You own firmware for a security appliance that runs on a memory-constrained embedded Linux platform. Recent features increased RAM pressure, and the device now shows intermittent watchdog resets and packet-processing latency spikes during configuration reloads and TLS-heavy traffic. You cannot simply add hardware, and the platform must continue to enforce secure boot, protect cryptographic material, and preserve useful forensic logs.
How would you optimize memory usage in this codebase and runtime while keeping the system secure and operationally debuggable? Be explicit about the tradeoffs you would make, the threats you would avoid introducing, and how you would verify the changes under realistic failure conditions.