Downsizing the TFM with PSA support

RE: Downsizing the TFM with PSA support

Einar Thorsrud — Fri, 16 Feb 2024 08:07:02 GMT

That is correct, you will need RSA-2048 for that.

RE: Downsizing the TFM with PSA support

GilDev — Thu, 15 Feb 2024 15:31:18 GMT

Thanks for the information. If I’m not mistaken though, using AWS IoT (like with the Nordic’s aws_iot sample) requires RSA?

RE: Downsizing the TFM with PSA support

Einar Thorsrud — Thu, 15 Feb 2024 15:30:02 GMT

Hi,

There are no major improvements on TF-M size optimization and configurability, but we are working on it. There have been one recent optimization though, which is disabling RSA to save 30 kB (it can still be enabled if needed). See this PR.

RE: Downsizing the TFM with PSA support

GilDev — Thu, 15 Feb 2024 10:57:50 GMT

Hi,

Any “good news” on this matter?

RE: Downsizing the TFM with PSA support

Tim Chao — Thu, 08 Dec 2022 02:14:08 GMT

Hi,

Actually, I already did.

Before I know how to use CONFIG_PSA_DEFAULT_OFF, I did compare the .config with minial build, and disable the features one-by-one. But the TF-M image size still > 200kB.

For now, I think I will use mbedtls crypt functions instead of PSA API in my project. And wait for good news from Nordic TF-M team.

RE: Downsizing the TFM with PSA support

Einar Thorsrud — Wed, 07 Dec 2022 10:16:52 GMT

Hi,

The team working with our TF-M implementation have optimization on their agenda but it is an ongoing process. However, for now there is no straight-forward way to do this and the suggestion at this time is to do a graphical diff of the build before and after minimal config was changed and first look for changes in build/zephyr/.config. Maybe some of the TF-M features aren't needed by the application. After that I would inspect the CMakeCache.txt of the TF-M build, and after that the .map file of TF-M.

RE: Downsizing the TFM with PSA support

Einar Thorsrud — Tue, 06 Dec 2022 14:45:24 GMT

I was too quick yesterday, the approach I suggested there is flawed and will not reduce the size of TF-M. I am checking with the TF-M team to see if I can find a way and will get back to you.

RE: Downsizing the TFM with PSA support

Tim Chao — Tue, 06 Dec 2022 02:51:40 GMT

Hi Einar,

When I enable CONFIG_PSA_DEFAULT_OFF with CONFIG_TFM_PROFILE_TYPE_NOT_SET=y, the TF-M image become even larger. I need to set CONFIG_PM_PARTITION_SIZE_TFM to 320kB to make build successed.

Can you double check if there is anything wrong? (I'm using ncs 2.1.2)

RE: Downsizing the TFM with PSA support

Tim Chao — Tue, 06 Dec 2022 02:29:19 GMT

Hi Einar,

Thanks for reply.

I just test to build the example with NCS 2.1.2, but get FLASH overflow error, too.

And when I look into the project, it set CONFIG_TFM_PROFILE_TYPE_NOT_SET=y in nrf9160dk_nrf9160_ns.conf just like aes_ctr examlpe do. This config will disable the CONFIG_TFM_PROFILE_TYPE_MINIMAL and them the partition manager will arrange 256KB partition for TFM image.

flash_primary (0x100000 - 1024kB):
+---------------------------------------------+
+---0x0: tfm_secure (0x40000 - 256kB)---------+
| 0x0: tfm (0x40000 - 256kB) |
+---0x40000: tfm_nonsecure (0xb8000 - 736kB)--+
| 0x40000: app (0xb8000 - 736kB) |

I had try to disable CONFIG_TFM_PROFILE_TYPE_NOT_SET to keep minimal setting of TFM. But seems most feattures cannot be enable with CONFIG_TFM_PROFILE_TYPE_MINIMAL on. I will keep looking into it.

RE: Downsizing the TFM with PSA support

Einar Thorsrud — Mon, 05 Dec 2022 14:22:23 GMT

Hi,

It is possible to enable only certain features in TF-M and get the size down. It is not entirely straight-forward though, but my colleague Sigurd Hellesvik have looked into this in the past. That has not been public, so I am sharing his suggestions here:

Firstly, Trusted Firmware-M builds as a Minimal Build by default, but you could double check that CONFIG_TFM_PROFILE_TYPE_MINIMAL is set in your project. Inn addition, it is possible to set CONFIG_PSA_DEFAULT_OFF and enable algorithms specifically by using CONFIG_PSA_WANT_ALG_XXXX.

To show how the CONFIG_PSA_DEFAULT_OFF can be used, Sigurd created a custom version of our Crypto: Chacha20-Poly1305 example (devzone.nordicsemi.com/.../2185.chachapoly_5F00_custom_5F00_psa_5F00_includes.zip). This shows how to include only the PSA drivers you need.