How to use a custom mbedTLS configuration (mbedtls_config.h) with TF-M and nrf_security in NCS v2.8.0?

Hi Nordic team.

I'm working on a project using the nRF9160 and nRF Connect SDK v2.8.0, and I would like to use a custom mbedtls_config.h file to configure mbedTLS according to my needs.

My goal:

  • Keep TF-M enabled (required when using _ns targets).

  • Avoid default PSA crypto config unless explicitly needed.

  • Use my own mbedtls_config.h instead of nrf-config.h or config-tls-generic.h.

  • Prevent nrf_security or TF-M from overriding my configuration.

  • Build without any Kconfig warnings related to PSA dependencies.

What I’ve already tried:

  • Disabled nrf_security and enabled Zephyr's builtin mbedTLS:

    CONFIG_NRF_SECURITY=n
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=y
    CONFIG_MBEDTLS_CFG_FILE="mbedtls_config.h"

    TF-M still pulls in nrf_security and forces PSA-related configs like PSA_WANT_GENERATE_RANDOM, even when I try to override them or set TFM_PROFILE_TYPE_MINIMAL=n.

  • Tried manually disabling PSA features:

    CONFIG_MBEDTLS_PSA_CRYPTO_C=n
    CONFIG_PSA_WANT_ALG_HMAC_DRBG=n
    CONFIG_PSA_WANT_GENERATE_RANDOM=n

But those settings get overridden by TF-M and still trigger Kconfig warnings.

My question:

What is the correct and supported way to:

  1. Use a custom mbedtls_config.h file in an application using TF-M?

  2. Prevent nrf_security and TF-M from enabling PSA crypto features I don’t want?

  3. Build without Kconfig warnings or symbol conflicts?

  4. Have full control over which mbedTLS modules are included?

Any advice, official guidance, or workarounds would be greatly appreciated.
