• State Not Answered
  • Replies 7 replies
  • Subscribers 91 subscribers
  • Views 374 views
  • Users 0 members are here
Attachments (2) Download All
Nordic Case Info
  • Case ID: 360169
Options

Public and Private key generation for TLS communication using PSA Crypto calls.

AR Jadhav

Hello, 

Overview:

Currently we are using nRF9160 we are using mbedtls library for generating EC key based certificates (self-signed and CSR). Our code is built with TFM and application is non-secure. I need to understand following.
1. What is the role of TFM if application itself is in non-secure mode.

2. I want to remove mbedtls library and use PSA-crypto engine for certificate generation, parsing and signing how that can be possible.

Attaching the .config file after build for your reference. The aim to reduce the heap consumption done by mbedtls and optimize the code.

version used: nrf sdk version 2.7.0

3823.configFile.txt

Thanks,
Akshay

  • 0 in reply to AR Jadhav

    Hi  

    As I am looking into document. I am having few more queries. I am having built configuration with nrf9160_ns and I am using Modem for IP based communication with TLS enabled. Now if I build my code in nRF9160 mode then I can see my code fails by saying that TFM is need and following dependency is shown

    Some additional info about using TFM is, we are using nrf_modem_lib which cannot be used if we disable the TFM completely.

    menuconfig NRF_MODEM_LIB
    bool "Modem library"
    depends on SOC_SERIES_NRF91X
    depends on TRUSTED_EXECUTION_NONSECURE
    select NRF_MODEM
    imply NET_SOCKETS_OFFLOAD
    imply NET_SOCKETS_POSIX_NAMES if !POSIX_API
    # The modem must be turned on to achieve low power consumption.
    # But disable it for ZTEST's as some tests have HW
    # resource-conflicts with NRF_MODEM_LIB.
    default y if !ZTEST
    help
    Use Nordic Modem library.
    This is the kconfig at path: lib/nrf_modem_lib/Kconfig which has the check of dependency.

    - Following question is currently I am assigning 32 KB RAM to TFM out of which 44% is the runtime/static RAM consumption can you tell me how much peak consumption it can reach

    Regarding the example you provided. I was able to build the code with secure build and non-secure build. I think I have used this PSA_CRYPTO samples for 


    Thanks,
    Akshay

  • 0

    Hi,

    Thank you for the additional details. You have correctly identified the dependency that for nRF9160 applications that use the Modem Library, the supported build is the non-secure target with TF-M (nrf9160dk/nrf9160/ns). The Modem Library requires the application to run in the non-secure processing environment which is set up when TF-M is used. So Yes that's correct that TFM cannot be removed.

    And regarding your peak consumption question:

    We cannot give you one fixed peak value in kB from that percentage alone. From the Kconfig you shared, TF-M SRAM is 32 kB (CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0x8000), with minimal TF-M and small crypto buffers (CONFIG_TFM_CRYPTO_ENGINE_BUF_SIZE=1, CONFIG_TFM_CRYPTO_IOVEC_BUFFER_SIZE=1024, crypto stack 0x800). So you are not using the large default crypto scratch buffers from a full TF-M profile, most of what is reserved is already reflected in the build-time figure.

    If your build log shows ~44%, that is about 14 kB of 32 kB link time / static TF-M RAM. That is a good baseline. During active crypto (e.g. key generation or ECDSA), usage can go a bit higher for a short time (mainly stack and operation specific working memory), but it must stay within the 32 kB partition you assigned.

    If you need a project-specific peak number, please try to run west build -d build/<your_app> -t tfm_ram_report on the same build.

    Best Regards,
    Syed Maysum

Related
Terms of service