Inferensys

Glossary

ARM CCA

ARM Confidential Compute Architecture (CCA) is a hardware architecture that introduces dynamically created, hardware-backed address spaces called Realms to protect sensitive data and code from the hypervisor and other virtual machines.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CONFIDENTIAL COMPUTING ARCHITECTURE

What is ARM CCA?

ARM Confidential Compute Architecture (CCA) is a hardware and firmware specification that introduces Realm Management Extension (RME) to create dynamically isolated, hardware-backed address spaces called Realms, protecting sensitive data and code from the hypervisor, host OS, and other virtual machines.

ARM CCA introduces a new architectural security state—the Realm world—enforced by the Realm Management Extension (RME). This hardware mechanism dynamically partitions physical memory into private address spaces called Realms, cryptographically isolating a workload from the hypervisor, host operating system, and all other virtual machines, even if the hypervisor is compromised.

A Realm executes within a Trusted Execution Environment (TEE) where the Granule Protection Check at the memory controller level enforces access control. The architecture relies on a hardware root of trust and an attestation protocol, allowing a remote relying party to cryptographically verify the Realm's initial state and identity before provisioning secrets or trusting its outputs.

REALM MANAGEMENT EXTENSION

Key Features of ARM CCA

ARM Confidential Compute Architecture introduces hardware-backed Realms that fundamentally reshape the trust boundary in virtualized environments, protecting sensitive workloads from the hypervisor and host OS.

01

Hardware-Enforced Realms

ARM CCA introduces dynamically created address spaces called Realms that are isolated from the hypervisor and other virtual machines. Unlike traditional VMs, a Realm's memory is encrypted and integrity-protected at the hardware level. The Realm Management Monitor (RMM) is a small, formally verified firmware component that manages Realm transitions, ensuring the hypervisor cannot access Realm memory even during context switches. This creates a minimal Trusted Computing Base (TCB) that excludes the entire host OS and hypervisor stack.

Granular
Per-VM Isolation
02

Granular Memory Granule Protection

ARM CCA manages memory at the granule level, the same unit used by the Memory Management Unit (MMU). The Granule Protection Table (GPT) is a hardware-walked structure that assigns each granule a state: Non-Secure, Secure, Realm, or Root. This allows the architecture to dynamically transition memory pages between the hypervisor and a Realm while enforcing strict access controls. A granule assigned to a Realm cannot be read or written by the hypervisor, preventing data exfiltration even by a compromised host.

04

Confidential Compute for AI Workloads

ARM CCA is designed to protect Confidential AI workloads, including model inference and training. By placing a machine learning model and its input data inside a Realm, both the model's intellectual property and the user's sensitive data remain confidential even from the cloud provider. This enables private inference scenarios where:

  • Model weights are never exposed to the host
  • Input data is encrypted until inside the Realm
  • Attestation verifies the inference environment before execution This is critical for regulated industries processing personally identifiable information (PII) or protected health information (PHI).
05

Delegated Realm Management

ARM CCA supports a Delegated Realm model where the initial measurement and attestation of a Realm can be delegated to a trusted service provider. This allows cloud operators to manage the lifecycle of Realms without being able to inspect their contents. The Realm Service Manager (RSM) concept separates the administrative plane from the data plane, enabling scalable confidential computing services where the infrastructure owner handles scheduling and resource allocation while remaining cryptographically excluded from the workload's data.

06

Formally Verified RMM Firmware

The Realm Management Monitor (RMM) is the critical firmware component that enforces isolation between Realms and the hypervisor. ARM has subjected the RMM specification to formal mathematical verification to prove its security properties. This verification ensures:

  • No information leakage between Realm and non-Realm worlds
  • Correct handling of all state transitions
  • Absence of undefined behavior in the interface This rigorous approach reduces the attack surface to a minimal, auditable codebase, significantly raising the bar for potential attackers.
ARM CCA EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the ARM Confidential Compute Architecture, Realm Management Extension, and how they redefine trust boundaries in modern cloud infrastructure.

ARM Confidential Compute Architecture (CCA) is a hardware and firmware specification that introduces a new class of isolated execution environment called a Realm. Unlike traditional Trusted Execution Environments that protect a single process, ARM CCA dynamically creates hardware-backed address spaces that shield entire virtual machines from all other software, including the hypervisor and host operating system.

It works by extending the ARM architecture with the Realm Management Extension (RME) , which introduces a new security state orthogonal to the traditional Exception Levels (EL0-EL3). This creates a two-dimensional security model where the physical address space is dynamically transitioned between four worlds: Root, Realm, Secure, and Non-secure. The hypervisor retains control over scheduling and resource allocation but is cryptographically prevented from inspecting or modifying Realm memory. A new firmware component, the Realm Management Monitor (RMM) , enforces these isolation guarantees at the hardware page-table level, ensuring that even a compromised cloud provider cannot access tenant data in use.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.