• State Not Answered
  • Replies 10 replies
  • Subscribers 64 subscribers
  • Views 1218 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 299537
Options

Downsizing the TFM with PSA support

Tim Chao

Hi,

I am developing application on NRF9160 right now.

When I trying to enable AES CTR enc/dec follow the aes_ctr sample in my application, I got the FLASH overflow error.

I realized it cause by the TFM size increase from 48kB to 256kB after enable CONFIG_TFM_PROFILE_TYPE_NOT_SET.

flash_primary (0x100000 - 1024kB):
+--------------------------------------------------+
| 0x0: mcuboot (0xc000 - 48kB) |
| 0xc000: EMPTY_0 (0x4000 - 16kB) |
+---0x10000: mcuboot_primary (0x70000 - 448kB)-----+
+---0x10000: tfm_secure (0x40200 - 256kB)----------+
| 0x10000: mcuboot_pad (0x200 - 512B) |
+---0x10200: mcuboot_primary_app (0x6fe00 - 447kB)-+
| 0x10200: tfm (0x40000 - 256kB) |
+---0x50200: tfm_nonsecure (0x2fe00 - 191kB)-------+
| 0x50200: app (0x2fe00 - 191kB) |
+--------------------------------------------------+
| 0x80000: mcuboot_secondary (0x70000 - 448kB) |
+---0xf0000: nonsecure_storage (0x2000 - 8kB)------+
| 0xf0000: settings_storage (0x2000 - 8kB) |
+--------------------------------------------------+
| 0xf2000: EMPTY_1 (0x6000 - 24kB) |
+---0xf8000: tfm_storage (0x8000 - 32kB)-----------+
| 0xf8000: tfm_its (0x2000 - 8kB) |
| 0xfa000: tfm_otp_nv_counters (0x2000 - 8kB) |
| 0xfc000: tfm_ps (0x4000 - 16kB) |
+--------------------------------------------------+

That cause the app image size limit down to 191kB, and that is not enough for my application.

Can you give me some advices how to down szie the tfm image or another approach to avoid the FLASH overflow?

The feature I required it just the AES 128 CTR enc/dec and key import.

Thanks.

(ps. I already disable the debug build option, and I need the DFU for firmware upgrade support)

  • 0

    Hi,

    It is possible to enable only certain features in TF-M and get the size down. It is not entirely straight-forward though, but my colleague   have looked into this in the past. That has not been public, so I am sharing his suggestions here:

    Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. Inn addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

    To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (2185.chachapoly_custom_psa_includes.zip). This shows how to include only the PSA drivers you need.

  • 0 in reply to Einar Thorsrud

    Hi Einar,

    Thanks for reply.

    I just test to build the example with NCS 2.1.2, but get FLASH overflow error, too.

    And when I look into the project, it set CONFIG_TFM_PROFILE_TYPE_NOT_SET=y in nrf9160dk_nrf9160_ns.conf just like aes_ctr examlpe do. This config will disable the CONFIG_TFM_PROFILE_TYPE_MINIMAL and them the partition manager will arrange 256KB partition for TFM image.

    flash_primary (0x100000 - 1024kB):
    +---------------------------------------------+
    +---0x0: tfm_secure (0x40000 - 256kB)---------+
    | 0x0: tfm (0x40000 - 256kB) |
    +---0x40000: tfm_nonsecure (0xb8000 - 736kB)--+
    | 0x40000: app (0xb8000 - 736kB) |

    I had try to disable CONFIG_TFM_PROFILE_TYPE_NOT_SET to keep minimal setting of TFM. But seems most feattures cannot be enable with CONFIG_TFM_PROFILE_TYPE_MINIMAL on. I will keep looking into it.

  • 0 in reply to Einar Thorsrud

    Hi Einar,

    When I enable CONFIG_PSA_DEFAULT_OFF with CONFIG_TFM_PROFILE_TYPE_NOT_SET=y, the TF-M image become even larger. I need to set CONFIG_PM_PARTITION_SIZE_TFM to 320kB to make build successed. 

    Can you double check if there is anything wrong?  (I'm using ncs 2.1.2)

  • 0 in reply to Tim Chao

    I was too quick yesterday, the approach I suggested there is flawed and will not reduce the size of TF-M. I am checking with the TF-M team to see if I can find a way and will get back to you.

  • 0 in reply to Einar Thorsrud

    Hi,

    The team working with our TF-M implementation have optimization on their agenda but it is an ongoing process. However, for now there is no straight-forward way to do this and the suggestion at this time is to do a graphical diff of the build before and after minimal config was changed and first look for changes in build/zephyr/.config. Maybe some of the TF-M features aren't needed by the application. After that I would inspect the CMakeCache.txt of the TF-M build, and after that the .map file of TF-M.

Related