Confidential computing on edge and embedded platforms increasingly requires isolation mechanisms that support mutually distrusting workloads and provide verifiable evidence of correct execution. Arm’s Confidential Compute Architecture (CCA) introduces hardware-protected Realms and an attestation framework that reports measurements of platform and Realm state. However, CCA offers no means to derive application identities or cryptographic keys bound to measured software, limiting its integration with infrastructures that rely on measurement-based identity and complicating scalable trust establishment. In contrast, the Device Identifier Composition Engine (DICE) specification defines a mechanism for deriving keys from a device-rooted secret and the measurements of successive boot stages, enabling implicit attestation: the ability to infer execution integrity from key use alone. This paper presents an architecture that integrates DICE-based derivation into the CCA firmware stack and Realm-initialisation process. The design produces Realm-specific keys that depend on both the hardware root of trust and the measured Realm image, enabling implicit attestation while remaining compatible with CCA’s explicit attestation tokens. This integration strengthens the trust guarantees available to confidential workloads and allows CCA devices to participate in ecosystems that employ DICE for supply-chain validation and policy enforcement. A case study on confidential machine-learning inference at the edge illustrates the practical implications of this design. It shows how DICE-anchored Realms can protect model weights, prompts, and inference outputs while providing verifiable evidence of their execution context. The combined use of CCA isolation and DICE-derived identities offers a scalable environment for trustworthy multi-tenant computation on Arm-based systems.
DICE-anchored Realms on Arm CCA / Ferro, L., Sisinni, S., Ciravegna, F., Bravi, E., Lioy, A.. - ELETTRONICO. - 4198:(2026). (ITASEC & SERICS 2026 Joint National Conference on Cybersecurity 2026 Cagliari (ITA) 9-13 February 2026).
DICE-anchored Realms on Arm CCA
Ferro, Lorenzo;Sisinni, Silvia;Ciravegna, Flavio;Bravi, Enrico;Lioy, Antonio
2026
Abstract
Confidential computing on edge and embedded platforms increasingly requires isolation mechanisms that support mutually distrusting workloads and provide verifiable evidence of correct execution. Arm’s Confidential Compute Architecture (CCA) introduces hardware-protected Realms and an attestation framework that reports measurements of platform and Realm state. However, CCA offers no means to derive application identities or cryptographic keys bound to measured software, limiting its integration with infrastructures that rely on measurement-based identity and complicating scalable trust establishment. In contrast, the Device Identifier Composition Engine (DICE) specification defines a mechanism for deriving keys from a device-rooted secret and the measurements of successive boot stages, enabling implicit attestation: the ability to infer execution integrity from key use alone. This paper presents an architecture that integrates DICE-based derivation into the CCA firmware stack and Realm-initialisation process. The design produces Realm-specific keys that depend on both the hardware root of trust and the measured Realm image, enabling implicit attestation while remaining compatible with CCA’s explicit attestation tokens. This integration strengthens the trust guarantees available to confidential workloads and allows CCA devices to participate in ecosystems that employ DICE for supply-chain validation and policy enforcement. A case study on confidential machine-learning inference at the edge illustrates the practical implications of this design. It shows how DICE-anchored Realms can protect model weights, prompts, and inference outputs while providing verifiable evidence of their execution context. The combined use of CCA isolation and DICE-derived identities offers a scalable environment for trustworthy multi-tenant computation on Arm-based systems.| File | Dimensione | Formato | |
|---|---|---|---|
|
paper40.pdf
accesso aperto
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Creative commons
Dimensione
836.86 kB
Formato
Adobe PDF
|
836.86 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/3006556
