Confidential computing on edge and embedded platforms increasingly requires isolation mechanisms that support mutually distrusting workloads and provide verifiable evidence of correct execution. Arm’s Confidential Compute Architecture (CCA) introduces hardware-protected Realms and an attestation framework that reports measurements of platform and Realm state. However, CCA offers no means to derive application identities or cryptographic keys bound to measured software, limiting its integration with infrastructures that rely on measurement-based identity and complicating scalable trust establishment. In contrast, the Device Identifier Composition Engine (DICE) specification defines a mechanism for deriving keys from a device-rooted secret and the measurements of successive boot stages, enabling implicit attestation: the ability to infer execution integrity from key use alone. This paper presents an architecture that integrates DICE-based derivation into the CCA firmware stack and Realm-initialisation process. The design produces Realm-specific keys that depend on both the hardware root of trust and the measured Realm image, enabling implicit attestation while remaining compatible with CCA’s explicit attestation tokens. This integration strengthens the trust guarantees available to confidential workloads and allows CCA devices to participate in ecosystems that employ DICE for supply-chain validation and policy enforcement. A case study on confidential machine-learning inference at the edge illustrates the practical implications of this design. It shows how DICE-anchored Realms can protect model weights, prompts, and inference outputs while providing verifiable evidence of their execution context. The combined use of CCA isolation and DICE-derived identities offers a scalable environment for trustworthy multi-tenant computation on Arm-based systems.

DICE-anchored Realms on Arm CCA / Ferro, L., Sisinni, S., Ciravegna, F., Bravi, E., Lioy, A.. - ELETTRONICO. - 4198:(2026). (ITASEC & SERICS 2026 Joint National Conference on Cybersecurity 2026 Cagliari (ITA) 9-13 February 2026).

DICE-anchored Realms on Arm CCA

Ferro, Lorenzo;Sisinni, Silvia;Ciravegna, Flavio;Bravi, Enrico;Lioy, Antonio
2026

Abstract

Confidential computing on edge and embedded platforms increasingly requires isolation mechanisms that support mutually distrusting workloads and provide verifiable evidence of correct execution. Arm’s Confidential Compute Architecture (CCA) introduces hardware-protected Realms and an attestation framework that reports measurements of platform and Realm state. However, CCA offers no means to derive application identities or cryptographic keys bound to measured software, limiting its integration with infrastructures that rely on measurement-based identity and complicating scalable trust establishment. In contrast, the Device Identifier Composition Engine (DICE) specification defines a mechanism for deriving keys from a device-rooted secret and the measurements of successive boot stages, enabling implicit attestation: the ability to infer execution integrity from key use alone. This paper presents an architecture that integrates DICE-based derivation into the CCA firmware stack and Realm-initialisation process. The design produces Realm-specific keys that depend on both the hardware root of trust and the measured Realm image, enabling implicit attestation while remaining compatible with CCA’s explicit attestation tokens. This integration strengthens the trust guarantees available to confidential workloads and allows CCA devices to participate in ecosystems that employ DICE for supply-chain validation and policy enforcement. A case study on confidential machine-learning inference at the edge illustrates the practical implications of this design. It shows how DICE-anchored Realms can protect model weights, prompts, and inference outputs while providing verifiable evidence of their execution context. The combined use of CCA isolation and DICE-derived identities offers a scalable environment for trustworthy multi-tenant computation on Arm-based systems.
2026
File in questo prodotto:
File Dimensione Formato  
paper40.pdf

accesso aperto

Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Creative commons
Dimensione 836.86 kB
Formato Adobe PDF
836.86 kB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/3006556