32F43xxx hash processor (HASH).

MS30442V1

The FIPS PUB 180-2 standard and the IETF RFC 1321 publication specify the SHA-1, SHA-224 and SHA-256 and MD5 secure hash algorithms, respectively, for computing a condensed representation of a message or data file. When a message of any length below \( 2^{64} \) bits is provided on input, the SHA-1, SHA-224 and SHA-256 and MD5 produce respective a 160-bit, 224 bit, 256 bit and 128-bit output string, respectively, called a message digest. The message digest can then be processed with a digital signature algorithm in order to generate or verify the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message. The verifier of a digital signature has to use the same hash algorithm as the one used by the creator of the digital signature.

The SHA-1, SHA-224 and SHA-256 and MD5 are qualified as “secure” because it is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Any change to a message in transit, with very high probability, results in a different message digest, and the signature fails to verify. For more detail on the SHA-1 or SHA-224 and SHA-256 algorithm, please refer to the FIPS PUB 180-2 (Federal Information Processing Standards Publication 180-2), 2002 august 1.

The current implementation of this standard works with little-endian input data convention. For example, the C string “abc” must be represented in memory as the 24-bit hexadecimal value 0x434241.

A message or data file to be processed by the hash processor should be considered a bit string. The length of the message is the number of bits in the message (the empty message

has length 0). You can consider that 32 bits of this bit string forms a 32-bit word. Note that the FIPS PUB 180-1 standard uses the convention that bit strings grow from left to right, and bits can be grouped as bytes (8 bits) or words (32 bits) (but some implementations also use half-words (16 bits), and implicitly, uses the big-endian byte (half-word) ordering. This convention is mainly important for padding (see Section 1.3.4: Message padding on page 12 ).

25.3.1 Duration of the processing

The computation of an intermediate block of a message takes:

to which you must add the time needed to load the 16 words of the block into the processor (at least 16 clock cycles for a 512-bit block).

The time needed to process the last block of a message (or of a key in HMAC) can be longer. This time depends on the length of the last block and the size of the key (in HMAC mode). Compared to the processing of an intermediate block, it can be increased by a factor of:

25.3.2 Data type

Data are entered into the hash processor 32 bits (word) at a time, by writing them into the HASH_DIN register. But the original bit-string can be organized in bytes, half-words or words, or even be represented as bits. As the system memory organization is little-endian and SHA1, SHA-224 and SHA-256 computation is big-endian, depending on the way the original bit string is grouped, a bit, byte, or half-word swapping operation is performed automatically by the hash processor.

The kind of data to be processed is configured with the DATATYPE bitfield in the HASH control register (HASH_CR).

Figure 235. Bit, byte and half-word swapping

A-In case of binary data hash, all bits should be swapped as below

Diagram A: Bit swapping operation. It shows a bit string organization in the Hash processor (Big-Endian) with bits 0, 1, 29, 30, 31. Above it, the HASH_DIN input shows bits 31, 30, 2, 1, 0. Arrows show the mapping: bit 0 to bit 31, bit 1 to bit 30, bit 29 to bit 2, bit 30 to bit 1, and bit 31 to bit 0. A note indicates padding with '1' and '0's is performed on the left side of the bit string. A dashed line separates this section from the next.

Bit swapping operation

DATATYPE =bx 11

HASH_DIN

bit 31 bit 30 ... bit 2 bit 1 bit 0

Bits entered with little-Endian format

bit string organization in Hash processor: Big-Endian

bit 0 bit 1 ... bit 29 bit 30 bit 31

"1" "0s"

padding is performed on this side of the bit string.

bit-string grows in this direction as defined by FIPSPUB 180-2 std.

Diagram A: Bit swapping operation. It shows a bit string organization in the Hash processor (Big-Endian) with bits 0, 1, 29, 30, 31. Above it, the HASH_DIN input shows bits 31, 30, 2, 1, 0. Arrows show the mapping: bit 0 to bit 31, bit 1 to bit 30, bit 29 to bit 2, bit 30 to bit 1, and bit 31 to bit 0. A note indicates padding with '1' and '0's is performed on the left side of the bit string. A dashed line separates this section from the next.

B-In case of byte data hash, all bytes should be swapped as below

Diagram B: Byte swapping operation. It shows a byte string organization in the Hash processor (Big-Endian) with bytes 0, 1, 2, 3. Above it, the HASH_DIN input shows bytes 3, 2, 1, 0. Arrows show the mapping: byte 0 to byte 3, byte 1 to byte 2, byte 2 to byte 1, and byte 3 to byte 0. A dashed line separates this section from the next.

Byte swapping operation

DATATYPE =bx 10

HASH_DIN

Byte 3 bits 7...0 Byte 2 bits 7...0 Byte 1 bits 7...0 Byte 0 bits 7...0

Bytes entered with little-Endian format

Bit string organization in Hash processor: Big-Endian

Byte 0 bits 7...0 Byte 1 bits 7...0 Byte 2 bits 7...0 Byte 3 bits 7...0

bit-string grows in this direction as defined by FIPSPUB 180-2 std.

Diagram B: Byte swapping operation. It shows a byte string organization in the Hash processor (Big-Endian) with bytes 0, 1, 2, 3. Above it, the HASH_DIN input shows bytes 3, 2, 1, 0. Arrows show the mapping: byte 0 to byte 3, byte 1 to byte 2, byte 2 to byte 1, and byte 3 to byte 0. A dashed line separates this section from the next.

C-In case of half-word hash, all half-word should be swapped as below

Diagram C: Half-word swapping operation. It shows a half-word string organization in the Hash processor (Big-Endian) with half-words 0, 1. Above it, the HASH_DIN input shows half-words 1, 0. Arrows show the mapping: half-word 0 to half-word 1, and half-word 1 to half-word 0. A dashed line separates this section from the next.

Half-word swapping operation

DATATYPE =bx 01

HASH_DIN

Half-word 1 bits 15...0 Half-word 0 bits 15...0

half word entered with little-Endian format

Bit string organization in Hash processor: Big-Endian

Half-word 0 bits 15...0 Half-word 1 bits 15...0

bit-string grows in this direction as defined by FIPS PUB 180-2 std.

Diagram C: Half-word swapping operation. It shows a half-word string organization in the Hash processor (Big-Endian) with half-words 0, 1. Above it, the HASH_DIN input shows half-words 1, 0. Arrows show the mapping: half-word 0 to half-word 1, and half-word 1 to half-word 0. A dashed line separates this section from the next.

ai16082b

The least significant bit of the message has to be at position 0 (right) in the first word entered into the hash processor, the 32nd bit of the bit string has to be at position 0 in the second word entered into the hash processor and so on.

25.3.3 Message digest computing

The HASH sequentially processes blocks of 512 bits when computing the message digest. Thus, each time \( 16 \times 32 \) -bit words ( \( = 512 \) bits) have been written by the DMA or the CPU, into the hash processor, the HASH automatically starts computing the message digest. This operation is known as a partial digest computation.

The message to be processed is entered into the peripheral by 32-bit words written into the HASH_DIN register. The current contents of the HASH_DIN register are transferred to the input FIFO (IN FIFO) each time the register is written with new data. HASH_DIN and the input FIFO form a FIFO of a 17-word length (named the IN buffer).

The processing of a block can start only once the last value of the block has entered the IN FIFO. The peripheral must get the information as to whether the HASH_DIN register contains the last bits of the message or not. Two cases may occur:

The contents of the HASH_DIN register are interpreted automatically with the information sent by the DMA controller.

This process —data entering + partial digest computation— continues until the last bits of the original message are written to the HASH_DIN register. As the length (number of bits) of a message can be any integer value, the last word written into the HASH processor may have a valid number of bits between 1 and 32. This number of valid bits in the last word, NBLW, has to be written into the HASH_STR register, so that message padding is correctly performed before the final message digest computation.

Once this is done, writing into HASH_STR with bit DCAL = 1 starts the processing of the last entered block of message by the hash processor. This processing consists in:

When the DMA is enabled, it provides the information to the hash processor when it is transferring the last data word. Then the padding and digest computation are performed automatically as if DCAL had been written to 1.

25.3.4 Message padding

Message padding consists in appending a “1” followed by m “0”s followed by a 64-bit integer to the end of the original message to produce a padded message block of length 512. The “1” is added to the last word written into the HASH_DIN register at the bit position defined by the NBLW bitfield, and the remaining upper bits are cleared (“0”s).

Example: let us assume that the original message is the ASCII binary-coded form of “abc”, of length L = 24:

byte 0      byte 1      byte 2      byte 3
01100001 01100010 01100011 UUUUUUUU
<-- 1st word written to HASH_DIN -->

NBLW has to be loaded with the value 24: a “1” is appended at bit location 24 in the bit string (starting counting from left to right in the above bit string), which corresponds to bit 31 in the HASH_DIN register (little-endian convention):

01100001 01100010 01100011 1UUUUUUU

Since L = 24, the number of bits in the above bit string is 25, and 423 “0”s are appended, making now 448. This gives (in hexadecimal, big-endian format):

61626380 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000

The L value, in two-word representation (that is 00000000 00000018) is appended. Hence the final padded message in hexadecimal:

61626380 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000028

If the HASH is programmed to use the little-endian byte input format, the above message has to be entered by doing the following steps:

  1. 1. 0xUU636261 is written into the HASH_DIN register (where ‘U’ means don’t care)
  2. 2. 0x18 is written into the HASH_STR register (the number of valid bits in the last word written into the HASH_DIN register is 24, as the original message length is 24 bits)
  3. 3. 0x10 is written into the HASH_STR register to start the message padding and digest computation. When NBLW ≠ 0x00, the message padding puts a “1” into the HASH_DIN register at the bit position defined by the NBLW value, and inserts “0”s at bit locations [31:(NBLW+1)]. When NBLW == 0x00, the message padding inserts one new word with

value 0x0000 0001. Then an all zero word (0x0000 0000) is added and the message length in a two-word representation, to get a block of 16 x 32-bit words.

  1. 4. The HASH computing is performed, and the message digest is then available in the HASH_Hx registers (x = 0...4) for the SHA-1 algorithm. For example:
H0 = 0xA9993E36
H1 = 0x4706816A
H2 = 0xBA3E2571
H3 = 0x7850C26C
H4 = 0x9CD0D89D

25.3.5 Hash operation

The hash function (SHA-1, SHA-224, SHA-256 and MD5) is selected when the INIT bit is written to '1' in the HASH_CR register while the MODE bit is at '0' in HASH_CR. The algorithm (SHA-1, SHA-224, SHA-256 or MD5) is selected at the same time (that is when the INIT bit is set) using the ALGO bits.

The message can then be sent by writing it word by word into the HASH_DIN register. When a block of 512 bits—that is 16 words—has been written, a partial digest computation starts upon writing the first data of the next block. The hash processor remains busy for 66 cycles for the SHA-1 algorithm, or 50 cycles for the MD5 algorithm, SHA-224 algorithm and SHA-256 algorithm.

The process can then be repeated until the last word of the message. If DMA transfers are used, refer to the Procedure where the data are loaded by DMA section. Otherwise, if the message length is not an exact multiple of 512 bits, then the HASH_STR register has to be written to launch the computation of the final digest.

Once computed, the digest can be read from the HASH_H0...HASH_H4 registers (for the MD5 algorithm, HASH_H4 is not relevant) on STM32F415/417xx, and from the HASH_H0...HASH_H7 registers on STM32F43xxx where:

HASH_H4..HASH_H7 are not relevant when the MD5 algorithm is selected,
HASH_H5.. HASH_H7 are not relevant when the SHA-1 algorithm is selected,
HASH_H7 is not relevant when the SHA-224 algorithm is selected.

25.3.6 HMAC operation

The HMAC algorithm is used for message authentication, by irreversibly binding the message being processed to a key chosen by the user. For HMAC specifications, refer to “HMAC: keyed-hashing for message authentication, H. Krawczyk, M. Bellare, R. Canetti, February 1997.

Basically, the algorithm consists of two nested hash operations:

\[ \text{HMAC}(\text{message}) = \text{Hash}[(\text{key} \mid \text{pad}) \text{ XOR } 0\text{x}5\text{C}) \mid \text{Hash}((\text{key} \mid \text{pad}) \text{ XOR } 0\text{x}36) \mid \text{message}] \]

where:

To compute the HMAC, four different phases are required:

  1. 1. The block is initialized by writing the INIT bit to '1' with the MODE bit at '1' and the ALGO bits set to the value corresponding to the desired algorithm. The LKEY bit must also be set during this phase if the key being used is longer than 64 bytes (in this case, the HMAC specifications specify that the hash of the key should be used in place of the real key).
  2. 2. The key (to be used for the inner hash function) is then given to the core. This operation follows the same mechanism as the one used to send the message in the hash operation (that is, by writing into HASH_DIN and, finally, into HASH_STR).
  3. 3. Once the last word has been entered and computation has started, the hash processor elaborates the key. It is then ready to accept the message text using the same mechanism as the one used to send the message in the hash operation.
  4. 4. After the first hash round, the hash processor returns "ready" to indicate that it is ready to receive the key to be used for the outer hash function (normally, this key is the same as the one used for the inner hash function). When the last word of the key is entered and computation starts, the HMAC result is made available in the HASH_H0...HASH_H4 registers on STM32F415/417xx and on HASH_H0...HASH_H7 registers on STM32F43xxx.

Note: 1 The computation latency of the HMAC primitive depends on the lengths of the keys and message. You could the HMAC as two nested underlying hash functions with the same key length (long or short).

25.3.7 Context swapping

It is possible to interrupt a hash/HMAC process to perform another processing with a higher priority, and to complete the interrupted process later on, when the higher-priority task is complete. To do so, the context of the interrupted task must be saved from the hash registers to memory, and then be restored from memory to the hash registers.

The procedures where the data flow is controlled by software or by DMA are described below.

Procedure where the data are loaded by software

The context can be saved only when no block is currently being processed. That is, you must wait for DINIS = 1 (the last block has been processed and the input FIFO is empty) or NBW ≠ 0 (the FIFO is not full and no processing is ongoing).

Store the contents of the following registers into memory:

The context can be restored when the high-priority task is complete. Please follow the order of the sequence below.

  1. Write the following registers with the values saved in memory: HASH_IMR, HASH_STR and HASH_CR
  2. Initialize the hash processor by setting the INIT bit in the HASH_CR register
  3. Write the HASH_CSR0 to HASH_CSR50 (STM32F415/417xx), and HASH_CSR0 to HASH_CSR53 (STM32F43xxx) registers with the values saved in memory

You can now restart the processing from the point where it has been interrupted.

Procedure where the data are loaded by DMA

In this case it is not possible to predict if a DMA transfer is in progress or if the process is ongoing. Thus, you must stop the DMA transfers, then wait until the HASH is ready in order to interrupt the processing of a message.

Reconfigure the DMA controller so that it transfers the end of the message. You can now restart the processing from the point where it was interrupted by setting the DMAE bit.

Note: If context swapping does not involve HMAC operations, the HASH_CSR38 to HASH_CSR50 (STM32F415/417xx) and HASH_CSR38 to HASH_CSR53 (STM32F43xxx) registers do not have to be saved and restored.

If context swapping occurs between two blocks (the last block was completely processed and the next block has not yet been pushed into the IN FIFO, NBW = 000 in the HASH_CR register), the HASH_CSR22 to HASH_CSR37 registers do not have to be saved and restored.

25.3.8 HASH interrupt

There are two individual maskable interrupt sources generated by the HASH processor. They are connected to the same interrupt vector.

You can enable or disable the interrupt sources individually by changing the mask bits in the HASH_IMR register. Setting the appropriate mask bit to 1 enables the interrupt.

The status of the individual interrupt sources can be read from the HASH_SR register.

Figure 236. HASH interrupt mapping diagram

Figure 236. HASH interrupt mapping diagram. The diagram shows two AND gates. The top AND gate has inputs DCIS and DCIM. The bottom AND gate has inputs DINIS and DINIM. The outputs of both AND gates are connected to an OR gate. The output of the OR gate is labeled 'HASH interrupt to NVIC'. The diagram is labeled 'ai16086' in the bottom right corner.
Figure 236. HASH interrupt mapping diagram. The diagram shows two AND gates. The top AND gate has inputs DCIS and DCIM. The bottom AND gate has inputs DINIS and DINIM. The outputs of both AND gates are connected to an OR gate. The output of the OR gate is labeled 'HASH interrupt to NVIC'. The diagram is labeled 'ai16086' in the bottom right corner.

25.4 HASH registers

The HASH core is associated with several control and status registers and five message digest registers.

All these registers are accessible through word accesses only, else an AHB error is generated.

25.4.1 HASH control register (HASH_CR) for STM32F415/417xx

Address offset: 0x00

Reset value: 0x0000 0000

31302928272625242322212019181716
ReservedLKEY
rw
1514131211109876543210
ReservedDINNENBWALGO[0]MODEDATATYPEDMAEINITReserved
rrrwrwrwrww

Bits 31:17 Reserved, forced by hardware to 0.

Bit 16 LKEY : Long key selection

This bit selects between short key ( \( \leq 64 \) bytes) or long key ( \( > 64 \) bytes) in HMAC mode

0: Short key ( \( \leq 64 \) bytes)

1: Long key ( \( > 64 \) bytes)

Note: This selection is only taken into account when the INIT bit is set and MODE = 1. Changing this bit during a computation has no effect.

Bits 15:13 Reserved, forced by hardware to 0.

Bit 12 DINNE : DIN not empty

This bit is set when the HASH_DIN register holds valid data (that is after being written at least once). It is cleared when either the INIT bit (initialization) or the DCAL bit (completion of the previous message processing) is written to 1.

0: No data are present in the data input buffer

1: The input buffer contains at least one word of data

Bits 11:8 NBW : Number of words already pushed

This bitfield reflects the number of words in the message that have already been pushed into the IN FIFO.

NBW increments (+1) when a write access is performed to the HASH_DIN register while DINNE = 1.

It goes to 0000 when the INIT bit is written to 1 or when a digest calculation starts (DCAL written to 1 or DMA end of transfer).

" If the DMA is not used:

0000 and DINNE=0: no word has been pushed into the DIN buffer (the buffer is empty, both the HASH_DIN register and the IN FIFO are empty)

0000 and DINNE=1: 1 word has been pushed into the DIN buffer (The HASH_DIN register contains 1 word, the IN FIFO is empty)

0001: 2 words have been pushed into the DIN buffer (the HASH_DIN register and the IN FIFO contain 1 word each)

...

1111: 16 words have been pushed into the DIN buffer

" If the DMA is used, NBW is the exact number of words that have been pushed into the IN FIFO.

Bit 7 ALGO[1:0] : Algorithm selection

These bits select the SHA-1 or the MD5 algorithm:

0: SHA-1 algorithm selected

1: MD5 algorithm selected

Note: This selection is only taken into account when the INIT bit is set. Changing this bit during a computation has no effect.

Bit 6 MODE : Mode selection

This bit selects the HASH or HMAC mode for the selected algorithm:

0: Hash mode selected

1: HMAC mode selected. LKEY must be set if the key being used is longer than 64 bytes.

Note: This selection is only taken into account when the INIT bit is set. Changing this bit during a computation has no effect.

Bits 5:4 DATATYPE : Data type selection

Defines the format of the data entered into the HASH_DIN register:

00: 32-bit data. The data written into HASH_DIN are directly used by the HASH processing, without reordering.

01: 16-bit data, or half-word. The data written into HASH_DIN are considered as 2 half-words, and are swapped before being used by the HASH processing.

10: 8-bit data, or bytes. The data written into HASH_DIN are considered as 4 bytes, and are swapped before being used by the HASH processing.

11: bit data, or bit-string. The data written into HASH_DIN are considered as 32 bits (1st bit of the string at position 0), and are swapped before being used by the HASH processing (1st bit of the string at position 31).

Bit 3 DMAE: DMA enable

0: DMA transfers disabled

1: DMA transfers enabled. A DMA request is sent as soon as the HASH core is ready to receive data.

Note: 1: This bit is cleared by hardware when the DMA asserts the DMA terminal count signal (while transferring the last data of the message). This bit is not cleared when the INIT bit is written to 1.

2: If this bit is written to 0 while a DMA transfer has already been requested to the DMA, DMAE is cleared but the current transfer is not aborted. Instead, the DMA interface remains internally enabled until the transfer is complete or INIT is written to 1.

Bit 2 INIT: Initialize message digest calculation

Writing this bit to 1 resets the hash processor core, so that the HASH is ready to compute the message digest of a new message.

Writing this bit to 0 has no effect.

Reading this bit always return 0.

Bits 1:0 Reserved, must be kept cleared.

25.4.2 HASH control register (HASH_CR) for STM32F43xxx

Address offset: 0x00

Reset value: 0x0000 0000

31302928272625242322212019181716
ReservedALGO[1]ReservedLKEY
rwrw
1514131211109876543210
ReservedMDMATDINNENBWALGO[0]MODEDATATYPEDMAEINITReserved
rwrrrrrrwrwrwrwrww

Bits 31:19 Reserved, forced by hardware to 0.

Bit 17 Reserved, forced by hardware to 0.

Bit 16 LKEY : Long key selection

This bit selects between short key ( \( \leq 64 \) bytes) or long key ( \( > 64 \) bytes) in HMAC mode

Note: This selection is only taken into account when the INIT bit is set and MODE = 1. Changing this bit during a computation has no effect.

Bits 15:14 Reserved, forced by hardware to 0.

Bit 13 MDMAT : Multiple DMA Transfers

This bit is set when hashing large files when multiple DMA transfers are needed.

Bit 12 DINNE : DIN not empty

This bit is set when the HASH_DIN register holds valid data (that is after being written at least once). It is cleared when either the INIT bit (initialization) or the DCAL bit (completion of the previous message processing) is written to 1.

Bits 11:8 NBW : Number of words already pushed

This bitfield reflects the number of words in the message that have already been pushed into the IN FIFO.

NBW increments (+1) when a write access is performed to the HASH_DIN register while DINNE = 1.

It goes to 0000 when the INIT bit is written to 1 or when a digest calculation starts (DCAL written to 1 or DMA end of transfer).

” If the DMA is not used:

0000 and DINNE=0: no word has been pushed into the DIN buffer (the buffer is empty, both the HASH_DIN register and the IN FIFO are empty)

0000 and DINNE=1: 1 word has been pushed into the DIN buffer (The HASH_DIN register contains 1 word, the IN FIFO is empty)

0001: 2 words have been pushed into the DIN buffer (the HASH_DIN register and the IN FIFO contain 1 word each)

...

1111: 16 words have been pushed into the DIN buffer

” If the DMA is used, NBW is the exact number of words that have been pushed into the IN FIFO.

Bit 18 and bit 7 ALGO[1:0] : Algorithm selection

These bits selects the SHA-1, SHA-224, SHA256 or the MD5 algorithm:

00: SHA-1 algorithm selected

01: MD5 algorithm selected

10: SHA224 algorithm selected

11: SHA256 algorithm selected

Note: This selection is only taken into account when the INIT bit is set. Changing this bit during a computation has no effect.

Bit 6 MODE : Mode selection

This bit selects the HASH or HMAC mode for the selected algorithm:

0: Hash mode selected

1: HMAC mode selected. LKEY must be set if the key being used is longer than 64 bytes.

Note: This selection is only taken into account when the INIT bit is set. Changing this bit during a computation has no effect.

Bits 5:4 DATATYPE : Data type selection

Defines the format of the data entered into the HASH_DIN register:

00: 32-bit data. The data written into HASH_DIN are directly used by the HASH processing, without reordering.

01: 16-bit data, or half-word. The data written into HASH_DIN are considered as 2 half-words, and are swapped before being used by the HASH processing.

10: 8-bit data, or bytes. The data written into HASH_DIN are considered as 4 bytes, and are swapped before being used by the HASH processing.

11: bit data, or bit-string. The data written into HASH_DIN are considered as 32 bits (1st bit of the string at position 0), and are swapped before being used by the HASH processing (1st bit of the string at position 31).

Bit 3 DMAE : DMA enable

0: DMA transfers disabled

1: DMA transfers enabled. A DMA request is sent as soon as the HASH core is ready to receive data.

Note: 1: This bit is cleared by hardware when the DMA asserts the DMA terminal count signal (while transferring the last data of the message). This bit is not cleared when the INIT bit is written to 1.

2: If this bit is written to 0 while a DMA transfer has already been requested to the DMA, DMAE is cleared but the current transfer is not aborted. Instead, the DMA interface remains internally enabled until the transfer is complete or INIT is written to 1.

Bit 2 INIT : Initialize message digest calculation

Writing this bit to 1 resets the hash processor core, so that the HASH is ready to compute the message digest of a new message.

Writing this bit to 0 has no effect.

Reading this bit always return 0.

Bits 1:0 Reserved, must be kept cleared.

25.4.3 HASH data input register (HASH_DIN)

Address offset: 0x04

Reset value: 0x0000 0000

HASH_DIN is the data input register. It is 32-bit wide. It is used to enter the message by blocks of 512 bits. When the HASH_DIN register is written to, the value presented on the AHB databus is 'pushed' into the HASH core and the register takes the new value presented on the AHB databus. The DATATYPE bits must previously have been configured in the HASH_CR register to get a correct message representation.

When a block of 16 words has been written to the HASH_DIN register, an intermediate digest calculation is launched:

When the last block has been written to the HASH_DIN register, the final digest calculation (including padding) is launched:

When a digest calculation (intermediate or final) is in progress, any new write access to the HASH_DIN register is extended (by wait-state insertion on the AHB bus) until the HASH calculation completes.

When the HASH_DIN register is read, the last word written in this location is accessed (zero after reset).

31302928272625242322212019181716
DATAIN
rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
1514131211109876543210
DATAIN
rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw

Bits 31:0 DATAIN : Data input

Read = returns the current register content.

Write = the current register content is pushed into the IN FIFO, and the register takes the new value presented on the AHB databus.

25.4.4 HASH start register (HASH_STR)

Address offset: 0x08

Reset value: 0x0000 0000

The HASH_STR register has two functions:

31302928272625242322212019181716
Reserved
1514131211109876543210
ReservedDCALReservedNBLW
wrwrwrwrwrw

Bits 31:9 Reserved, forced by hardware to 0.

Bit 8 DCAL : Digest calculation

Writing this bit to 1 starts the message padding, using the previously written value of NBLW, and starts the calculation of the final message digest with all data words written to the IN FIFO since the INIT bit was last written to 1.

Reading this bit returns 0.

Note

Bits 7:5 Reserved, forced by hardware to 0.

Bits 4:0 NBLW : Number of valid bits in the last word of the message in the bit string organization of hash processor

When these bits are written and DCAL is at '0', they take the value on the AHB databus:

0x00: All 32 bits of the last data written in the bit string organization of hash processor (after data swapping) are valid.

0x01: Only bit [31] of the last data written in the bit string organization of hash processor (after data swapping) are valid

0x02: Only bits [31:30] of the last data written in the bit string organization of hash processor (after data swapping) are valid

0x03: Only bits [31:29] of the last data written in the bit string organization of hash processor (after data swapping) are valid

...

0x1F: Only bits [0] of the last data written in the bit string organization of hash processor (after data swapping) are valid

When these bits are written and DCAL is at '1', the bitfield is not changed.

Reading them returns the last value written to NBLW.

Note: These bits must be configured before setting the DCAL bit, else they are not taken into account. Especially, it is not possible to configure NBLW and set DCAL at the same time.

25.4.5 HASH digest registers (HASH_HR0..4/5/6/7)

Address offset: 0x0C to 0x1C (STM32F415/417xx), plus 0x310 to 0x32C (STM32F43xxx)

Reset value: 0x0000 0000

These registers contain the message digest result named as:

  1. 1. H0, H1, H2, H3 and H4, respectively, in the SHA1 algorithm description
    Note that in this case, the HASH_H5 to HASH_H7 register is not used, and is read as zero.
  2. 2. A, B, C and D, respectively, in the MD5 algorithm description
    Note that in this case, the HASH_H4 to HASH_H7 register is not used, and is read as zero.
  3. 3. H0 to H6, respectively, in the SHA224 algorithm description,
    Note that in this case, the HASH_H7 register is not used, and is read as zero.
  4. 4. H0 to H7, respectively, in the SHA256 algorithm description,

If a read access to one of these registers occurs while the HASH core is calculating an intermediate digest or a final message digest (that is when the DCAL bit has been written to 1), then the read is stalled until the completion of the HASH calculation.

Note: H0, H1, H2, H3 and H4 mapping are duplicated in two regions.

HASH_HR0

Address offset: 0x0C and 0x310

31302928272625242322212019181716
H0
rrrrrrrrrrrrrrrr
1514131211109876543210
H0
rrrrrrrrrrrrrrrr

HASH_HR1

Address offset: 0x10 and 0x314

31302928272625242322212019181716
H1
rrrrrrrrrrrrrrrr
1514131211109876543210
H1
rrrrrrrrrrrrrrrr

HASH_HR2

Address offset: 0x14 and 0x318

31302928272625242322212019181716
H2
rrrrrrrrrrrrrrrr
1514131211109876543210
H2
rrrrrrrrrrrrrrrr

HASH_HR3

Address offset: 0x18 and 0x31C

31302928272625242322212019181716
H3
rrrrrrrrrrrrrrrr
1514131211109876543210
H3
rrrrrrrrrrrrrrrr

HASH_HR4

Address offset: 0x1C and 0x320

31302928272625242322212019181716
H4
rrrrrrrrrrrrrrrr
1514131211109876543210
H4
rrrrrrrrrrrrrrrr

HASH_HR5

Address offset: 0x324

31302928272625242322212019181716
H5
rrrrrrrrrrrrrrrr
1514131211109876543210
H5
rrrrrrrrrrrrrrrr

HASH_HR6

Address offset: 0x328

31302928272625242322212019181716
H6
rrrrrrrrrrrrrrrr
1514131211109876543210
H6
rrrrrrrrrrrrrrrr

HASH_HR7

Address offset: 0x32C

31302928272625242322212019181716
H7
rrrrrrrrrrrrrrrr
1514131211109876543210
H7
rrrrrrrrrrrrrrrr

Note: When starting a digest computation for a new bit stream (by writing the INIT bit to 1), these registers assume their reset values.

25.4.6 HASH interrupt enable register (HASH_IMR)

Address offset: 0x20

Reset value: 0x0000 0000

31302928272625242322212019181716
Reserved
1514131211109876543210
ReservedDCIEDINIE
nwnw

Bits 31:2 Reserved, forced by hardware to 0.

Bit 1 DCIE : Digest calculation completion interrupt enable

0: Digest calculation completion interrupt disabled

1: Digest calculation completion interrupt enabled.

Bit 0 DINIE : Data input interrupt enable

0: Data input interrupt disabled

1: Data input interrupt enabled

25.4.7 HASH status register (HASH_SR)

Address offset: 0x24

Reset value: 0x0000 0001

31302928272625242322212019181716
Reserved
1514131211109876543210
ReservedBUSYDMASDCISDINIS
rrrc_w0rc_w0

Bits 31:4 Reserved, forced by hardware to 0.

Bit 3 BUSY : Busy bit

0: No block is currently being processed

1: The hash core is processing a block of data

Bit 2 DMAS : DMA Status

This bit provides information on the DMA interface activity. It is set with DMAE and cleared when DMAE=0 and no DMA transfer is ongoing. No interrupt is associated with this bit.

0: DMA interface is disabled (DMAE=0) and no transfer is ongoing

1: DMA interface is enabled (DMAE=1) or a transfer is ongoing

Bit 1 DCIS : Digest calculation completion interrupt status

This bit is set by hardware when a digest becomes ready (the whole message has been processed). It is cleared by writing it to 0 or by writing the INIT bit to 1 in the HASH_CR register.

0: No digest available in the HASH_Hx registers

1: Digest calculation complete, a digest is available in the HASH_Hx registers. An interrupt is generated if the DCIE bit is set in the HASH_IMR register.

Bit 0 DINIS : Data input interrupt status

This bit is set by hardware when the input buffer is ready to get a new block (16 locations are free). It is cleared by writing it to 0 or by writing the HASH_DIN register.

0: Less than 16 locations are free in the input buffer

1: A new block can be entered into the input buffer. An interrupt is generated if the DINIE bit is set in the HASH_IMR register.

25.4.8 HASH context swap registers (HASH_CSRx)

Address offset: 0x0F8 to 0x1C0

Additional registers are available from 0x1C1 to 0x1CC on STM32F43xxx:

These registers contain the complete internal register states of the hash processor, and are useful when a context swap has to be done because a high-priority task has to use the hash processor while it is already in use by another task.

When such an event occurs, the HASH_CSRx registers have to be read and the read values have to be saved somewhere in the system memory space. Then the hash processor can be used by the preemptive task, and when hash computation is finished, the saved context can be read from memory and written back into these HASH_CSRx registers.

HASH_CSRx

Address offset: 0x0F8 to 0x1C0 on STM32F415/417xx

Address offset: 0x0F8 to 0x1CC on STM32F43xxx

31302928272625242322212019181716
CSx
rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw
1514131211109876543210
CSx
rwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrw

25.4.9 HASH register map

Table 9 gives the summary HASH register map and reset values.

Table 118. HASH register map and reset values on STM32F415/417xx

OffsetRegister name
reset value		Register size
313029282726252423222120191817161514131211109876543210
0x00HASH_CRReservedLKEYReservedDINNENBWALGO[0]MODEDATATYPEDMAEINITReserved
Reset value00000000000
0x04HASH_DINDATAIN
Reset value00000000000000000000000000000000
0x08HASH_STRReservedDCALReservedNBLW
Reset value000000
0x0CHASH_HR0H0
Reset value00000000000000000000000000000000
0x10HASH_HR1H1
Reset value00000000000000000000000000000000
0x14HASH_HR2H2
Reset value00000000000000000000000000000000
0x18HASH_HR3H3
Reset value00000000000000000000000000000000
0x1CHASH_HR4H4
Reset value00000000000000000000000000000000
0x20HASH_IMRReservedDCIEDINIE
Reset value00000000000000000000000000000000
0x24HASH_SRReservedBUSYDMASDCISDINIS
Reset value0001
0xF8HASH_CSR0CSR0
Reset value00000000000000000000000000000010
...
...
0x1C0HASH_CSR50CSR50
Reset value00000000000000000000000000000000
Reserved
0x310HASH_HR0H0
Reset value00000000000000000000000000000000
0x314HASH_HR1H1
Reset value00000000000000000000000000000000

Table 118. HASH register map and reset values on STM32F415/417xx (continued)

OffsetRegister name
reset value		Register size
313029282726252423222120191817161514131211109876543210
0x318HASH_HR2H2
Reset value00000000000000000000000000000000
0x31CHASH_HR3H3
Reset value00000000000000000000000000000000
0x320HASH_HR4H4
Reset value00000000000000000000000000000000

Table 119. HASH register map and reset values on STM32F43xxx

OffsetRegister name
reset value		Register size
313029282726252423222120191817161514131211109876543210
0x00HASH_CRReservedALGO[1]ReservedLKEYReservedMDMATDINNENBWALGO[0]MODEDATATYPEDMAEINITReserved
Reset value000000000000000
0x04HASH_DINDATAIN
Reset value00000000000000000000000000000000
0x08HASH_STRReservedDCALReservedNBLW
Reset value000000
0x0CHASH_HR0H0
Reset value00000000000000000000000000000000
0x10HASH_HR1H1
Reset value00000000000000000000000000000000
0x14HASH_HR2H2
Reset value00000000000000000000000000000000
0x18HASH_HR3H3
Reset value00000000000000000000000000000000
0x1CHASH_HR4H4
Reset value00000000000000000000000000000000
0x20HASH_IMRReservedDCIEDINIE
Reset value0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 000
0x24HASH_SRReservedBUSYDMASDCISDINIS
Reset value0001

Table 119. HASH register map and reset values on STM32F43xxx (continued)

OffsetRegister name
reset value		Register size
313029282726252423222120191817161514131211109876543210
0xF8HASH_CSR0CSR0
Reset value00000000000000000000000000000010
...
...
0x1CCHASH_CSR53CSR53
Reset value00000000000000000000000000000000
Reserved
0x310HASH_HR0H0
Reset value00000000000000000000000000000000
0x314HASH_HR1H1
Reset value00000000000000000000000000000000
0x318HASH_HR2H2
Reset value00000000000000000000000000000000
0x31CHASH_HR3H3
Reset value00000000000000000000000000000000
0x320HASH_HR4H4
Reset value00000000000000000000000000000000
0x324HASH_HR5H5
Reset value00000000000000000000000000000000
0x328HASH_HR6H6
Reset value00000000000000000000000000000000
0x32CHASH_HR7H7
Reset value00000000000000000000000000000000