Use hardware-accelerated SHA-256 in STM32U5

[andrewkozlik]

The STM32U5 implements a hardware-accelerated version of SHA-256 and HMAC-SHA256, however not SHA-512. See Chapter 51 "Hash processor" in RM0456. They claim 66 clock cycles for processing one 512-bit block of data using SHA-256. I estimate this could be tens of times faster than our software implementation. It would probably give us a huge boost in speed for:

• SLIP-39 passphrase derivation (PBKDF2-HMAC-SHA256)
  • We should consider increasing the default iteration exponent.
• Bitcoin signing (SHA-256)
• Unlocking storage (PBKDF2-HMAC-SHA256)
  • We will need to update the progress calculation.

[TychoVrahe]

Note that we are already using this for firmware/bootloader integrity checks (without the HMAC). The speed-up was indeed as advertised. So this is more an issues of intergration into trezor-crypto rather than using the hash processor.

[TychoVrahe]

Before we integrate this everywhere, we need to solve context switching - possibly by means of functions HAL_HASH_ContextSaving and HAL_HASH_ContextRestoring. For now, every hash computation needs to call init, update, final and not be interrupted, otherwise it will not work properly. Also currently if final is not called at all but other hash computation starts, it will also result in incorrect hash.