Arm Introduces Its Confidential Compute Architecture

Software developers will be able to check for CCA support by checking if the Realm Management Extension (RME) feature is present on the CPU (more on this later).Previously, a high-trust environment was only accessible to silicon vendors and OEMs through things such as TrustZones. With the new Realm Management Extension, pages can now transition from the non-secure world to the secure world and back again. As a side note, when RME is being used exclusively for the enhancement of TrustZone (i.e., no Realms) with dynamic memory capabilities, this specific feature is now being called “Arm Dynamic TrustZone Technology.”Under the current architecture (Armv8.4-SecEL2), there are two worlds: Secure and Non-Secure (Normal). Software running within the secure world is able to access both secure and normal world memory.Under the new RME, two new security states have been added: Root and Realm. The new Root address space is protected from all other address spaces even the secure world.The new Realm Management Extension provides the ability to dynamically transition pages of memory between these physical address spaces. Note that any memory assigned to the Normal, Secure, Root, and Realm world is encrypted by the hardware prior to written to DRAM.As part of the Arm CCA, a new firmware/software architecture is also defined.