drivers: crypto: Add initial support for rpi_pico sha256 accelerator

boards/raspberrypi/rpi_pico2/rpi_pico2_rp2350a_m33.yaml

@@ -11,6 +11,7 @@ supported:
   - adc
   - clock
   - counter
+  - crypto
   - dma
   - gpio
   - hwinfo

drivers/crypto/CMakeLists.txt

@@ -1,20 +1,25 @@
 # SPDX-License-Identifier: Apache-2.0
 
 zephyr_library()
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_ATAES132A		crypto_ataes132a.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_MBEDTLS_SHIM		crypto_mtls_shim.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_STM32			crypto_stm32.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_STM32_HASH		crypto_stm32_hash.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_SMARTBOND        crypto_smartbond.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_NRF_ECB		crypto_nrf_ecb.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_INTEL_SHA		crypto_intel_sha.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_NPCX_SHA		crypto_npcx_sha.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_MCHP_XEC_SYMCR	crypto_mchp_xec_symcr.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT51XXX_SHA		crypto_it51xxx_sha.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT8XXX2_SHA		crypto_it8xxx2_sha.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT8XXX2_SHA_V2	crypto_it8xxx2_sha_v2.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_MCUX_DCP		crypto_mcux_dcp.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_SI32 		crypto_si32.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_CC23X0		crypto_cc23x0.c)
-zephyr_library_sources_ifdef(CONFIG_CRYPTO_RTS5912_SHA		crypto_rts5912_sha.c)
+
+# zephyr-keep-sorted-start
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_ATAES132A            crypto_ataes132a.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_CC23X0               crypto_cc23x0.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_INTEL_SHA            crypto_intel_sha.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT51XXX_SHA          crypto_it51xxx_sha.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT8XXX2_SHA          crypto_it8xxx2_sha.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_IT8XXX2_SHA_V2       crypto_it8xxx2_sha_v2.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_MBEDTLS_SHIM         crypto_mtls_shim.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_MCHP_XEC_SYMCR       crypto_mchp_xec_symcr.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_MCUX_DCP             crypto_mcux_dcp.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_NPCX_SHA             crypto_npcx_sha.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_NRF_ECB              crypto_nrf_ecb.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_RPI_PICO_SHA256      crypto_rpi_pico_sha256.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_RTS5912_SHA          crypto_rts5912_sha.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_SI32                 crypto_si32.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_SMARTBOND            crypto_smartbond.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_STM32                crypto_stm32.c)
+zephyr_library_sources_ifdef(CONFIG_CRYPTO_STM32_HASH           crypto_stm32_hash.c)
+# zephyr-keep-sorted-stop
+
 zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)

drivers/crypto/Kconfig

@@ -47,18 +47,21 @@ config CRYPTO_MBEDTLS_SHIM_MAX_SESSION
 	  This can be used to tweak the amount of sessions the driver
 	  can handle in parallel.
 
+# zephyr-keep-sorted-start
 source "drivers/crypto/Kconfig.ataes132a"
-source "drivers/crypto/Kconfig.stm32"
-source "drivers/crypto/Kconfig.nrf_ecb"
+source "drivers/crypto/Kconfig.cc23x0"
 source "drivers/crypto/Kconfig.intel"
-source "drivers/crypto/Kconfig.npcx"
-source "drivers/crypto/Kconfig.xec"
 source "drivers/crypto/Kconfig.it51xxx"
 source "drivers/crypto/Kconfig.it8xxx2"
 source "drivers/crypto/Kconfig.mcux_dcp"
+source "drivers/crypto/Kconfig.npcx"
+source "drivers/crypto/Kconfig.nrf_ecb"
+source "drivers/crypto/Kconfig.rpi_pico"
+source "drivers/crypto/Kconfig.rts5912"
 source "drivers/crypto/Kconfig.si32"
 source "drivers/crypto/Kconfig.smartbond"
-source "drivers/crypto/Kconfig.cc23x0"
-source "drivers/crypto/Kconfig.rts5912"
+source "drivers/crypto/Kconfig.stm32"
+source "drivers/crypto/Kconfig.xec"
+# zephyr-keep-sorted-stop
 
 endif # CRYPTO

drivers/crypto/Kconfig.rpi_pico

@@ -0,0 +1,10 @@
+# Copyright (c) 2025 TOKITA Hiroshi
+# SPDX-License-Identifier: Apache-2.0
+
+config CRYPTO_RPI_PICO_SHA256
+	bool "Raspberry Pi RP2 series SHA256 Accelerator"
+	default y
+	depends on DT_HAS_RASPBERRYPI_PICO_SHA256_ENABLED
+	select PICOSDK_USE_SHA256
+	help
+	  Enable driver for RP2 series SHA256 accelerator

drivers/crypto/crypto_rpi_pico_sha256.c

@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2025 TOKITA Hiroshi
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#define DT_DRV_COMPAT raspberrypi_pico_sha256
+
+#include <zephyr/crypto/crypto.h>
+#include <zephyr/kernel.h>
+#include <zephyr/sys/util_macro.h>
+#include <zephyr/sys/byteorder.h>
+
+#include <pico/bootrom/lock.h>
+#include <pico/sha256.h>
+
+#include <zephyr/logging/log.h>
+LOG_MODULE_REGISTER(crypto_rpi_pico_sha256, CONFIG_CRYPTO_LOG_LEVEL);
+
+struct crypto_rpi_pico_sha256_data {
+	pico_sha256_state_t state;
+	struct k_spinlock lock;
+};
+
+static int crypto_rpi_pico_sha256_hash_handler(struct hash_ctx *ctx, struct hash_pkt *pkt,
+					       bool finish)
+{
+	struct crypto_rpi_pico_sha256_data *data = ctx->device->data;
+
+	if (!data->state.locked) {
+		LOG_ERR("Invalid lock status: unlocked");
+		return -EINVAL;
+	}
+
+	data->state.cache_used = 0;
+	data->state.cache.word = 0;
+	data->state.total_data_size = 0;
+
+	sha256_err_not_ready_clear();
+	sha256_set_bswap(true);
+	sha256_start();
+
+	pico_sha256_update(&data->state, pkt->in_buf, pkt->in_len);
+
+	if (!finish) {
+		LOG_ERR("Multipart hashing not supported yet");
+		return -ENOTSUP;
+	}
+
+	pico_sha256_write_padding(&data->state);
+	sha256_wait_valid_blocking();
+
+	for (uint i = 0; i < 8; i++) {
+		((uint32_t *)pkt->out_buf)[i] = BSWAP_32((uint32_t)sha256_hw->sum[i]);
+	}
+
+	return 0;
+}
+
+static int crypto_rpi_pico_sha256_query_hw_caps(const struct device *dev)
+{
+	return CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS;
+}
+
+static int crypto_rpi_pico_sha256_hash_begin_session(const struct device *dev, struct hash_ctx *ctx,
+						     enum hash_algo algo)
+{
+	struct crypto_rpi_pico_sha256_data *data = dev->data;
+	k_spinlock_key_t key;
+	int ret;
+
+	if (data->state.locked) {
+		LOG_ERR("Invalid lock status: locked");
+		return -EINVAL;
+	}
+
+	if (algo != CRYPTO_HASH_ALGO_SHA256) {
+		LOG_ERR("Unsupported algo: %d", algo);
+		return -EINVAL;
+	}
+
+	if (ctx->flags & ~(crypto_rpi_pico_sha256_query_hw_caps(dev))) {
+		LOG_ERR("Unsupported flag %x", ctx->flags);
+		return -EINVAL;
+	}
+
+	key = k_spin_lock(&data->lock);
+
+	ret = bootrom_try_acquire_lock(BOOTROM_LOCK_SHA_256);
+	if (!ret) {
+		LOG_ERR("bootrom_try_acquire_lock failed");
+		k_spin_unlock(&data->lock, key);
+		return -EBUSY;
+	}
+
+	data->state.locked = true;
+
+	k_spin_unlock(&data->lock, key);
+
+	ctx->hash_hndlr = crypto_rpi_pico_sha256_hash_handler;
+
+	return 0;
+}
+
+static int crypto_rpi_pico_sha256_hash_session_free(const struct device *dev, struct hash_ctx *ctx)
+{
+	struct crypto_rpi_pico_sha256_data *data = dev->data;
+	k_spinlock_key_t key;
+
+	if (!data->state.locked) {
+		LOG_ERR("Invalid lock status: unlocked");
+		return -EINVAL;
+	}
+
+	key = k_spin_lock(&data->lock);
+	bootrom_release_lock(BOOTROM_LOCK_SHA_256);
+	data->state.locked = false;
+	k_spin_unlock(&data->lock, key);
+
+	return 0;
+}
+
+static DEVICE_API(crypto, crypto_rpi_pico_sha256_crypto_api) = {
+	.query_hw_caps = crypto_rpi_pico_sha256_query_hw_caps,
+	.hash_begin_session = crypto_rpi_pico_sha256_hash_begin_session,
+	.hash_free_session = crypto_rpi_pico_sha256_hash_session_free,
+};
+
+#define CRYPTO_RPI_PICO_SHA256_INIT(idx)                                                           \
+	static struct crypto_rpi_pico_sha256_data crypto_rpi_pico_sha256_##idx##_data;             \
+	DEVICE_DT_INST_DEFINE(idx, NULL, NULL, &crypto_rpi_pico_sha256_##idx##_data, NULL,         \
+			      POST_KERNEL, CONFIG_CRYPTO_INIT_PRIORITY,                            \
+			      &crypto_rpi_pico_sha256_crypto_api);
+
+DT_INST_FOREACH_STATUS_OKAY(CRYPTO_RPI_PICO_SHA256_INIT)

dts/bindings/crypto/raspberrypi,pico-sha256.yaml

@@ -0,0 +1,8 @@
+# Copyright (c) 2025 TOKITA Hiroshi
+# SPDX-License-Identifier: Apache-2.0
+
+description: RaspberryPi Pico SHA256 accelerator
+
+compatible: "raspberrypi,pico-sha256"
+
+include: base.yaml

dts/vendor/raspberrypi/rpi_pico/rp2350.dtsi

@@ -395,6 +395,12 @@
 			status = "disabled";
 		};
 
+		sha256: sha256@400f8000 {
+			compatible = "raspberrypi,pico-sha256";
+			reg = <0x400f8000 0x200>;
+			status = "disabled";
+		};
+
 		dma: dma@50000000 {
 			compatible = "raspberrypi,pico-dma";
 			reg = <0x50000000 DT_SIZE_K(64)>;

modules/hal_rpi_pico/CMakeLists.txt

@@ -82,8 +82,10 @@ if(CONFIG_HAS_RPI_PICO)
     ${rp2_common_dir}/hardware_boot_lock/include
     ${rp2_common_dir}/hardware_ticks/include
     ${rp2_common_dir}/hardware_sync_spin_lock/include
+    ${rp2_common_dir}/hardware_rcp/include
     ${rp2_common_dir}/pico_bootrom/include
     ${rp2_common_dir}/pico_flash/include
+    ${rp2_common_dir}/pico_platform_common/include
     ${rp2_common_dir}/pico_platform_compiler/include
     ${rp2_common_dir}/pico_platform_sections/include
     ${rp2_common_dir}/pico_platform_panic/include
@@ -155,6 +157,12 @@ if(CONFIG_HAS_RPI_PICO)
   zephyr_include_directories_ifdef(CONFIG_PICOSDK_USE_CLAIM
           ${common_dir}/hardware_claim/include)
 
+  zephyr_library_sources_ifdef(CONFIG_PICOSDK_USE_SHA256
+          ${rp2_common_dir}/pico_sha256/sha256.c)
+  zephyr_include_directories_ifdef(CONFIG_PICOSDK_USE_SHA256
+          ${rp2_common_dir}/hardware_sha256/include
+          ${rp2_common_dir}/pico_sha256/include)
+
   zephyr_include_directories_ifdef(CONFIG_RISCV
           ${common_dir}/pico_sync/include
           ${common_dir}/pico_time/include

modules/hal_rpi_pico/Kconfig

@@ -54,3 +54,8 @@ config PICOSDK_USE_RTC
 	bool
 	help
 	  Use the RTC driver from pico-sdk
+
+config PICOSDK_USE_SHA256
+	bool
+	help
+	  Use the SHA256 driver and utilities from pico-sdk

modules/hal_rpi_pico/bootloader/CMakeLists.txt

@@ -37,6 +37,7 @@ target_include_directories(boot_stage2 PUBLIC
   ${rp2040_dir}/pico_platform/include
   ${rp2040_dir}/hardware_regs/include
   ${common_dir}/pico_base_headers/include
+  ${rp2_common_dir}/pico_platform_common/include
   ${rp2_common_dir}/pico_platform_compiler/include
   ${rp2_common_dir}/pico_platform_sections/include
   ${rp2_common_dir}/pico_platform_panic/include

tests/crypto/crypto_hash/socs/rp2350a_m33.overlay

@@ -0,0 +1,9 @@
+/*
+ * Copyright (c) 2025 TOKITA Hiroshi
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+&sha256 {
+	status = "okay";
+};

tests/crypto/crypto_hash/src/main.c

@@ -15,6 +15,8 @@
 #define CRYPTO_DEV_COMPAT renesas_smartbond_crypto
 #elif DT_HAS_COMPAT_STATUS_OKAY(st_stm32_hash)
 #define CRYPTO_DEV_COMPAT st_stm32_hash
+#elif DT_HAS_COMPAT_STATUS_OKAY(raspberrypi_pico_sha256)
+#define CRYPTO_DEV_COMPAT raspberrypi_pico_sha256
 #else
 #error "You need to enable one crypto device"
 #endif

tests/crypto/crypto_hash/testcase.yaml

@@ -3,6 +3,7 @@ tests:
     platform_allow:
       - native_sim
       - nucleo_u575zi_q
+      - rpi_pico2/rp2350a/m33
     integration_platforms:
       - native_sim
       - nucleo_u575zi_q

west.yml

@@ -231,7 +231,7 @@ manifest:
         - hal
     - name: hal_rpi_pico
       path: modules/hal/rpi_pico
-      revision: b547a36a722af7787e5f55b551fd6ce72dcba5a4
+      revision: 09e957522da60581cf7958b31f8e625d969c69a5
       groups:
         - hal
     - name: hal_sifli