StMM heap too small for Secure Boot with OpenSSL crypto; make configurable

[lizthegrey]

Summary

The StMM SP heap size is hardcoded to 402 pages (1.6 MB) in core/arch/arm/kernel/stmm_sp.c. This is too small when StandaloneMm links AuthVariableLib + VarCheckPolicyLib (which pull in OpenSSL for Secure Boot certificate verification), causing allocation failures during MM initialization.

I worked around this by increasing to 800 pages in our fork, but it would be better to make this configurable via a build option like CFG_STMM_HEAP_SIZE.

Reproduction

Build OP-TEE with a StandaloneMm binary that includes edk2's AuthVariableLib and VarCheckPolicyLibStandaloneMm (i.e., any Secure Boot configuration). The SP fails to initialize because the heap runs out during OpenSSL library constructors.

Proposed fix

Add a CFG_STMM_HEAP_SIZE build option (in pages) with a default of 402 for backwards compatibility, allowing platforms that need Secure Boot to increase it. For example:

// stmm_sp.c
#ifndef CFG_STMM_HEAP_SIZE
#define CFG_STMM_HEAP_SIZE 402
#endif

Or alternatively, just increase the default — 800 pages (3.2 MB) works well in practice and the memory is only allocated when StMM is enabled.

Environment

• OP-TEE 4.9.0
• edk2-stable202602 StandaloneMm with AuthVariableLib + VarCheckPolicyLib
• NXP LX2160A (SolidRun HoneyComb LX2K)
• Writeup: https://gist.github.com/lizthegrey/9344dc71dc4ac11f9d6c79d7c143e535

[jenswi-linaro]

@apalos what do you think?

[apalos]

@apalos what do you think?

The heap size was indeed calculated by trial and error in the past. We even had cases when we had to bump it with some ff-a and edk2 changes (e.g aa6d7fc).
@lizthegrey AuthVariableLib is always included when compiling PlatformStandaloneMmRpmb.dsc so I assume the crash happens when you add VarCheckPolicyLib?

[apalos]

@lizthegrey since you've been looking at this, I do have some very hacky patches that allow StMM to print on the uart. We only used the for debugging during development, but if you think they'll be useful I can share them

[lizthegrey]

The heap size was indeed calculated by trial and error in the past. We even had cases when we had to bump it with some ff-a and edk2 changes (e.g aa6d7fc). @lizthegrey AuthVariableLib is always included when compiling PlatformStandaloneMmRpmb.dsc so I assume the crash happens when you add VarCheckPolicyLib?

Correct. Because OpenSSL.

[apalos]

The heap size was indeed calculated by trial and error in the past. We even had cases when we had to bump it with some ff-a and edk2 changes (e.g aa6d7fc). @lizthegrey AuthVariableLib is always included when compiling PlatformStandaloneMmRpmb.dsc so I assume the crash happens when you add VarCheckPolicyLib?

Correct. Because OpenSSL.

@jenswi-linaro , I am fine with making the heap size configurable, as long as we add some reasonable limits to it.
@lizthegrey one option that broke the heap size in the past was gStandaloneMmPkgTokenSpaceGuid.PcdShadowBfv, any chance that's enabled on your build?

[lizthegrey]

$ grep -r 'PcdShadowBfv\|ShadowBfv' Platform/SolidRun/StandAloneMm/StandaloneMm.dsc)
gStandaloneMmPkgTokenSpaceGuid.PcdShadowBfv|FALSE

[apalos]

$ grep -r 'PcdShadowBfv|ShadowBfv' Platform/SolidRun/StandAloneMm/StandaloneMm.dsc)
gStandaloneMmPkgTokenSpaceGuid.PcdShadowBfv|FALSE

thanks. VarCheckPolicyLibStandaloneMm is not enabled in the edk2-platforms PlatformStandaloneMmRpmb.dsc. OTOH this isn't used in any native EDKII configuration AFAIK. It's only used with U-Boot to store UEFI variables on an RPMB. It might be worth checking if we can enable it there as well

[ldts]

um I hit a similar (Secure Boot + OpenSSL + AuthVariableLib) issue in EDK2 sometime ago with the scratch memory tianocore/edk2#6394

[github-actions]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

[lizthegrey]

not stale

[apalos]

not stale

@lizthegrey can you add a build config option and keep 402 as the default. Also fail the build if the value is < 402?