About this Learning Path

Who is this for?

This is an introductory topic for software developers who want to learn how to run their applications in a Realm using the Arm Confidential Compute Architecture (CCA).

What will you learn?

Upon completion of this Learning Path, you will be able to:

  • Run the Arm reference CCA software stack on an Armv-A AEM Base FVP (Fixed Virtual Platform) with support for RME extensions.
  • Create a virtual machine in a Realm running guest Linux using a pre-built docker container.
  • Run a simple application in a Realm running guest Linux.
  • Obtain a CCA attestation token from the virtual guest in a Realm.
  • Run the CCA software stack using MEC (Memory Encryption Contexts)

Prerequisites

Before starting, you will need the following:

Summary

AI-assisted

This summary was drafted with an approved AI-assisted workflow and reviewed by Arm contributors before publication. Human technical review remains part of the process so the final page reflects engineering rigor, accuracy, and Arm editorial standards.

Close
?
You’ll run the Arm Confidential Compute Architecture (CCA) reference software stack on an Armv‑A AEM Base FVP with Realm Management Extension (RME) support using a pre-built Docker image. First, you’ll boot a guest Linux virtual machine as a Realm, then inject and run a simple application inside that Realm so the program inherits the Realm’s confidential protections. You’ll also obtain a CCA attestation token from the Realm guest and learn about Memory Encryption Contexts (MEC) and how the CCA stack can run with multiple encryption contexts in the Realm Physical Address Space. By the end, you’ll see the Realm guest launch, run the injected app, and produce an attestation token.

Frequently asked questions

AI-assisted

These FAQs were drafted with an approved AI-assisted workflow and reviewed by Arm contributors before publication. Human technical review remains part of the process so the final page reflects engineering rigor, accuracy, and Arm editorial standards.

Close
?
Which Docker image does this path use, and how do I confirm it downloaded?
Pull armswdev/cca-learning-path:cca-simulation-v3. Run docker image list and check that this repository and tag appear in the output.
What result should I expect when the Realm guest virtual machine starts?
The guest virtual machine (VM) should boot as a Realm and run guest Linux. Continue when the VM is up and ready for the application injection step.
How do I place the sample application inside the Realm?
Inject the application into the guest filesystem as shown in the steps. Verify inside the guest that the file exists and is executable, then run it to confirm expected output.
Where do I retrieve the CCA attestation token in this workflow?
Request the token from inside the virtual guest running in the Realm. Follow the path step to capture the token and confirm that a token is returned.
What changes when running with Memory Encryption Contexts (MEC)?
Use the MEC section to run the CCA stack with multiple encryption contexts in the Realm Physical Address Space, identified by a MECID. The example follows the same Realm guest and application flow while enabling MEC.
Next