ARM CCA introduces a new architectural security state—the Realm world—enforced by the Realm Management Extension (RME). This hardware mechanism dynamically partitions physical memory into private address spaces called Realms, cryptographically isolating a workload from the hypervisor, host operating system, and all other virtual machines, even if the hypervisor is compromised.
Glossary
ARM CCA

What is ARM CCA?
ARM Confidential Compute Architecture (CCA) is a hardware and firmware specification that introduces Realm Management Extension (RME) to create dynamically isolated, hardware-backed address spaces called Realms, protecting sensitive data and code from the hypervisor, host OS, and other virtual machines.
A Realm executes within a Trusted Execution Environment (TEE) where the Granule Protection Check at the memory controller level enforces access control. The architecture relies on a hardware root of trust and an attestation protocol, allowing a remote relying party to cryptographically verify the Realm's initial state and identity before provisioning secrets or trusting its outputs.
Key Features of ARM CCA
ARM Confidential Compute Architecture introduces hardware-backed Realms that fundamentally reshape the trust boundary in virtualized environments, protecting sensitive workloads from the hypervisor and host OS.
Hardware-Enforced Realms
ARM CCA introduces dynamically created address spaces called Realms that are isolated from the hypervisor and other virtual machines. Unlike traditional VMs, a Realm's memory is encrypted and integrity-protected at the hardware level. The Realm Management Monitor (RMM) is a small, formally verified firmware component that manages Realm transitions, ensuring the hypervisor cannot access Realm memory even during context switches. This creates a minimal Trusted Computing Base (TCB) that excludes the entire host OS and hypervisor stack.
Granular Memory Granule Protection
ARM CCA manages memory at the granule level, the same unit used by the Memory Management Unit (MMU). The Granule Protection Table (GPT) is a hardware-walked structure that assigns each granule a state: Non-Secure, Secure, Realm, or Root. This allows the architecture to dynamically transition memory pages between the hypervisor and a Realm while enforcing strict access controls. A granule assigned to a Realm cannot be read or written by the hypervisor, preventing data exfiltration even by a compromised host.
Confidential Compute for AI Workloads
ARM CCA is designed to protect Confidential AI workloads, including model inference and training. By placing a machine learning model and its input data inside a Realm, both the model's intellectual property and the user's sensitive data remain confidential even from the cloud provider. This enables private inference scenarios where:
- Model weights are never exposed to the host
- Input data is encrypted until inside the Realm
- Attestation verifies the inference environment before execution This is critical for regulated industries processing personally identifiable information (PII) or protected health information (PHI).
Delegated Realm Management
ARM CCA supports a Delegated Realm model where the initial measurement and attestation of a Realm can be delegated to a trusted service provider. This allows cloud operators to manage the lifecycle of Realms without being able to inspect their contents. The Realm Service Manager (RSM) concept separates the administrative plane from the data plane, enabling scalable confidential computing services where the infrastructure owner handles scheduling and resource allocation while remaining cryptographically excluded from the workload's data.
Formally Verified RMM Firmware
The Realm Management Monitor (RMM) is the critical firmware component that enforces isolation between Realms and the hypervisor. ARM has subjected the RMM specification to formal mathematical verification to prove its security properties. This verification ensures:
- No information leakage between Realm and non-Realm worlds
- Correct handling of all state transitions
- Absence of undefined behavior in the interface This rigorous approach reduces the attack surface to a minimal, auditable codebase, significantly raising the bar for potential attackers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the ARM Confidential Compute Architecture, Realm Management Extension, and how they redefine trust boundaries in modern cloud infrastructure.
ARM Confidential Compute Architecture (CCA) is a hardware and firmware specification that introduces a new class of isolated execution environment called a Realm. Unlike traditional Trusted Execution Environments that protect a single process, ARM CCA dynamically creates hardware-backed address spaces that shield entire virtual machines from all other software, including the hypervisor and host operating system.
It works by extending the ARM architecture with the Realm Management Extension (RME) , which introduces a new security state orthogonal to the traditional Exception Levels (EL0-EL3). This creates a two-dimensional security model where the physical address space is dynamically transitioned between four worlds: Root, Realm, Secure, and Non-secure. The hypervisor retains control over scheduling and resource allocation but is cryptographically prevented from inspecting or modifying Realm memory. A new firmware component, the Realm Management Monitor (RMM) , enforces these isolation guarantees at the hardware page-table level, ensuring that even a compromised cloud provider cannot access tenant data in use.
Related Terms
Core concepts and complementary technologies that form the foundation of ARM CCA's Realm architecture and the broader confidential computing landscape.
Confidential Computing
The overarching hardware-based security paradigm that protects data in use by performing computation within a hardware-enforced Trusted Execution Environment. ARM CCA is a specific architectural implementation of confidential computing that extends protection boundaries to entire virtual machines through Realms, shielding workloads from the hypervisor, host OS, and cloud provider.
Attestation
The cryptographic process by which an ARM CCA Realm proves its identity, integrity, and security posture to a remote relying party before secrets are provisioned. CCA uses the Hardware Enforced Security (HES) component and CCA Token format, enabling verifiers to cryptographically confirm that a Realm is genuine and running unmodified code on authentic ARM hardware.
Confidential VM
A full virtual machine instance running inside a hardware-backed TEE, encrypting its entire memory space. ARM CCA Realms are a type of Confidential VM that provide:
- Memory encryption transparent to the guest OS
- Hypervisor exclusion from the Trusted Computing Base
- Dynamic memory assignment through Granule Protection Tables
- Lift-and-shift migration without application modification
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components critical to a system's security. ARM CCA dramatically reduces the TCB by:
- Removing the hypervisor and host OS from the trust boundary
- Limiting trusted firmware to the Monitor at EL3 and the RMM at EL2
- Excluding the Realm owner's management software from the guest's TCB
- A smaller TCB means fewer attack surfaces and easier formal verification

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us