pre-hashed version of mldsa signature

[ArthurHeymans]

Would it be acceptable to implement pre-hashed ml-dsa signature schemes (e.g. with OID fips204::ID_HASH_ML_DSA_87_WITH_SHA_512)?
We have a use-case with HW-accelerated sha512 and ml-dsa but the ML-DSA IP only takes a 512bit message, so we use sha512 to have arbitrary sized messages fit that 512bit.

https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/ism/cybersecurity-guidelines/guidelines-cryptography states using this scheme should only be used in special cases. Would putting it behind a feature flag ok?

[tarcieri]

I know there's been a bit of controversy surrounding the choice of HashML-DSA vs ExternalMu-ML-DSA:

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OyQw3YpSh-s/m/2HtxpeKlAQAJ

The downside of HashML-DSA is it effectively adds a parallel, incompatible algorithm, whereas ExternalMu-ML-DSA functions just like the regular ML-DSA.