Downsizing the TFM with PSA support

Hi,

I am developing an application on the NRF9160 right now.

When I tried to enable AES CTR enc/dec following the aes_ctr sample in my application, I got the FLASH overflow error.

I realized it is caused by the TFM size increasing from 48kB to 256kB after enabling CONFIG_TFM_PROFILE_TYPE_NOT_SET.

flash_primary (0x100000 - 1024kB):
+--------------------------------------------------+
| 0x0: mcuboot (0xc000 - 48kB) |
| 0xc000: EMPTY_0 (0x4000 - 16kB) |
+---0x10000: mcuboot_primary (0x70000 - 448kB)-----+
+---0x10000: tfm_secure (0x40200 - 256kB)----------+
| 0x10000: mcuboot_pad (0x200 - 512B) |
+---0x10200: mcuboot_primary_app (0x6fe00 - 447kB)-+
| 0x10200: tfm (0x40000 - 256kB) |
+---0x50200: tfm_nonsecure (0x2fe00 - 191kB)-------+
| 0x50200: app (0x2fe00 - 191kB) |
+--------------------------------------------------+
| 0x80000: mcuboot_secondary (0x70000 - 448kB) |
+---0xf0000: nonsecure_storage (0x2000 - 8kB)------+
| 0xf0000: settings_storage (0x2000 - 8kB) |
+--------------------------------------------------+
| 0xf2000: EMPTY_1 (0x6000 - 24kB) |
+---0xf8000: tfm_storage (0x8000 - 32kB)-----------+
| 0xf8000: tfm_its (0x2000 - 8kB) |
| 0xfa000: tfm_otp_nv_counters (0x2000 - 8kB) |
| 0xfc000: tfm_ps (0x4000 - 16kB) |
+--------------------------------------------------+

That brings the app image size limit down to 191kB, and that is not enough for my application.

Can you give me some advice on how to downsize the TFM image, or another approach to avoid the FLASH overflow?

The features I require are just AES 128 CTR enc/dec and key import.

Thanks.

(P.S. I already disabled the debug build option, and I need DFU for firmware upgrade support.)

  • Hi,

    It is possible to enable only certain features in TF-M and get the size down. It is not entirely straightforward though, but my colleague has looked into this in the past. That has not been public, so I am sharing his suggestions here:

    Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. In addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

    To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (2185.chachapoly_custom_psa_includes.zip). This shows how to include only the PSA drivers you need.

  • Hi Einar,

    Thanks for the reply.

    I just tested building the example with NCS 2.1.2, but got the FLASH overflow error, too.

    And when I looked into the project, it sets CONFIG_TFM_PROFILE_TYPE_NOT_SET=y in nrf9160dk_nrf9160_ns.conf just like the aes_ctr example does. This config will disable CONFIG_TFM_PROFILE_TYPE_MINIMAL and then the partition manager will arrange a 256KB partition for the TFM image.

    flash_primary (0x100000 - 1024kB):
    +---------------------------------------------+
    +---0x0: tfm_secure (0x40000 - 256kB)---------+
    | 0x0: tfm (0x40000 - 256kB) |
    +---0x40000: tfm_nonsecure (0xb8000 - 736kB)--+
    | 0x40000: app (0xb8000 - 736kB) |

    I had tried to disable CONFIG_TFM_PROFILE_TYPE_NOT_SET to keep the minimal setting of TFM. But it seems most features cannot be enabled with CONFIG_TFM_PROFILE_TYPE_MINIMAL on. I will keep looking into it.
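
The partition reports quoted in this thread can be checked mechanically, for example as a build gate that fails before the linker reports a FLASH overflow. The following is an added example, not code from the thread or from the nRF Connect SDK: it parses an excerpt of the report from the first post, confirms the leaf partitions tile flash without gaps or overlaps, and computes the app budget inside the MCUboot slot. The function names are hypothetical, and it assumes the app partition receives whatever TF-M does not use; the 48 kB figure is the TF-M size quoted in the first post.

```python
import re

# Excerpt copied from the partition report in the first post of this thread.
REPORT = """\
| 0x0: mcuboot (0xc000 - 48kB) |
| 0xc000: EMPTY_0 (0x4000 - 16kB) |
+---0x10000: mcuboot_primary (0x70000 - 448kB)-----+
| 0x10000: mcuboot_pad (0x200 - 512B) |
+---0x10200: mcuboot_primary_app (0x6fe00 - 447kB)-+
| 0x10200: tfm (0x40000 - 256kB) |
| 0x50200: app (0x2fe00 - 191kB) |
| 0x80000: mcuboot_secondary (0x70000 - 448kB) |
"""

# "|" lines are leaf partitions, "+---" lines are spans grouping several leaves.
ENTRY = re.compile(r"^(\||\+-+)\s*(0x[0-9a-fA-F]+): (\w+) \((0x[0-9a-fA-F]+) - ")

def parse_report(text):
    """Return {name: (start, size, is_leaf)} for each partition line."""
    parts = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            start, size = int(m.group(2), 16), int(m.group(4), 16)
            parts[m.group(3)] = (start, size, m.group(1) == "|")
    return parts

def layout_errors(parts):
    """Leaf partitions must tile flash with no gap or overlap."""
    leaves = sorted((s, s + n, name) for name, (s, n, leaf) in parts.items() if leaf)
    return [f"{a[2]} ends at {a[1]:#x}, {b[2]} starts at {b[0]:#x}"
            for a, b in zip(leaves, leaves[1:]) if a[1] != b[0]]

def app_limit(parts, tfm_size=None):
    """Bytes left for the app inside the MCUboot-updatable slot.
    Assumption: the app gets everything in the slot that TF-M does not use."""
    slot = parts["mcuboot_primary_app"][1]
    tfm = parts["tfm"][1] if tfm_size is None else tfm_size
    return slot - tfm

def fits(parts, app_image_bytes, tfm_size=None):
    """True if an app image of the given size fits the computed budget."""
    return app_image_bytes <= app_limit(parts, tfm_size)

if __name__ == "__main__":
    p = parse_report(REPORT)
    print(layout_errors(p) or "layout contiguous")
    print("app limit with 256 kB TF-M:", app_limit(p))
    print("app limit with 48 kB TF-M: ", app_limit(p, 0xC000))
```

The report rounds sizes down (0x2fe00 is 191.5 kB), so the check works on the hexadecimal values rather than the kB labels.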
