This page describes some of the optimizations that can help you reduce the RAM and/or ROM footprint of the mbed TLS library. These are generic optimizations that do not require massive modifications to code. If you need more size reduction or have related questions, please contact us!
We always welcome additions that people have found helpful in reducing RAM or ROM usage. Let us know if you have other improvements that can help people!
This page is split into two parts: one for reductions of the compiled library and one for reductions of the runtime memory required.
All of the settings described here are available in config.h; see "How do I configure mbed TLS".
The binary footprint is the size of the actual file on disk, in the ROM or the flash.
mbed TLS has a lot of options enabled by default that provide compatibility and much-used functionality. To reduce the footprint, adapt config.h to disable functions that you do not need.
The memory footprint is the size of the memory needed at runtime to store variables, contexts and other runtime information.
Reduce the maximum size of an MPI
If you know in advance you will not use larger MPIs you can reduce MBEDTLS_MPI_MAX_SIZE to match. By default MBEDTLS_MPI_MAX_SIZE is set at 1024 bytes (i.e. 8192 bits).
Disabling unused ECP curves
Disabling big elliptic curves that you do not use in your application saves quite a bit of memory.
Reduce the maximum ECP bits
By default, MBEDTLS_ECP_MAX_BITS is set to 521 to support 521-bit elliptic curves. If you know in advance you will only use smaller curves, you can safely reduce this value as well. This has only a minimal effect on the memory used, though, and only applies if you use elliptic curves.
Reduce the ECP window size
By default, elliptic curve multiplications use a window size (MBEDTLS_ECP_WINDOW_SIZE) of up to 6. You can reduce this value down to 2, which reduces the memory used at a performance penalty. This only has an effect if you use elliptic curves, and has more impact on larger curves. (See also how to tune ECC resource usage.)
Disable the ECP Fixed point optimizations
By disabling the ECP fixed point optimizations (MBEDTLS_ECP_FIXED_POINT_OPTIM), you lose some performance but use less memory. This only has an effect if you use elliptic curves. (See also how to tune ECC resource usage.)
Reduce the MPI window size
mbedtls_mpi_exp_mod() uses a sliding window size (MBEDTLS_MPI_WINDOW_SIZE) of up to 6. You can reduce this value down to 1, which reduces the memory used at a performance penalty. Only has an effect if you use RSA, DHM or
Reduce SSL frame buffer
By default, mbed TLS uses a 16k frame buffer to hold data for incoming and outgoing frames. This is what the TLS standard requires. If you control both sides of a connection (server and client), you can reduce the maximum frame size to reduce the buffers needed to store the data. The size of this frame is determined by MBEDTLS_SSL_MAX_CONTENT_LEN. You can safely reduce this to a more appropriate size (like 2k bytes) if:
- both sides support the max_fragment_length SSL extension (allowing reduction to < 1k bytes for the buffers).
- you control both sides of the connection or know the maximum size that will ever be sent in a single SSL/TLS frame.
Store AES tables in ROM
By default, our AES implementation uses tables that are computed the first time AES is used and then stored in RAM. You can instead store them in ROM by enabling MBEDTLS_AES_ROM_TABLES. This is a RAM-ROM trade-off.
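The RAM settings above, combined into one reduced configuration with a check that the limits still cover what the device must handle. This is an added example, not code from mbed TLS: the values are assumptions for one deployment, and footprint_check() and the FP_* flags are hypothetical names.

```c
#include <stddef.h>

/* Reduced settings as they would appear in config.h. The values are
 * assumptions for a device that only handles 2048-bit RSA keys, a
 * 256-bit curve and 2 KB TLS records. */
#define MBEDTLS_MPI_MAX_SIZE          256  /* bytes; default 1024 */
#define MBEDTLS_MPI_WINDOW_SIZE       1    /* 1..6; default 6 */
#define MBEDTLS_ECP_MAX_BITS          256  /* default 521 */
#define MBEDTLS_ECP_WINDOW_SIZE       2    /* 2..6; default 6 */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0    /* 0 disables the optimization */
#define MBEDTLS_SSL_MAX_CONTENT_LEN   2048 /* bytes; default 16384 */
#define MBEDTLS_AES_ROM_TABLES             /* AES tables in ROM, not RAM */

/* Reject out-of-range window sizes at compile time. */
#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 6
#error "MBEDTLS_ECP_WINDOW_SIZE must be between 2 and 6"
#endif
#if MBEDTLS_MPI_WINDOW_SIZE < 1 || MBEDTLS_MPI_WINDOW_SIZE > 6
#error "MBEDTLS_MPI_WINDOW_SIZE must be between 1 and 6"
#endif

/* Hypothetical result flags; not part of mbed TLS. */
enum {
    FP_OK             = 0,
    FP_MPI_TOO_SMALL  = 1 << 0, /* modulus does not fit MBEDTLS_MPI_MAX_SIZE */
    FP_CURVE_TOO_BIG  = 1 << 1, /* curve exceeds MBEDTLS_ECP_MAX_BITS */
    FP_RECORD_TOO_BIG = 1 << 2  /* record exceeds MBEDTLS_SSL_MAX_CONTENT_LEN */
};

/* Hypothetical helper: compare the reduced limits with the largest RSA/DHM
 * modulus, curve and TLS record the deployment has to process. Returns a
 * bitmask of FP_* flags; FP_OK means every limit is large enough. */
int footprint_check(size_t max_modulus_bits, size_t max_curve_bits,
                    size_t max_record_bytes)
{
    int problems = FP_OK;

    /* MBEDTLS_MPI_MAX_SIZE is in bytes, key sizes are quoted in bits. */
    if ((max_modulus_bits + 7) / 8 > MBEDTLS_MPI_MAX_SIZE)
        problems |= FP_MPI_TOO_SMALL;
    if (max_curve_bits > MBEDTLS_ECP_MAX_BITS)
        problems |= FP_CURVE_TOO_BIG;
    if (max_record_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN)
        problems |= FP_RECORD_TOO_BIG;
    return problems;
}
```

Running such a check in a build-time test catches a reduction that would make the device reject a peer's key or record it is expected to accept.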
We provide a few example configurations in the configs directory. Two of them feature footprint optimisation for a specific usage profile:
- config-suite-b.h is a minimal configuration supporting NSA Suite B.
- config-ccm-psk-tls1_2.h is a minimal configuration supporting pre-shared key with AES-CCM.