How to use a custom mbedTLS configuration (mbedtls_config.h) with TF-M and nrf_security in NCS v2.8.0?


Hi Nordic team.

I'm working on a project using the nRF9160 and nRF Connect SDK v2.8.0, and I would like to use a custom mbedtls_config.h file to configure mbedTLS according to my needs.

My goal:

  • Keep TF-M enabled (required when using _ns targets).

  • Avoid default PSA crypto config unless explicitly needed.

  • Use my own mbedtls_config.h instead of nrf-config.h or config-tls-generic.h.

  • Prevent nrf_security or TF-M from overriding my configuration.

  • Build without any Kconfig warnings related to PSA dependencies.

What I’ve already tried:

  • Disabled nrf_security and enabled Zephyr's builtin mbedTLS:

    CONFIG_NRF_SECURITY=n
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=y
    CONFIG_MBEDTLS_CFG_FILE="mbedtls_config.h"

    TF-M still pulls in nrf_security and forces PSA-related configs like PSA_WANT_GENERATE_RANDOM, even when I try to override them or set TFM_PROFILE_TYPE_MINIMAL=n.

  • Tried manually disabling PSA features:

    CONFIG_MBEDTLS_PSA_CRYPTO_C=n
    CONFIG_PSA_WANT_ALG_HMAC_DRBG=n
    CONFIG_PSA_WANT_GENERATE_RANDOM=n

But those settings get overridden by TF-M and still trigger Kconfig warnings.

My question:

What is the correct and supported way to:

  1. Use a custom mbedtls_config.h file in an application using TF-M?

  2. Prevent nrf_security and TF-M from enabling PSA crypto features I don’t want?

  3. Build without Kconfig warnings or symbol conflicts?

  4. Have full control over which mbedTLS modules are included?

Any advice, official guidance, or workarounds would be greatly appreciated.
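The question above has no reply on this page. As an added diagnostic (not from the original post, the poster, or Nordic), the script below shows how to find out which of the requested Kconfig values were actually overridden by TF-M or nrf_security: it reads the symbols requested in a prj.conf-style fragment and compares them with the values the build resolved into the final .config. The two input files are constructed here to mirror the symptoms described in the post (nrf_security re-enabled, the config file swapped, PSA symbols forced on); the helper names and the temporary-file layout are this example's own, not an NCS API.

```shell
#!/bin/sh
# Added example: report Kconfig symbols whose final value differs from the
# value requested in a configuration fragment. Only Kconfig's .config syntax
# is assumed ("CONFIG_X=value" or "# CONFIG_X is not set").

# kconfig_value FILE SYMBOL -> value of SYMBOL in FILE, or "n" when the
# symbol is absent or written as "# CONFIG_X is not set".
kconfig_value() {
    file=$1
    sym=$2
    if grep -q "^${sym}=" "$file"; then
        sed -n "s/^${sym}=//p" "$file" | head -n 1
    else
        echo n
    fi
}

# kconfig_overrides WANT_FILE GOT_FILE -> one line per overridden symbol:
# "CONFIG_X wanted=<requested> got=<resolved>". Prints nothing if every
# requested value survived.
kconfig_overrides() {
    want=$1
    got=$2
    grep -E '^CONFIG_[A-Z0-9_]+=' "$want" | while IFS='=' read -r sym val; do
        actual=$(kconfig_value "$got" "$sym")
        [ "$actual" = "$val" ] || printf '%s wanted=%s got=%s\n' "$sym" "$val" "$actual"
    done
}

# kconfig_override_count WANT_FILE GOT_FILE -> number of overridden symbols.
kconfig_override_count() {
    kconfig_overrides "$1" "$2" | grep -c .
}

# Constructed sample input (hypothetical, modelled on the post): the
# requested fragment and a resolved .config in which TF-M/nrf_security
# won the dependency resolution.
WORKDIR=$(mktemp -d)
WANT_FILE="$WORKDIR/prj.conf"
GOT_FILE="$WORKDIR/dot-config"

cat > "$WANT_FILE" <<'EOF'
CONFIG_NRF_SECURITY=n
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_CFG_FILE="mbedtls_config.h"
CONFIG_MBEDTLS_PSA_CRYPTO_C=n
CONFIG_PSA_WANT_GENERATE_RANDOM=n
EOF

cat > "$GOT_FILE" <<'EOF'
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_CFG_FILE="nrf-config.h"
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_WANT_GENERATE_RANDOM=y
EOF

# Stand-alone run: list what was overridden in the constructed sample.
kconfig_overrides "$WANT_FILE" "$GOT_FILE"
```

Against a real build, point the second argument at the resolved configuration, e.g. `kconfig_overrides prj.conf build/zephyr/.config` (under sysbuild the application's .config lives one directory deeper, under the application name). Every symbol it lists is one a dependency forced, so it is the list to check against the Kconfig tree (e.g. `west build -t menuconfig` and the symbol's "Selected by" entry) rather than something prj.conf can override directly.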
