How to use a custom mbedTLS configuration (mbedtls_config.h) with TF-M and nrf_security in NCS v2.8.0?

Hi Nordic team.

I'm working on a project using the nRF9160 and nRF Connect SDK v2.8.0, and I would like to use a custom mbedtls_config.h file to configure mbedTLS according to my needs.

My goal:

• Keep TF-M enabled (required when using _ns targets).

• Avoid default PSA crypto config unless explicitly needed.

• Use my own mbedtls_config.h instead of nrf-config.h or config-tls-generic.h.

• Prevent nrf_security or TF-M from overriding my configuration.

• Build without any Kconfig warnings related to PSA dependencies

What I’ve already tried:

• Disabled nrf_security and enabled Zephyr's builtin mbedTLS:
  

  CONFIG_NRF_SECURITY=n
  CONFIG_MBEDTLS=y
  CONFIG_MBEDTLS_BUILTIN=y
  CONFIG_MBEDTLS_CFG_FILE="mbedtls_config.h"

  TF-M still pulls in nrf_security and forces PSA-related configs like PSA_WANT_GENERATE_RANDOM, even when I try to override them or set TFM_PROFILE_TYPE_MINIMAL=n.

• Tried manually disabling PSA features:
  

  CONFIG_MBEDTLS_PSA_CRYPTO_C=n
  CONFIG_PSA_WANT_ALG_HMAC_DRBG=n
  CONFIG_PSA_WANT_GENERATE_RANDOM=n

But those settings get overridden by TF-M and still trigger Kconfig warnings.

My question:

What is the correct and supported way to:

1. Use a custom mbedtls_config.h file in an application using TF-M?

2. Avoid nrf_security and TF-M from enabling PSA crypto features I don’t want?

3. Build without Kconfig warnings or symbol conflicts?

4. Have full control over which mbedTLS modules are included?

Any advice, official guidance, or workarounds would be greatly appreciated