Inferensys

Glossary

ARM CCA

ARM Confidential Compute Architecture (CCA) is a hardware security architecture that creates isolated execution environments called Realms, protecting sensitive data and workloads from the host operating system and hypervisor on ARM-based processors.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
CONFIDENTIAL COMPUTING ARCHITECTURE

What is ARM CCA?

ARM Confidential Compute Architecture (CCA) is a hardware-based security framework that introduces a new isolation boundary called a Realm, protecting sensitive data and workloads from the hypervisor, host operating system, and other virtual machines on ARM-based processors.

ARM CCA extends the exception level hierarchy of the ARM architecture by introducing a new security state—the Realm world—managed by the Realm Management Monitor (RMM). This firmware component enforces isolation between Realms and the non-secure hypervisor, ensuring that even a compromised host cannot access the memory or execution state of a protected workload. The architecture relies on hardware-backed memory encryption and dynamic memory integrity checks implemented in the memory management unit.

A core component of ARM CCA is the Realm Service Interface (RSI), which allows a Realm to request attestation reports and cryptographic services from the RMM. The architecture supports confidential virtual machines where the entire guest OS and application run within a Realm, as well as lighter-weight confidential containers. ARM CCA enables attestation through a hardware root of trust, allowing remote parties to cryptographically verify the identity and integrity of the Realm before provisioning secrets or sensitive data.

ARCHITECTURAL PILLARS

Key Features of ARM CCA

ARM Confidential Compute Architecture introduces a hardware-backed Realm abstraction that isolates sensitive workloads from the hypervisor and host OS, fundamentally reducing the Trusted Computing Base.

01

Realm Management Extension (RME)

The foundational hardware extension that introduces a new security state and physical address space. RME enables the creation of Realms—isolated execution environments that sit beside the Normal and Secure worlds. It uses Granule Protection Tables (GPT) to enforce access control at the physical memory level, ensuring the hypervisor cannot access Realm memory even with the highest privilege level.

4
Distinct Security Worlds
02

Dynamic Attestation

ARM CCA implements a hardware-rooted attestation model where the Realm Initial Measurement (RIM) is cryptographically verified before any secrets are released. The CCA Token provides a signed, verifiable claim about the Realm's initial state, firmware integrity, and platform identity. This allows remote parties to establish trust before provisioning sensitive data or model weights into the Realm.

03

Granule Protection Tables (GPT)

A hardware-enforced access control structure that governs memory at a granule granularity (typically 4KB). The GPT assigns each physical page to one of four security states: Non-Secure, Secure, Realm, or Root. This prevents the hypervisor from mapping Realm memory into its own page tables, closing a critical attack vector where a compromised hypervisor could read confidential workload data.

04

Delegated Host Model

Unlike traditional virtualization where the hypervisor controls all resources, ARM CCA introduces a Realm Manager that runs in the Normal world but operates under strict architectural constraints. The hypervisor must explicitly delegate memory and CPU resources to the Realm Manager, which then assigns them to Realms. This separation of duties ensures the host cannot unilaterally inspect or modify Realm state.

05

Confidential AI Inference

ARM CCA enables model confidentiality by loading proprietary neural network weights directly into Realm memory, invisible to the cloud operator. Client input data is encrypted in transit and decrypted only inside the attested Realm. The inference results are encrypted before leaving the TEE, ensuring end-to-end protection of both the model intellectual property and the user's sensitive queries.

06

Realm Service Interface (RSI)

A narrow, well-defined API boundary between the Realm and the host. The RSI provides essential services like attestation reporting and measurement extension without exposing the Realm's internal state. This minimal interface reduces the attack surface compared to traditional paravirtualized drivers, aligning with the principle of a small Trusted Computing Base (TCB).

CONFIDENTIAL COMPUTING COMPARISON

ARM CCA vs. Other TEE Architectures

Architectural comparison of ARM Confidential Compute Architecture against Intel TDX and AMD SEV-SNP for confidential AI workloads

FeatureARM CCAIntel TDXAMD SEV-SNP

Isolation Granularity

Realm (VM-level)

Trust Domain (VM-level)

Secure VM (VM-level)

Hypervisor Exclusion

Dynamic Memory Attestation

Granule-Based Memory Protection

Hardware Root of Trust

CCA HES (Hardware Enforced Security)

TDX Module + MCHECK

AMD-SP + PSP

Side-Channel Resistance

Speculation barriers + granule delegation

Secure Arbitration Mode (SEAM)

Reverse Map Table (RMP)

Live Migration Support

Confidential GPU Integration

Planned (Armv9.5+)

Planned (TDX Connect)

Planned (SEV-SNP + CXL)

ARM CCA EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the Arm Confidential Compute Architecture, Realm Management Extension, and how they isolate sensitive workloads from privileged software.

Arm Confidential Compute Architecture (CCA) is a hardware security architecture that creates isolated execution environments called Realms to protect sensitive data and workloads from the host operating system and hypervisor on ARM-based processors. It works by introducing a new architectural security state and a firmware component called the Realm Management Monitor (RMM) that sits alongside the hypervisor. When a workload is launched in a Realm, the RMM enforces hardware-backed memory isolation, ensuring that even a compromised or malicious hypervisor cannot access the Realm's memory pages. CCA relies on the Granule Protection Check mechanism in the memory management unit to enforce these boundaries at the hardware level. The architecture also introduces Dynamic Trusted Root of Trust for Measurement (DRTM) capabilities, allowing the system to establish a trusted execution state late in the boot process without requiring a full platform reset.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.