OVERVIEW

Protecting AI with Confidential Computing

AI Summary

Confidential computing for AI enables sensitive data and models to remain protected while they are actively processed, using hardware-based isolation to ensure workloads run securely in shared environments. This approach is increasingly critical as AI workloads scale across cloud infrastructure and handle regulated or proprietary data.

WHY ARM

Why Arm for Confidential Computing?

  • Built for AI: Armv9-A with Realm Management Extension (RME) creates secure “Realms” to isolate models and data. Realms are trusted execution environments.
  • CPU + GPU protection: Extends the circle of trust to accelerators, safeguarding AI workloads without restriction.
  • Scalable and efficient: Realms can scale with model size, with lift-and-shift migration from non-confidential Virtual Machines.
  • Open and auditable reference software: Developed with full transparency to the security community.
  • Aligned with standards: Active in global security communities to reduce fragmentation and ensure global consistency.

BENEFITS

Benefits Across AI Markets

With the approach to confidential computing consistent across environments, security leads get consistent controls and simpler compliance, ensuring a unified risk posture.

Cloud

Confidentiality for regulated workloads, such as healthcare or financial services, where data and IP must remain hidden to comply with regulation.

Edge

Protects sensitive workloads in real time across industrial systems and personal devices.

HOW IT WORKS

How Confidential Computing on Arm Works

Arm’s Confidential Compute Architecture defines three main execution states:

  • The Normal world for running the non-confidential compute workloads, including the host hypervisor, such as KVM.
  • The Secure world for running first-party secure software used as part of our TrustZone architecture.
  • The Realm world that is used to support Realm-based confidential computing.

Switching between the Normal, Realm, and Secure worlds is performed by the TF-A Monitor, which operates in a fourth execution state, the Root world.

The Realm Management Monitor (TF-RMM) is the controlling software in the Realm world. It reacts to requests from the hypervisor in the Normal world to allow management of Realm VM execution, and it communicates through the TF-A Monitor to control memory transitions between the Normal Physical Address Space (PAS) and the Realm PAS.

The RMM is responsible for managing communication and context switching, but it does not make policy decisions, such as which Realm to run or what memory to allocate to a Realm. Those decisions remain with the host hypervisor, consistent with its role of managing the resources of the overall system.

The TF-RMM operates in Realm EL2, and the TF-A Monitor runs at the root of trust of the CPU. Both are available and open for contributions at TrustedFirmware.org.
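To make the split between host policy and RMM/Monitor enforcement concrete, here is an added toy model (constructed for this page; it is not TF-RMM or TF-A code and does not use their real interfaces) of one granule of memory moving from the Normal PAS to the Realm PAS and back. The host picks which granule goes to which Realm, while the model's RMM and Monitor refuse a Normal-world read of Realm-owned memory and refuse to return a granule to the Normal PAS while a Realm still owns it. The class names, the 8-byte granule size and the scrub-before-undelegate step are assumptions of the model.

```python
NORMAL, REALM = "normal", "realm"        # the two physical address spaces modelled
GRANULE = 8                              # toy granule size in bytes (assumption)

class Monitor:
    """Root world (stand-in for TF-A): the only component that changes a
    granule's PAS; access() models the hardware granule protection check."""
    def __init__(self, n):
        self.pas = [NORMAL] * n
        self.mem = [bytes(GRANULE)] * n

    def access(self, idx, world):
        if world == NORMAL and self.pas[idx] == REALM:
            raise PermissionError(f"granule {idx}: Normal-world access to Realm PAS")
        return self.mem[idx]

class RMM:
    """Realm world (stand-in for TF-RMM): enforces ownership rules but never
    chooses which granule moves; every method here is a host request."""
    def __init__(self, monitor):
        self.mon, self.owner = monitor, {}   # owner: granule index -> realm id
    def delegate(self, idx):                 # Normal PAS -> Realm PAS
        if self.mon.pas[idx] != NORMAL:
            raise ValueError("already delegated")
        self.mon.pas[idx] = REALM
    def assign(self, idx, realm):            # hand a delegated granule to a realm
        if self.mon.pas[idx] != REALM or idx in self.owner:
            raise ValueError("not delegated, or already owned")
        self.owner[idx] = realm
    def release(self, idx, realm):           # realm hands the granule back
        if self.owner.get(idx) != realm:
            raise ValueError("not owned by that realm")
        del self.owner[idx]
    def undelegate(self, idx):               # Realm PAS -> Normal PAS
        if self.mon.pas[idx] != REALM or idx in self.owner:
            raise ValueError("not delegated, or still owned by a realm")
        self.mon.mem[idx] = bytes(GRANULE)   # scrub before return (model assumption)
        self.mon.pas[idx] = NORMAL

def host_scenario():
    """Host picks granule 2 for realm 'A' (its policy); RMM/Monitor enforce."""
    mon = Monitor(4); rmm = RMM(mon)
    rmm.delegate(2); rmm.assign(2, "A")
    mon.mem[2] = b"secretAB"                 # realm-world write of realm data
    try: host_read = mon.access(2, NORMAL)   # host peeks: fails the protection check
    except PermissionError: host_read = None
    try: rmm.undelegate(2); early = True     # host reclaims while realm still owns it
    except ValueError: early = False
    rmm.release(2, "A"); rmm.undelegate(2)   # proper teardown: release, then undelegate
    return host_read, early, mon.access(2, NORMAL)
```

Running host_scenario() shows the host never observes the Realm's data: the peek fails, the early reclaim is rejected, and after teardown the granule comes back scrubbed.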

KEY RESOURCES

Key Takeaways

  • Confidential computing protects data while it is actively being processed, not just when it is stored or transmitted.

  • Hardware-based isolation ensures that sensitive AI workloads remain secure even in shared cloud environments.

  • This approach enables organizations to use AI with regulated or proprietary data more safely.

  • Reduces the risk of data exposure across infrastructure layers and operators.

  • Confidential computing is becoming essential as AI workloads scale across multi-tenant environments.