Protecting AI in Use
AI models and data are valuable, making them prime targets for theft and manipulation. Regulators are increasingly demanding stronger protection for AI privacy and sovereignty. Host software, like operating systems or hypervisors, allocates resources to applications. When doing so, it can see and modify an application’s content. To ensure confidentiality, compliance, and market access, AI applications must be adequately resourced while keeping code and data inaccessible to host software or other tenants.
Confidential Computing on Arm makes this possible. Hardware-based trusted execution environments and reference software protect AI models and data in use.
Why Arm for Confidential Computing?
- Built for AI: Armv9-A with Realm Management Extension (RME) creates secure “Realms” to isolate models and data. Realms are trusted execution environments.
- CPU + GPU protection: Extends the circle of trust to accelerators, safeguarding AI workloads without restriction.
- Scalable and efficient: Realms can scale with model size, with lift-and-shift migration from non-confidential Virtual Machines.
- Open and auditable reference software: Developed with full transparency to the security community.
- Aligned with standards: Active in global security communities to reduce fragmentation and ensure global consistency.
Benefits Across AI Markets
With the approach to confidential computing consistent across environments, security leads get consistent controls and simpler compliance, ensuring a unified risk posture.
Cloud
Confidentiality for regulated workloads, such as healthcare or financial services, where data and IP must remain hidden to comply with regulation.
Edge
Protects sensitive workloads in real time across industrial systems and personal devices.
How Confidential Computing on Arm Works
Arm’s Confidential Compute Architecture is associated with three main execution states:
- The Normal world for running the non-confidential compute workloads, including the host hypervisor, such as KVM.
- The Secure world for running first-party secure software used as part of our TrustZone architecture.
- The Realm world that is used to support Realm-based confidential computing.
The switching between the Normal, Realm, and Secure worlds is performed by the TF-A Monitor operating in a fourth execution state, the Root world.
The Realm Management Monitor (TF-RMM) is the controlling software in the Realm world. It responds to requests from the hypervisor in the Normal world so that the execution of Realm VMs can be managed. The RMM communicates through the TF-A Monitor to control memory transitions between the Normal Physical Address Space (PAS) and the Realm PAS.
The RMM is responsible for managing communication and context switching, but it does not make policy decisions, such as which Realm to run or what memory to allocate to a Realm. Those decisions remain with the host hypervisor, consistent with its role of managing the resources of the overall system.
The TF-RMM operates in Realm EL2, and the TF-A Monitor runs at the root of trust of the CPU. Both are available and open for contributions at TrustedFirmware.org.
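The split of responsibilities described above (the host decides which memory a Realm gets, the RMM carries out the request, the Root-world Monitor enforces the result) as an added Python model; this is illustration code, not Arm's or TrustedFirmware's. It assumes RME's access rule that Root reaches every PAS while each other world reaches only its own PAS plus Normal, and that the RMM scrubs a granule before undelegating it.

```python
# Toy model of RME granule protection (added illustration, not Arm code): each
# granule carries a PAS, the Monitor enforces who may touch it, and the RMM
# moves granules between the Normal and Realm PAS on the host's request.
NORMAL, SECURE, REALM, ROOT = "normal", "secure", "realm", "root"
# PASes each world may access: Root sees all, the others their own plus Normal.
ACCESS = {NORMAL: {NORMAL}, SECURE: {NORMAL, SECURE},
          REALM: {NORMAL, REALM}, ROOT: {NORMAL, SECURE, REALM, ROOT}}

class GranuleProtectionFault(Exception):
    """A world touched a PAS that the GPT does not let it access."""

def granule(gpt, pa):  # GPT entry [pas, contents]; constructed 8-byte page
    return gpt.setdefault(pa, [NORMAL, b"\x00" * 8])

def access(gpt, world, pa, data=None):  # check the hardware applies per access
    g = granule(gpt, pa)
    if g[0] not in ACCESS[world]:
        raise GranuleProtectionFault(f"{world} world -> {g[0]} PAS @ {pa:#x}")
    if data is not None:
        g[1] = data
    return g[1]

def rmm_delegate(gpt, pa):  # host picked pa; the RMM only carries it out
    g = granule(gpt, pa)
    if g[0] != NORMAL:  # Secure or Root memory can never become Realm memory
        return False
    g[0] = REALM  # in hardware the RMM asks the Monitor to rewrite the GPT
    return True

def rmm_undelegate(gpt, pa):
    g = granule(gpt, pa)
    if g[0] != REALM:
        return False
    g[1] = b"\x00" * len(g[1])  # scrub before the host regains access
    g[0] = NORMAL
    return True

def run_scenario():  # host delegates, a Realm fills it, host gets it back wiped
    gpt, pa, out = {}, 0x8000_0000, {}
    out["host_before"] = access(gpt, NORMAL, pa, b"hostdata")
    out["delegated"] = rmm_delegate(gpt, pa)
    out["realm_write"] = access(gpt, REALM, pa, b"secret!!")
    try:
        out["host_during"] = access(gpt, NORMAL, pa)
    except GranuleProtectionFault:
        out["host_during"] = "fault"
    out["undelegated"] = rmm_undelegate(gpt, pa)
    out["host_after"] = access(gpt, NORMAL, pa)
    granule(gpt, 0x9000_0000)[0] = SECURE  # TrustZone-owned granule
    out["delegate_secure"] = rmm_delegate(gpt, 0x9000_0000)
    return out
```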
Learn the Architecture: Realm Management Extension
Learn the Architecture: Introducing Arm Confidential Compute Architecture
Learn the Architecture: Arm Confidential Compute Architecture Software Stack
Arm Realm Management Extension (RME) System Architecture
Realm Management Extension
The Realm Management Extension is documented in the Arm Architecture Reference Manual for A-profile.
Arm System Memory Management Unit Architecture Supplement
The Realm Management Extension (RME), for SMMUv3
Arm Architecture Reference Manual Supplement Memory System Resource Partitioning and Monitoring (MPAM), for A-Profile Architecture
Realm Management Monitor Specification
Arm Confidential Compute Architecture (CCA) Security Model (SM)
CCA Tech Event hosted by Arm and Linaro
Get the videos from Arm CCA talks and panel session here.