How much of that code has to be resident in SRAM or XIP cache once a session key has been established to handle the common TLS record types? Is it feasible to execute the whole TLS session setup code either in place from serial flash or at least copy it to SRAM on demand, allowing the application to use more SRAM once a session has been established?