Reduce optee_os RAM footprint #6788

Open
SimoneBongini opened this issue Apr 15, 2024 · 6 comments

Comments

@SimoneBongini

Hello Team,
I'd like to reduce the OP-TEE core RAM footprint as low as possible in order to run:

  • PKCS11 TA, and
  • Secure Storage TA

By default it should be 32MB; may I reduce it? If yes, how?
Thanks a lot in advance

@etienne-lms
Contributor

What is the footprint you target?
PKCS#11 TA does not require much memory, far less than 1MByte (depending on your use cases of course).

On a 64bit platform, using 3MByte or 4MByte of secure RAM should be quite straightforward (aside from platform-specific dependencies), set CFG_TZDRAM_SIZE accordingly. Using 2MByte or less becomes tricky (needs implementation changes) unless you enable the OP-TEE pager, which may affect performance.
On a 32bit platform, 2MByte of secure RAM should work fine with CFG_TZDRAM_SIZE=0x200000 CFG_WITH_LPAE=n; less than 1MByte falls under the same consideration as stated above (implementation changes or enable pager).

@SimoneBongini
Author

SimoneBongini commented Apr 16, 2024

Thanks a lot for the reply, Etienne.
I tried but I got
core/arch/arm/plat-sam/conf.mk:37: *** CFG_TZDRAM_SIZE is set to '0x200000' (from command line) but its value must be '0x800000'. Stop.

In core/arch/arm/plat-sam/conf.mk I've found:

	# These values are forced because of matrix configuration for secure area.
	# When modifying these, always update matrix settings in
	# matrix_configure_slave_h64mx().
	$(call force,CFG_TZDRAM_START,0x20000000)
	$(call force,CFG_TZDRAM_SIZE,0x800000)

How could I safely resolve this?

@etienne-lms
Contributor

I don't know the constraints related to plat-sam. Please ask @nodeax for assistance.

@nodeax
Contributor

nodeax commented Apr 16, 2024

@SimoneBongini in addition to changing CFG_TZDRAM_SIZE you will need to change the below lines depending on the size:
sasplit_setting and the compile time assert

The MATRIX peripheral is responsible for enforcing the access control between secure and non-secure world. Overview and the resolutions available for split is here

@SimoneBongini
Copy link
Author

Hello @nodeax, thanks a lot for your reply, I'm going to dig into it.
Looking at https://github.com/linux4sam/linux-at91/blob/master/arch/arm/boot/dts/sama5d2-optee.dtsi
I'd like to shrink the optee-core reserved space.

	optee_core@20000000 {
		no-map;
		reg = <0x20000000 0x00800000>;
	};
	optee_shm@21000000 {
		no-map;
		reg = <0x21000000 0x00400000>;
	};
	scmi0_shmem: scmi0_shmem@21400000 {
		compatible = "arm,scmi-shmem";
		no-map;
		reg = <0x21400000 0x80>;
	};

Why does optee_shm start at 21000000 instead of 2080000?
Have a good day,
Simone

@nodeax
Contributor

nodeax commented Apr 19, 2024

> Why does optee_shm start at 21000000 instead of 2080000? Have a good day, Simone

The optee_shm in the device tree should match the CFG_SHMEM_START offset used in op-tee.

https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/plat-sam/conf.mk#L60

ifeq ($(CFG_SAMA5D2),y)
$(call force,CFG_TZDRAM_START,0x20000000)
endif

CFG_SHMEM_START  ?= ($(CFG_TZDRAM_START) + 0x1000000)

CFG_SCMI_SHMEM_START  ?= ($(CFG_TZDRAM_START) + 0x1400000)

As long as the core/shmem/scmi_shmem addresses match between the dts / op-tee, do not overlap and the matrix split / permission is set correctly, you should be able to play around and change the values to shrink/expand/align the regions as per your needs (within the resolution that the matrix split allows). I believe the existing values were chosen so that it can expand in the future if needed without having to re-align everything, but that work was done by @clementleger.
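
A consistency check for the rule stated in the last comment, added here as an example and not part of the thread or of optee_os: it parses the reserved-memory nodes quoted above, compares them with the conf.mk values shown in the thread, and looks for overlaps. The function names and the `OPTEE_CFG` table are assumptions made for illustration, and the MATRIX split settings are not checked.

```python
import re

# Constructed input: the reserved-memory nodes quoted in this thread.
DTS = """
optee_core@20000000 { no-map; reg = <0x20000000 0x00800000>; };
optee_shm@21000000 { no-map; reg = <0x21000000 0x00400000>; };
scmi0_shmem: scmi0_shmem@21400000 {
    compatible = "arm,scmi-shmem"; no-map; reg = <0x21400000 0x80>; };
"""
TZDRAM_START = 0x20000000  # CFG_TZDRAM_START as forced for SAMA5D2
# Hypothetical table: DTS node name -> (base, size) from the conf.mk lines above.
# Size is None where the thread does not show the OP-TEE value.
OPTEE_CFG = {
    "optee_core": (TZDRAM_START, 0x800000),            # CFG_TZDRAM_SIZE
    "optee_shm": (TZDRAM_START + 0x1000000, None),     # CFG_SHMEM_START
    "scmi0_shmem": (TZDRAM_START + 0x1400000, None),   # CFG_SCMI_SHMEM_START
}
NODE_RE = re.compile(r"(\w+)@([0-9a-fA-F]+)\s*\{(.*?)\}\s*;", re.S)
REG_RE = re.compile(r"reg\s*=\s*<\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*>")

def parse_regions(dts):
    """Return {node: (base, size, unit_address)} for nodes with a two-cell reg."""
    regions = {}
    for name, unit, body in NODE_RE.findall(dts):
        m = REG_RE.search(body)
        if m:
            regions[name] = (int(m.group(1), 16), int(m.group(2), 16), int(unit, 16))
    return regions

def check_layout(dts, cfg):
    """Return a list of problems; an empty list means DTS and OP-TEE agree."""
    regions, problems = parse_regions(dts), []
    for name, (base, size) in cfg.items():
        if name not in regions:
            problems.append(f"{name}: missing from DTS")
            continue
        d_base, d_size, unit = regions[name]
        if unit != d_base:
            problems.append(f"{name}: unit address {unit:#x} != reg base {d_base:#x}")
        if d_base != base:
            problems.append(f"{name}: DTS base {d_base:#x} != OP-TEE {base:#x}")
        if size is not None and d_size != size:
            problems.append(f"{name}: DTS size {d_size:#x} != OP-TEE {size:#x}")
    # Sorted by base, any overlap shows up between two neighbouring regions.
    spans = sorted((b, b + s, n) for n, (b, s, _) in regions.items())
    for (_, end1, n1), (start2, _, n2) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append(f"{n1} overlaps {n2}")
    return problems

if __name__ == "__main__":
    print(check_layout(DTS, OPTEE_CFG) or "layout consistent")
```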
