About this Learning Path

Who is this for?

This Learning Path is for software developers who want to run an end-to-end attestation flow using Arm Confidential Compute Architecture (CCA) and Trustee services.

What will you learn?

Upon completion of this Learning Path, you will be able to:

  • Describe how you can use attestation with Arm's Confidential Computing Architecture (CCA) and Trustee services
  • Deploy a simple workload in a CCA realm on an Armv9-A AEM Base Fixed Virtual Platform (FVP) that has support for RME extensions
  • Connect the workload with Trustee services to create an end-to-end example that uses attestation to unlock the confidential processing of data

Prerequisites

Before starting, you will need the following:

Summary

AI-assisted

This summary was drafted with an approved AI-assisted workflow and reviewed by Arm contributors before publication. Human technical review remains part of the process so the final page reflects engineering rigor, accuracy, and Arm editorial standards.

Close
?
You’ll complete an end-to-end confidential computing attestation flow on an Arm Fixed Virtual Platform using Arm Confidential Compute Architecture and Trustee services. First, you’ll start the Trustee components, launch a Linux realm on an Armv9-A FVP with Realm Management Extension (RME), and generate attestation evidence from the realm. After intentionally denying the first secret request to see how policy-based gating works, you’ll endorse the realm initial measurement (RIM), repeat attestation, and retrieve the secret after the environment proves its isolation properties. By the end, you’ll exercise and validate the complete path from evidence generation to policy-controlled secret release.

Frequently asked questions

AI-assisted

These FAQs were drafted with an approved AI-assisted workflow and reviewed by Arm contributors before publication. Human technical review remains part of the process so the final page reflects engineering rigor, accuracy, and Arm editorial standards.

Close
?
What result should I expect from the first secret request?
The initial request is expected to fail. The attestation policy blocks secret release until the realm initial measurement (RIM) is endorsed.
How do I know the Trustee services are running correctly before launching the realm?
Check the Docker container status and logs for the Trustee services. They should start without errors and be ready to accept requests.
When should I endorse the RIM, and how do I confirm it worked?
Endorse the RIM after the first secret request is denied. After endorsement, re-run attestation and expect the secret request to succeed.
How can I verify that the realm generated attestation evidence?
The realm run produces evidence that the Attestation Service (AS) processes. Check the output and logs for evidence generation and a corresponding response from the AS.
How do I know the FVP realm is ready before requesting a secret?
The Linux realm should complete boot on the FVP and be able to produce attestation evidence. If evidence generation fails, resolve that before proceeding to secret requests.
Next