ARM CCA extends the exception level hierarchy of the ARM architecture by introducing a new security state—the Realm world—managed by the Realm Management Monitor (RMM). This firmware component enforces isolation between Realms and the non-secure hypervisor, ensuring that even a compromised host cannot access the memory or execution state of a protected workload. The architecture relies on hardware-backed memory encryption and dynamic memory integrity checks implemented in the memory management unit.
Glossary
ARM CCA

What is ARM CCA?
ARM Confidential Compute Architecture (CCA) is a hardware-based security framework that introduces a new isolation boundary called a Realm, protecting sensitive data and workloads from the hypervisor, host operating system, and other virtual machines on ARM-based processors.
A core component of ARM CCA is the Realm Service Interface (RSI), which allows a Realm to request attestation reports and cryptographic services from the RMM. The architecture supports confidential virtual machines where the entire guest OS and application run within a Realm, as well as lighter-weight confidential containers. ARM CCA enables attestation through a hardware root of trust, allowing remote parties to cryptographically verify the identity and integrity of the Realm before provisioning secrets or sensitive data.
Key Features of ARM CCA
ARM Confidential Compute Architecture introduces a hardware-backed Realm abstraction that isolates sensitive workloads from the hypervisor and host OS, fundamentally reducing the Trusted Computing Base.
Realm Management Extension (RME)
The foundational hardware extension that introduces a new security state and physical address space. RME enables the creation of Realms—isolated execution environments that sit beside the Normal and Secure worlds. It uses Granule Protection Tables (GPT) to enforce access control at the physical memory level, ensuring the hypervisor cannot access Realm memory even with the highest privilege level.
Dynamic Attestation
ARM CCA implements a hardware-rooted attestation model where the Realm Initial Measurement (RIM) is cryptographically verified before any secrets are released. The CCA Token provides a signed, verifiable claim about the Realm's initial state, firmware integrity, and platform identity. This allows remote parties to establish trust before provisioning sensitive data or model weights into the Realm.
Granule Protection Tables (GPT)
A hardware-enforced access control structure that governs memory at a granule granularity (typically 4KB). The GPT assigns each physical page to one of four security states: Non-Secure, Secure, Realm, or Root. This prevents the hypervisor from mapping Realm memory into its own page tables, closing a critical attack vector where a compromised hypervisor could read confidential workload data.
Delegated Host Model
Unlike traditional virtualization where the hypervisor controls all resources, ARM CCA introduces a Realm Manager that runs in the Normal world but operates under strict architectural constraints. The hypervisor must explicitly delegate memory and CPU resources to the Realm Manager, which then assigns them to Realms. This separation of duties ensures the host cannot unilaterally inspect or modify Realm state.
Confidential AI Inference
ARM CCA enables model confidentiality by loading proprietary neural network weights directly into Realm memory, invisible to the cloud operator. Client input data is encrypted in transit and decrypted only inside the attested Realm. The inference results are encrypted before leaving the TEE, ensuring end-to-end protection of both the model intellectual property and the user's sensitive queries.
Realm Service Interface (RSI)
A narrow, well-defined API boundary between the Realm and the host. The RSI provides essential services like attestation reporting and measurement extension without exposing the Realm's internal state. This minimal interface reduces the attack surface compared to traditional paravirtualized drivers, aligning with the principle of a small Trusted Computing Base (TCB).
ARM CCA vs. Other TEE Architectures
Architectural comparison of ARM Confidential Compute Architecture against Intel TDX and AMD SEV-SNP for confidential AI workloads
| Feature | ARM CCA | Intel TDX | AMD SEV-SNP |
|---|---|---|---|
Isolation Granularity | Realm (VM-level) | Trust Domain (VM-level) | Secure VM (VM-level) |
Hypervisor Exclusion | |||
Dynamic Memory Attestation | |||
Granule-Based Memory Protection | |||
Hardware Root of Trust | CCA HES (Hardware Enforced Security) | TDX Module + MCHECK | AMD-SP + PSP |
Side-Channel Resistance | Speculation barriers + granule delegation | Secure Arbitration Mode (SEAM) | Reverse Map Table (RMP) |
Live Migration Support | |||
Confidential GPU Integration | Planned (Armv9.5+) | Planned (TDX Connect) | Planned (SEV-SNP + CXL) |
Frequently Asked Questions
Clear, technical answers to the most common questions about the Arm Confidential Compute Architecture, Realm Management Extension, and how they isolate sensitive workloads from privileged software.
Arm Confidential Compute Architecture (CCA) is a hardware security architecture that creates isolated execution environments called Realms to protect sensitive data and workloads from the host operating system and hypervisor on ARM-based processors. It works by introducing a new architectural security state and a firmware component called the Realm Management Monitor (RMM) that sits alongside the hypervisor. When a workload is launched in a Realm, the RMM enforces hardware-backed memory isolation, ensuring that even a compromised or malicious hypervisor cannot access the Realm's memory pages. CCA relies on the Granule Protection Check mechanism in the memory management unit to enforce these boundaries at the hardware level. The architecture also introduces Dynamic Trusted Root of Trust for Measurement (DRTM) capabilities, allowing the system to establish a trusted execution state late in the boot process without requiring a full platform reset.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core technologies and concepts that form the foundation of ARM CCA and the broader confidential computing landscape.
Granule Protection Check
The hardware-enforced memory access control mechanism in ARM CCA. Physical memory is divided into fixed-size units called granules, and each granule is tagged with a state: RMM-managed, Host-managed, or Realm-managed. The memory management unit (MMU) performs a Granule Protection Check on every memory access, ensuring:
- The host cannot read or write Realm-private memory
- A Realm cannot access another Realm's granules
- State transitions require explicit RMM authorization This provides deterministic isolation enforced at the silicon level.
Confidential AI on ARM
ARM CCA enables end-to-end confidential AI workloads by protecting both model weights and input data during inference. A Realm can load a proprietary model, receive encrypted user queries, and return results—all while the cloud provider's hypervisor remains blind to the computation. Key benefits:
- Model IP protection: Weights never appear in plaintext to the host
- User privacy: Queries and responses are isolated from the infrastructure
- Attestable lineage: Clients verify the exact model hash before sending data This is foundational for sovereign AI deployments on ARM-based cloud instances.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us