Configuration for native tls (no offload to modem)

Dear Support-Team,

Due to the 2KB limitation of the secure buffers of the nrf9160 modem I am trying to set up native tls. I found the https_client sample which sounded promising, but when I use the same configuration as described in the sample (prj.conf + overlay-tfm_mbedtls.conf) I get a "region FLASH overflow", so I am trying to figure out which settings do what.

Using https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.5.0/kconfig/index.html does not help as the description gives no clue at all:

Examples:
CONFIG_NRF_SECURITY_ADVANCED

Advanced mbed TLS Configuration Settings

This configuration has no effect and will be deprecated. It is kept in to ensure projects setting this aren't affected.

or

CONFIG_TFM_PROFILE_TYPE_NOT_SET

TF-M build profile is not set

Is there any other documentation for those configurations?

Best regards

Context: I am working on a MQTT project and I have provisioned the certificates to the modem. With setting set_native_tls in the mqtt_sec_config struct I am able to connect to the server and get the data I expect (> offloading to the modem). Now I have to change to native tls in order to receive some other data which does not fit into the 2kB secure buffer of the modem.

  • Hi,

    How much are you overflowing with?

    You can adjust the size of TFM using this configuration:

    CONFIG_PM_PARTITION_SIZE_TFM

    Note that the alignment can be a bit tricky here, especially when combining this with mcuboot.

    Try for instance 0x27E00 if you're building with mcuboot.

    Kind regards,

    Håkon

  • Hi Håkon,

    thanks a lot for your suggestion. I am currently using the https_client demo and reverse engineer the meaning of the different CONFIG options used there.

    Resizing a partition might be an option, but resizing because I don't know how to configure the mbed tls library is not a solution.

    Thanks

    Stefan

  • Hi,

    Can you share the build output?

    Kind regards,

    Håkon

  • Hi,

    I can share my configuration and the final build output. With this configuration (related to mbedTLS)

    # MbedTLS and security
    CONFIG_TFM_PROFILE_TYPE_MINIMAL=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
    CONFIG_MBEDTLS_HEAP_SIZE=32768
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_GCM_C=y
    CONFIG_MBEDTLS_DHM_C=y
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_MBEDTLS_X509_REMOVE_INFO=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_NRF_SECURITY=y
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

    I get this build output:

    [153/157] Linking C executable bin/tfm_s.axf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       64332 B      65024 B     98.94%
                 RAM:       18888 B        32 KB     57.64%

    [433/444] Linking C executable zephyr/zephyr.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:      349572 B       352 KB     96.98%
                 RAM:      150204 B     211608 B     70.98%
            IDT_LIST:          0 GB         2 KB      0.00%

  • Ok, when I remove

    CONFIG_DEBUG=y
    CONFIG_DEBUG_INFO=y
    CONFIG_DEBUG_THREAD_INFO=y

    I get

    [153/157] Linking C executable bin/tfm_s.axf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       31544 B      32256 B     97.79%
                 RAM:       14736 B        32 KB     44.97%

    and

    Memory region         Used Size  Region Size  %age Used
               FLASH:      276600 B       384 KB     70.34%
                 RAM:      149948 B     211608 B     70.86%
            IDT_LIST:          0 GB         2 KB      0.00%
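
An added example, not part of any post in this thread and not Nordic's code: a small helper that reads the linker's memory-region table and checks or suggests a value for CONFIG_PM_PARTITION_SIZE_TFM. It assumes the secure/non-secure boundary must fall on a 32 KiB SPU flash region edge on the nRF9160 and that MCUboot places a 0x200-byte pad in front of TF-M; neither number is stated in the thread, but 0x27E00 and the 65024 B and 32256 B TF-M regions quoted above all fit that rule.

```python
import re

# Assumptions (not stated in the thread): nRF9160 SPU flash regions are
# 32 KiB, and the MCUboot image pad in front of TF-M is 0x200 bytes.
SPU_REGION = 0x8000
MCUBOOT_PAD = 0x200

# One row of the linker table, e.g. "FLASH:  64332 B  65024 B  98.94%"
ROW = re.compile(
    r"^\s*(\w+):\s+(\d+) (B|KB|MB|GB)\s+(\d+) (B|KB|MB|GB)\s+([\d.]+)%", re.M)
UNIT = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}


def parse_regions(text):
    """Return {region: (used_bytes, size_bytes)} from linker output."""
    return {m[1]: (int(m[2]) * UNIT[m[3]], int(m[4]) * UNIT[m[5]])
            for m in ROW.finditer(text)}


def is_aligned(tfm_size, with_mcuboot=True):
    """True if the end of the TF-M partition lands on an SPU region edge."""
    pad = MCUBOOT_PAD if with_mcuboot else 0
    return tfm_size > 0 and (tfm_size + pad) % SPU_REGION == 0


def smallest_tfm_size(used, with_mcuboot=True, reserve=0):
    """Smallest aligned partition size holding `used` + `reserve` bytes."""
    pad = MCUBOOT_PAD if with_mcuboot else 0
    regions = -(-(used + reserve + pad) // SPU_REGION)  # ceiling division
    return regions * SPU_REGION - pad


# TF-M link output as quoted in the thread (build with debug options on).
SAMPLE = """\
Memory region         Used Size  Region Size  %age Used
           FLASH:       64332 B      65024 B     98.94%
             RAM:       18888 B        32 KB     57.64%
"""

if __name__ == "__main__":
    used, size = parse_regions(SAMPLE)["FLASH"]
    print(f"TF-M FLASH: {used} of {size} B, {size - used} B free")
    print(f"smallest aligned size: {smallest_tfm_size(used):#x}")
    print(f"with 4 KiB reserve:    {smallest_tfm_size(used, reserve=4096):#x}")
```

Without MCUboot in the build, pass `with_mcuboot=False` so the pad is not subtracted.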
