Hi Nordic team.
I'm working on a project using the nRF9160 and nRF Connect SDK v2.8.0, and I would like to use a custom mbedtls_config.h
file to configure mbedTLS according to my needs.
My goal:
- Keep TF-M enabled (required when using _ns targets).
- Avoid the default PSA crypto config unless explicitly needed.
- Use my own mbedtls_config.h instead of nrf-config.h or config-tls-generic.h.
- Prevent nrf_security or TF-M from overriding my configuration.
- Build without any Kconfig warnings related to PSA dependencies.
What I've already tried:
- Disabled nrf_security and enabled Zephyr's built-in mbedTLS:
  CONFIG_NRF_SECURITY=n
  CONFIG_MBEDTLS=y
  CONFIG_MBEDTLS_BUILTIN=y
  CONFIG_MBEDTLS_CFG_FILE="mbedtls_config.h"
  TF-M still pulls in nrf_security and forces PSA-related configs like PSA_WANT_GENERATE_RANDOM, even when I try to override them or set TFM_PROFILE_TYPE_MINIMAL=n.
- Tried manually disabling PSA features:
  CONFIG_MBEDTLS_PSA_CRYPTO_C=n
  CONFIG_PSA_WANT_ALG_HMAC_DRBG=n
  CONFIG_PSA_WANT_GENERATE_RANDOM=n
  But those settings get overridden by TF-M and still trigger Kconfig warnings.
My question:
What is the correct and supported way to:
- Use a custom mbedtls_config.h file in an application using TF-M?
- Prevent nrf_security and TF-M from enabling PSA crypto features I don't want?
- Build without Kconfig warnings or symbol conflicts?
- Have full control over which mbedTLS modules are included?
Any advice, official guidance, or workarounds would be greatly appreciated.