Downsizing the TFM with PSA support

Hi,

It is possible to enable only certain features in TF-M and get the size down. It is not entirely straight-forward though, but my colleague Sigurd Hellesvik  have looked into this in the past. That has not been public, so I am sharing his suggestions here:

Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. Inn addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (2185.chachapoly_custom_psa_includes.zip). This shows how to include only the PSA drivers you need.

Hi Einar,

When I enable CONFIG_PSA_DEFAULT_OFF with CONFIG_TFM_PROFILE_TYPE_NOT_SET=y, the TF-M image become even larger. I need to set CONFIG_PM_PARTITION_SIZE_TFM to 320kB to make build successed. 

Can you double check if there is anything wrong?  (I'm using ncs 2.1.2)

I was too quick yesterday, the approach I suggested there is flawed and will not reduce the size of TF-M. I am checking with the TF-M team to see if I can find a way and will get back to you.

Hi,

The team working with our TF-M implementation have optimization on their agenda but it is an ongoing process. However, for now there is no straight-forward way to do this and the suggestion at this time is to do a graphical diff of the build before and after minimal config was changed and first look for changes in build/zephyr/.config. Maybe some of the TF-M features aren't needed by the application. After that I would inspect the CMakeCache.txt of the TF-M build, and after that the .map file of TF-M.

Hi,

The team working with our TF-M implementation have optimization on their agenda but it is an ongoing process. However, for now there is no straight-forward way to do this and the suggestion at this time is to do a graphical diff of the build before and after minimal config was changed and first look for changes in build/zephyr/.config. Maybe some of the TF-M features aren't needed by the application. After that I would inspect the CMakeCache.txt of the TF-M build, and after that the .map file of TF-M.

Hi,

Actually, I already did.

Before I know how to use CONFIG_PSA_DEFAULT_OFF, I did compare the .config with minial build, and disable the features one-by-one. But the TF-M image size still > 200kB.

For now, I think I will use mbedtls crypt functions instead of PSA API in my project. And wait for good news from Nordic TF-M team.

Hi,

Any “good news” on this matter?

Hi,

There are no major improvements on TF-M size optimization and configurability, but we are working on it. There have been one recent optimization though, which is disabling RSA to save 30 kB (it can still be enabled if needed). See this PR.

Thanks for the information. If I’m not mistaken though, using AWS IoT (like with the Nordic’s aws_iot sample) requires RSA?

That is correct, you will need RSA-2048 for that.