Downsizing the TFM with PSA support

Hi,

It is possible to enable only certain features in TF-M and get the size down. It is not entirely straight-forward though, but my colleague Sigurd Hellesvik  have looked into this in the past. That has not been public, so I am sharing his suggestions here:

Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. Inn addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (2185.chachapoly_custom_psa_includes.zip). This shows how to include only the PSA drivers you need.

Hi,

It is possible to enable only certain features in TF-M and get the size down. It is not entirely straight-forward though, but my colleague Sigurd Hellesvik  have looked into this in the past. That has not been public, so I am sharing his suggestions here:

Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. Inn addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (2185.chachapoly_custom_psa_includes.zip). This shows how to include only the PSA drivers you need.

Hi Einar,

Thanks for reply.

I just test to build the example with NCS 2.1.2, but get FLASH overflow error, too.

And when I look into the project, it set CONFIG_TFM_PROFILE_TYPE_NOT_SET=y in nrf9160dk_nrf9160_ns.conf just like aes_ctr examlpe do. This config will disable the CONFIG_TFM_PROFILE_TYPE_MINIMAL and them the partition manager will arrange 256KB partition for TFM image.

flash_primary (0x100000 - 1024kB):
+---------------------------------------------+
+---0x0: tfm_secure (0x40000 - 256kB)---------+
| 0x0: tfm (0x40000 - 256kB) |
+---0x40000: tfm_nonsecure (0xb8000 - 736kB)--+
| 0x40000: app (0xb8000 - 736kB) |

I had try to disable CONFIG_TFM_PROFILE_TYPE_NOT_SET to keep minimal setting of TFM. But seems most feattures cannot be enable with CONFIG_TFM_PROFILE_TYPE_MINIMAL on. I will keep looking into it.

Hi Einar,

When I enable CONFIG_PSA_DEFAULT_OFF with CONFIG_TFM_PROFILE_TYPE_NOT_SET=y, the TF-M image become even larger. I need to set CONFIG_PM_PARTITION_SIZE_TFM to 320kB to make build successed. 

Can you double check if there is anything wrong?  (I'm using ncs 2.1.2)

I was too quick yesterday, the approach I suggested there is flawed and will not reduce the size of TF-M. I am checking with the TF-M team to see if I can find a way and will get back to you.

Hi,

The team working with our TF-M implementation have optimization on their agenda but it is an ongoing process. However, for now there is no straight-forward way to do this and the suggestion at this time is to do a graphical diff of the build before and after minimal config was changed and first look for changes in build/zephyr/.config. Maybe some of the TF-M features aren't needed by the application. After that I would inspect the CMakeCache.txt of the TF-M build, and after that the .map file of TF-M.

Hi,

Actually, I already did.

Before I know how to use CONFIG_PSA_DEFAULT_OFF, I did compare the .config with minial build, and disable the features one-by-one. But the TF-M image size still > 200kB.

For now, I think I will use mbedtls crypt functions instead of PSA API in my project. And wait for good news from Nordic TF-M team.