What are bounce buffers?
Bounce buffers are temporary memory areas used when a device cannot perform DMA on the original buffer.
Common reasons include:
- The original buffer is not physically contiguous.
- The buffer resides in memory not accessible by the device.
- The buffer does not meet the device alignment or boundary constraints.
Why use bounce buffers?
Data bounces between:
- The original buffer in user space or kernel space
- The DMA-capable bounce buffer used for device I/O
This indirection allows data transfer to proceed when the original buffer is unsuitable for DMA.
CCA Realms, VirtIO, and bounce buffers
A defining feature of a Realm is that its memory (Realm memory) is isolated from both the Normal and Secure worlds.
This means:
- Realm memory is isolated in hardware by the Granule Protection Check, and on implementations that support memory encryption it is additionally encrypted with keys the host cannot access.
- The host OS and hypervisor cannot directly read or write Realm memory.
- Direct Memory Access (DMA) from peripherals or untrusted drivers cannot access Realm data, because the same granule protection applies to device accesses through the SMMU.
This isolation ensures confidentiality but requires a secure way to exchange data with untrusted components such as host network stacks or storage subsystems. Bounce buffers provide this mechanism.
How are bounce buffers used with RME?
With RME, Realms use bounce buffers to export and import data. In a Linux Realm guest this is the kernel's SWIOTLB mechanism: the bounce buffers live in memory the Realm has explicitly shared with the host, and every DMA transfer is staged through them.
Exporting data:
- A Realm application prepares data (for example, the results of computation)
- It copies the data from protected Realm memory into a bounce buffer
- The Realm notifies the untrusted host or hypervisor
- The host retrieves the data from the bounce buffer
Importing data:
- The host places data into a bounce buffer
- The Realm is notified and validates the contents (length, structure, and any protocol fields) before trusting them
- The Realm copies the data from the bounce buffer into protected memory
This pattern preserves confidentiality and integrity of Realm data because:
- The Realm never allows direct access to its protected memory
- Incoming data can be validated and sanitized before import, and host-controlled fields are copied into protected memory before they are checked so the host cannot change them between the check and the use
- Only data explicitly copied out leaves Realm protection
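The export and import steps above, as an added example in C. This is a constructed model written for this page, not Linux SWIOTLB, VirtIO, or RMM code; `struct bounce`, `struct realm`, `BOUNCE_SIZE`, `INBOX_SIZE` and the function names are assumptions. It shows the two checks the pattern relies on: export bounds are computed from Realm-owned values, and the host-controlled length is snapshotted into Realm memory before it is validated and used, so the host cannot change it between check and copy.

```c
/* Model of the Realm <-> host bounce-buffer exchange.
 * Added example constructed for this page; not Linux swiotlb, virtio, or RMM code.
 * "struct bounce" stands in for a page the Realm has shared with the host;
 * "struct realm" stands in for protected Realm memory. Sizes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BOUNCE_SIZE 64u   /* bytes in the shared bounce buffer (assumption) */
#define INBOX_SIZE  32u   /* bytes in the Realm's protected receive buffer (assumption) */

/* Shared, unprotected memory: both sides read and write it, and the host may
 * change any field at any time, including between a check and a use. */
struct bounce {
    uint32_t len;               /* payload length, written by whichever side exports */
    uint8_t  data[BOUNCE_SIZE];
};

/* Protected Realm memory: only the Realm can read or write it. */
struct realm {
    uint8_t secret[64];         /* computation results, some of which must stay private */
    uint8_t inbox[INBOX_SIZE];  /* validated data imported from the host */
    size_t  inbox_len;
};

/* Export: copy exactly [off, off+len) of Realm memory into the bounce buffer.
 * Returns the number of bytes exported, or 0 if the request is rejected.
 * All bounds come from Realm-owned values, so the host cannot influence them. */
size_t realm_export(const struct realm *r, struct bounce *b, size_t off, size_t len)
{
    if (off > sizeof r->secret || len > sizeof r->secret - off || len > BOUNCE_SIZE)
        return 0;
    /* Clear the shared buffer first so bytes from an earlier export are not
     * left visible next to the new payload. */
    memset(b->data, 0, BOUNCE_SIZE);
    memcpy(b->data, r->secret + off, len);
    b->len = (uint32_t)len;
    /* Here the Realm would notify the host (for example a virtqueue kick). */
    return len;
}

/* Import: bring host-supplied data into protected memory.
 * Returns 0 on success, -1 if the host-controlled header fails validation. */
int realm_import(struct realm *r, const struct bounce *b)
{
    /* Snapshot the host-controlled length into Realm memory once, then validate
     * and use only the snapshot. Re-reading b->len after the check would let the
     * host change it between check and copy. The payload bytes themselves are
     * untrusted input and still need protocol-level validation after import. */
    uint32_t len = b->len;
    if (len > BOUNCE_SIZE || len > INBOX_SIZE)
        return -1;
    memcpy(r->inbox, b->data, len);
    r->inbox_len = len;
    return 0;
}

/* Host-side view after an export: copies what the host can observe into out
 * and returns its length, to show that only the shared region is exposed. */
size_t host_read(const struct bounce *b, uint8_t *out, size_t outsz)
{
    size_t n = b->len < outsz ? b->len : outsz;
    memcpy(out, b->data, n);
    return n;
}

/* Walks both directions with constructed data; returns the number of expected
 * behaviours observed (6 when everything holds). */
int run_scenario(void)
{
    struct realm r = {0};
    struct bounce b = {0};
    uint8_t seen[BOUNCE_SIZE];
    int ok = 0;

    for (unsigned i = 0; i < sizeof r.secret; i++)
        r.secret[i] = (uint8_t)i;               /* constructed "results" */

    /* Export bytes 16..23 only. */
    if (realm_export(&r, &b, 16, 8) == 8) ok++;
    if (host_read(&b, seen, sizeof seen) == 8 && seen[0] == 16 && seen[7] == 23) ok++;
    if (b.data[8] == 0) ok++;                   /* secret[24..] never reached shared memory */
    if (realm_export(&r, &b, 60, 8) == 0) ok++; /* out-of-range request rejected */

    /* Host claims a payload larger than the buffer: rejected before any copy. */
    b.len = 1000;
    if (realm_import(&r, &b) == -1) ok++;

    /* Well-formed host message: imported into protected memory. */
    memcpy(b.data, "hello", 5);
    b.len = 5;
    if (realm_import(&r, &b) == 0 && r.inbox_len == 5 && r.inbox[0] == 'h') ok++;
    return ok;
}

int main(void)
{
    return run_scenario() == 6 ? 0 : 1;
}
```

The TOCTOU point in `realm_import` is the one that bites real drivers: a descriptor length or ring index read from shared memory must be copied into protected memory and checked there, never re-read from the shared page after the check.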
Does a bounce buffer preserve confidentiality?
A bounce buffer preserves the confidentiality of other Realm data because only the explicitly shared region is exposed. However, once data has been copied into the bounce buffer it is outside Realm protection: the host can read it and can modify it before a peer receives it. Use protocol-level encryption such as TLS for network traffic, or encrypted block storage for disks, to keep that data confidential and integrity-protected end to end.
Next steps
In the next section, you’ll test this by tracing SWIOTLB activity.