• State Not Answered
  • Replies 7 replies
  • Subscribers 91 subscribers
  • Views 370 views
  • Users 0 members are here
Attachments (2) Download All
Nordic Case Info
  • Case ID: 360169
Options

Public and Private key generation for TLS communication using PSA Crypto calls.

AR Jadhav

Hello, 

Overview:

Currently we are using nRF9160 we are using mbedtls library for generating EC key based certificates (self-signed and CSR). Our code is built with TFM and application is non-secure. I need to understand following.
1. What is the role of TFM if application itself is in non-secure mode.

2. I want to remove mbedtls library and use PSA-crypto engine for certificate generation, parsing and signing how that can be possible.

Attaching the .config file after build for your reference. The aim to reduce the heap consumption done by mbedtls and optimize the code.

version used: nrf sdk version 2.7.0

3823.configFile.txt

Thanks,
Akshay

Parents
  • 0

    Hi,

    Thank you for the additional details. You have correctly identified the dependency that for nRF9160 applications that use the Modem Library, the supported build is the non-secure target with TF-M (nrf9160dk/nrf9160/ns). The Modem Library requires the application to run in the non-secure processing environment which is set up when TF-M is used. So Yes that's correct that TFM cannot be removed.

    And regarding your peak consumption question:

    We cannot give you one fixed peak value in kB from that percentage alone. From the Kconfig you shared, TF-M SRAM is 32 kB (CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0x8000), with minimal TF-M and small crypto buffers (CONFIG_TFM_CRYPTO_ENGINE_BUF_SIZE=1, CONFIG_TFM_CRYPTO_IOVEC_BUFFER_SIZE=1024, crypto stack 0x800). So you are not using the large default crypto scratch buffers from a full TF-M profile, most of what is reserved is already reflected in the build-time figure.

    If your build log shows ~44%, that is about 14 kB of 32 kB link time / static TF-M RAM. That is a good baseline. During active crypto (e.g. key generation or ECDSA), usage can go a bit higher for a short time (mainly stack and operation specific working memory), but it must stay within the 32 kB partition you assigned.

    If you need a project-specific peak number, please try to run west build -d build/<your_app> -t tfm_ram_report on the same build.

    Best Regards,
    Syed Maysum

Reply
  • 0

    Hi,

    Thank you for the additional details. You have correctly identified the dependency that for nRF9160 applications that use the Modem Library, the supported build is the non-secure target with TF-M (nrf9160dk/nrf9160/ns). The Modem Library requires the application to run in the non-secure processing environment which is set up when TF-M is used. So Yes that's correct that TFM cannot be removed.

    And regarding your peak consumption question:

    We cannot give you one fixed peak value in kB from that percentage alone. From the Kconfig you shared, TF-M SRAM is 32 kB (CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0x8000), with minimal TF-M and small crypto buffers (CONFIG_TFM_CRYPTO_ENGINE_BUF_SIZE=1, CONFIG_TFM_CRYPTO_IOVEC_BUFFER_SIZE=1024, crypto stack 0x800). So you are not using the large default crypto scratch buffers from a full TF-M profile, most of what is reserved is already reflected in the build-time figure.

    If your build log shows ~44%, that is about 14 kB of 32 kB link time / static TF-M RAM. That is a good baseline. During active crypto (e.g. key generation or ECDSA), usage can go a bit higher for a short time (mainly stack and operation specific working memory), but it must stay within the 32 kB partition you assigned.

    If you need a project-specific peak number, please try to run west build -d build/<your_app> -t tfm_ram_report on the same build.

    Best Regards,
    Syed Maysum

Children
No Data
Related
Terms of service