ArmDeveloperEcosystem · pareenaverma · Dec 17, 2025 · Dec 8, 2025
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-container/_index.md b/content/learning-paths/servers-and-cloud-computing/cca-container/_index.md
@@ -10,19 +10,22 @@ learning_objectives:
     - Create a virtual machine in a Realm running guest Linux using a pre-built docker container.
     - Run a simple application in a Realm running guest Linux.
     - Obtain a CCA attestation token from the virtual guest in a Realm.
+    - Run the CCA software stack using MEC (Memory Encryption Contexts)
 
 prerequisites:
-    - An AArch64 or x86_64 computer running Linux. You can use cloud instances, refer to the list of [Arm cloud service providers](/learning-paths/servers-and-cloud-computing/csp/).
+    - An AArch64 or x86_64 computer running Linux or MacOS. You can use cloud instances, refer to the list of [Arm cloud service providers](/learning-paths/servers-and-cloud-computing/csp/).
 
-author: Pareena Verma
+author:
+    - Pareena Verma
+    - Arnaud de Grandmaison
 
 ### Tags
 skilllevels: Introductory
 subjects: Performance and Architecture
 armips:
-    - Neoverse 
+    - Neoverse
 operatingsystems:
-    - Linux 
+    - Linux
 tools_software_languages:
     - GCC
     - FVP
@@ -31,8 +34,12 @@ tools_software_languages:
     - Docker
     - Runbook
 
-    
+
 further_reading:
+    - resource:
+        title: Learn the architecture - Introducing Arm Confidential Compute Architecture
+        link: https://developer.arm.com/documentation/den0125
+        type: documentation
     - resource:
         title: Arm Confidential Compute Architecture
         link: https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture

diff --git a/content/learning-paths/servers-and-cloud-computing/cca-container/cca-container.md b/content/learning-paths/servers-and-cloud-computing/cca-container/cca-container.md
@@ -9,16 +9,16 @@ layout: "learningpathall"
 ---
 ## Download the docker image
 
-Start by downloading the docker container image. 
+Start by downloading the docker container image.
 
-This docker image contains the pre-built binaries for the Arm CCA reference software stack and the Armv-A Base Architecture Envelope Model (AEM) FVP with support for RME extensions. 
+This docker image contains the pre-built binaries for the Arm CCA reference software stack and the Armv-A Base Architecture Envelope Model (AEM) FVP with support for RME extensions.
 
 Install [docker engine](/install-guides/docker/docker-engine) on your machine.
 
 Pull the docker image from DockerHub:
 
 ```console
-docker pull armswdev/aemfvp-cca-v2-image
+docker pull armswdev/cca-learning-path:cca-simulation-v3
 ```
 Confirm that the docker container image was downloaded successfully:
 
@@ -29,31 +29,34 @@ docker image list
 The output should be similar to:
 
 ```output
-REPOSITORY        				TAG       IMAGE ID       CREATED       SIZE
-armswdev/aemfvp-cca-v2-image   	latest    e1c36b91d3d7   5 weeks ago   1.34GB
+IMAGE                                                                          ID             DISK USAGE   CONTENT SIZE   EXTRA
+
+...
+armswdev/cca-learning-path:cca-simulation-v3                                   21500198bb93       1.18GB             0B
+...
 ```
 Run the docker container:
 
 ```console
-docker run -it armswdev/aemfvp-cca-v2-image /bin/bash
+docker run --rm -it armswdev/cca-learning-path:cca-simulation-v3
 ```
-You are now inside the `/tmp/cca-stack` directory of the running `armswdev/aemfvp-cca-v2-image` container.
+You are now inside the home directory (`/home/cca`) of user `cca` in the running `armswdev/cca-learning-path:cca-simulation-v3` container.
 
 ```output
-ubuntu@84eb170a69b9:/tmp/cca-stack$
+cca@a9866f863546:~$
 ```
 
 ## Run the software stack
 
-The pre-built binaries for the Arm CCA reference software stack are present in the `output/aemfvp-a-rme` directory. 
+The pre-built binaries for the Arm CCA reference software stack are present in the `cca-3world/` directory.
 
 ```console
-ls output/aemfvp-a-rme/
+ls cca-3world/
 ```
-This includes the Trusted Firmware binaries, the host root filesystem and the host Linux kernel image:
+This includes the Realm Management Monitor (`rmm.img`), the host root filesystem (`host-rootfs.ext2`) and the host Linux kernel image (`Image`) and the trusted firmware binaries:
 
 ```output
-Image  KVMTOOL_EFI.fd  bl1-uefi.bin  bl1.bin  fip-std-tests.bin  fip-uefi.bin  fip.bin  host-fs.ext4
+FVP_AARCH64_EFI.fd  Image  bl1.bin  bl2.bin  bl31.bin  dt_bootargs.dtb  fip.bin  host-rootfs.ext2  kselftests.tgz  modules.tgz  rmm.img
 ```
 
 These binaries can run on an Armv-A Base Architecture Envelope Model (AEM) FVP with support for RME extensions. AEM FVPs are fixed configuration virtual platforms of Armv8-A and Armv9-A architectures with comprehensive system IP. The FVP is also contained within this docker container.
@@ -68,71 +71,75 @@ Launch the `run-cca-fvp.sh` script to run the Arm CCA pre-built binaries on the
 A number of `Info` and `Warning` messages will be emitted by the FVP. These can safely be ignored.
 {{% /notice %}}
 
-The `run-cca-fvp.sh` script uses the `screen` command to connect to the different UARTs in the FVP.  
+The `run-cca-fvp.sh` script uses the `screen` command to connect to the different UARTs in the FVP.
 
 You should see the host Linux kernel boot on your terminal:
 
 ```output
-udhcpc: started, v1.31.1
-udhcpc: sending discover
-udhcpc: sending select for 172.20.51.1
-udhcpc: lease of 172.20.51.1 obtained, lease time 86400
+udhcpc: started, v1.36.1
+udhcpc: broadcasting discover
+udhcpc: broadcasting select for 172.20.51.1, server 172.20.51.254
+udhcpc: lease of 172.20.51.1 obtained from 172.20.51.254, lease time 86400
 deleting routers
 adding dns 172.20.51.254
-FAIL
-Starting dropbear sshd: OK
+OK
+Starting chrony: OK
+Starting crond: OK
+Setting up macvtap... [   16.681271] smc91x 1a000000.ethernet eth0: entered promiscuous mode
+OK
 
-Welcome to Buildroot
-buildroot login:
+Welcome to the CCA host
+host login:
 ```
 
-You will be prompted to log in to buildroot. Enter `root` as both the username and password.
+You will be prompted to log in to the CCA host. Enter `root` as the username (no password is required).
 
-You have successfully booted four worlds (Root, Secure, Non-secure and Realm) on the FVP at this point:
+You have successfully booted 3 worlds (Root, Non-secure and Realm) on the FVP at this point:
 
 * Trusted Firmware-A is running in Root.
 * Realm Management Monitor (RMM) in Realm.
 * Host Linux in Non-secure.
-* Hafnium in Secure. 
 
 ## Create a virtual guest in a Realm
 
-Guest VMs can be launched in a Realm using `kvmtool` from your host Linux prompt. The kernel `Image` and filesystem `realm-fs.ext4` for the Realm are packaged into the buildroot host file system.
+Guest VMs can be launched in a Realm using `kvmtool` from your host Linux prompt. The realm disk image `guest-disk.img` is included into the host file system.
 
 Use `kvmtool` to launch guest Linux in a Realm:
 
 ```console
-lkvm run --realm --restricted_mem -c 2 -m 256 -k /realm/Image -d /realm/realm-fs.ext4 -p earlycon
+cd /cca
+./lkvm run --realm --disable-sve --irqchip=gicv3-its --firmware KVMTOOL_EFI.fd -c 1 -m 512 --no-pvtime --force-pci --disk guest-disk.img --measurement-algo=sha256 --restricted_mem
 ```
+
 You should see the guest Linux kernel starting to boot in a Realm. This step can take several minutes.
 
-After boot up, you will be prompted to log in at the guest Linux buildroot prompt. Use `root` again as both the username and password.
+After boot up, you will be prompted to log in at the guest Linux prompt, use the `root` username (no password required):
 
 ```output
-Starting network: udhcpc: started, v1.31.1
-udhcpc: sending discover
-udhcpc: sending select for 192.168.33.15
-udhcpc: lease of 192.168.33.15 obtained, lease time 14400
+udhcpc: started, v1.36.1
+udhcpc: broadcasting discover
+udhcpc: broadcasting select for 192.168.33.15, server 192.168.33.1
+udhcpc: lease of 192.168.33.15 obtained from 192.168.33.1, lease time 14400
 deleting routers
 adding dns 172.20.51.254
-OK
-Starting dropbear sshd: OK
+FAIL
+Starting chrony: OK
+Starting crond: OK
+Setting up macvtap... OK
 
-Welcome to Buildroot
-buildroot login:
+Welcome to the CCA realm
+realm login:
 ```
+
 You have successfully created a virtual guest in a Realm using the Arm CCA reference software stack.
 
 ## Obtain a CCA attestation token from the virtual guest in a Realm
 
-Attestation tokens are small reports that are produced by a device upon request. Those tokens are composed of key/value pairs called claims. A CCA attestation token is a collection of claims about the state of a Realm and the CCA platform on which the Realm is running. 
+Attestation tokens are small reports that are produced by a device upon request. Those tokens are composed of key/value pairs called claims. A CCA attestation token is a collection of claims about the state of a Realm and the CCA platform on which the Realm is running.
 
 Refer to [section A7.2 of the Realm Management Monitor Specification](https://developer.arm.com/documentation/den0137/latest/) to learn about the details of the CCA attestation token.
 
-To retrieve a CCA attestation token from the running guest, mount the `configfs` filesystem:
-```console
-mount -t configfs none /sys/kernel/config
-```
+The retrieval of a CCA attestation token from a running guest is done by reading from `/sys/kernel/config/tsm/report/`. This is available when linux's `configfs` has been mounted, which has been done automatically as part of the guest boot process --- if you are curious, this is the `configfs    /sys/kernel/config      configfs    defaults        0       0` line in `/etc/fstab`.
 
 You can now generate an attestation token by running the following commands:
 
@@ -145,62 +152,73 @@ hexdump -C $report/outblob
 
 The output should look like:
 ```output
-00000340  00 00 00 00 19 ac cd 58  61 04 76 f9 88 09 1b e5  |.......Xa.v.....|
-00000350  85 ed 41 80 1a ec fa b8  58 54 8c 63 05 7e 16 b0  |..A.....XT.c.~..|
-00000360  e6 76 12 0b bd 0d 2f 9c  29 e0 56 c5 d4 1a 01 30  |.v..../.).V....0|
-00000370  eb 9c 21 51 78 99 dc 23  14 6b 28 e1 b0 62 bd 3e  |..!Qx..#.k(..b.>|
-00000380  a4 b3 15 fd 21 9f 1c bb  52 8c b6 e7 4c a4 9b e1  |....!...R...L...|
-00000390  67 73 73 4f 61 a1 ca 61  03 1b 2b bf 3d 91 8f 2f  |gssOa..a..+.=../|
-000003a0  94 ff c4 22 8e 50 91 95  44 ae 19 ac cc 67 73 68  |...".P..D....gsh|
-000003b0  61 2d 32 35 36 19 ac d0  67 73 68 61 2d 32 35 36  |a-256...gsha-256|
-000003c0  19 ac ce 58 20 d7 6c b0  e0 f4 d1 00 4d 51 5f e6  |...X .l.....MQ_.|
-000003d0  c9 20 a8 e4 72 9d 26 61  0c cd 53 6b 8f 37 a3 65  |. ..r.&a..Sk.7.e|
-000003e0  aa 03 b0 a2 2c 19 ac cf  84 58 20 00 00 00 00 00  |....,....X .....|
-000003f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000400  00 00 00 00 00 00 00 00  00 00 00 58 20 00 00 00  |...........X ...|
-00000410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000420  00 00 00 00 00 00 00 00  00 00 00 00 00 58 20 00  |.............X .|
-00000430  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000440  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 58  |...............X|
-00000450  20 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  | ...............|
-00000460  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000470  00 58 60 7c 2e 85 d2 b5  ba d8 ee e1 43 0c 5d f9  |.X`|........C.].|
-00000480  38 b8 83 64 a0 75 8d d5  02 a2 43 56 53 ba 2f bc  |8..d.u....CVS./.|
-00000490  f1 a9 c7 82 b4 d5 b4 63  15 45 71 5c 50 ea eb a0  |.......c.Eq\P...|
-000004a0  21 68 c4 7f 1a e5 00 b6  9a a5 3a 78 38 80 c6 96  |!h........:x8...|
-000004b0  c8 f6 eb 92 62 f8 80 43  fe dd 7b e6 af 16 f0 04  |....b..C..{.....|
-000004c0  54 95 6e 87 aa 53 4a bc  e2 a4 ab 4d 84 10 b1 c8  |T.n..SJ....M....|
-000004d0  84 0e 06                                          |...|
-000004d3
+00000000  d9 01 8f a2 19 ac ca 59  05 ee d2 84 44 a1 01 38  |.......Y....D..8|
+00000010  22 a0 59 05 81 a9 19 01  09 78 23 74 61 67 3a 61  |".Y......x#tag:a|
+00000020  72 6d 2e 63 6f 6d 2c 32  30 32 33 3a 63 63 61 5f  |rm.com,2023:cca_|
+00000030  70 6c 61 74 66 6f 72 6d  23 31 2e 30 2e 30 0a 58  |platform#1.0.0.X|
+00000040  20 0d 22 e0 8a 98 46 90  58 48 63 18 28 34 89 bd  | ."...F.XHc.(4..|
+00000050  b3 6f 09 db ef eb 18 64  df 43 3f a6 e5 4e a2 d7  |.o.....d.C?..N..|
+00000060  11 19 09 5c 58 20 7f 45  4c 46 02 01 01 00 00 00  |...\X .ELF......|
+00000070  00 00 00 00 00 00 03 00  3e 00 01 00 00 00 50 58  |........>.....PX|
+00000080  00 00 00 00 00 00 19 01  00 58 21 01 07 06 05 04  |.........X!.....|
+00000090  03 02 01 00 0f 0e 0d 0c  0b 0a 09 08 17 16 15 14  |................|
+000000a0  13 12 11 10 1f 1e 1d 1c  1b 1a 19 18 19 09 61 44  |..............aD|
+000000b0  cf cf cf cf 19 09 5b 19  30 03 19 09 62 67 73 68  |......[.0...bgsh|
+000000c0  61 2d 32 35 36 19 09 60  78 3a 68 74 74 70 73 3a  |a-256..`x:https:|
+000000d0  2f 2f 76 65 72 61 69 73  6f 6e 2e 65 78 61 6d 70  |//veraison.examp|
+000000e0  6c 65 2f 2e 77 65 6c 6c  2d 6b 6e 6f 77 6e 2f 76  |le/.well-known/v|
+000000f0  65 72 61 69 73 6f 6e 2f  76 65 72 69 66 69 63 61  |eraison/verifica|
+00000100  74 69 6f 6e 19 09 5f 8d  a4 01 69 52 53 45 5f 42  |tion.._...iRSE_B|
+00000110  4c 31 5f 32 05 58 20 53  78 79 63 07 53 5d f3 ec  |L1_2.X Sxyc.S]..|
+00000120  8d 8b 15 a2 e2 dc 56 41  41 9c 3d 30 60 cf e3 22  |......VAA.=0`.."|
+00000130  38 c0 fa 97 3f 7a a3 02  58 20 9a 27 1f 2a 91 6b  |8...?z..X .'.*.k|
+00000140  0b 6e e6 ce cb 24 26 f0  b3 20 6e f0 74 57 8b e5  |.n...$&.. n.tW..|
+00000150  5d 9b c9 4f 6f 3f e3 ab  86 aa 06 67 73 68 61 2d  |]..Oo?.....gsha-|
+00000160  32 35 36 a4 01 67 52 53  45 5f 42 4c 32 05 58 20  |256..gRSE_BL2.X |
+00000170  53 78 79 63 07 53 5d f3  ec 8d 8b 15 a2 e2 dc 56  |Sxyc.S]........V|
+...
+00000800  88 cf 5b 66 ce b5 30 59  0a d4 81 79 3d e5 02 dc  |..[f..0Y...y=...|
+00000810  ac 70 bc dc b7 05 b2 cc  40 f1 b6 05 a5 52 57 04  |.p......@....RW.|
+00000820  26 7a 24 c5 2e 88 6e a7  b6 18 59 2e 9f e8 58 8d  |&z$...n...Y...X.|
+00000830  a6 ea 0b 9b 18 90 62 62  07 f0 17 90 b4 27 04 e3  |......bb.....'..|
+00000840  ec 89 dd 67 5f 6b 07 47  55 4d a9 7b c1 be d2 03  |...g_k.GUM.{....|
+00000850  4f 5d d1 d0 55 d1                                 |O]..U.|
+00000856
 ```
+
 The output is a CCA attestation token from the guest in the Realm. The CCA attestation token is a Concise Binary Object Representation (CBOR) map, in which the map values are the Realm token and the CCA platform token.
 
-You have successfully generated a CCA attestation token from the guest. In later learning paths, you will learn how to use these tokens as part of the Arm CCA attestation flow. 
+You have successfully generated a CCA attestation token from the guest. In later learning paths, you will learn how to use these tokens as part of the Arm CCA attestation flow.
 
 You can now shutdown the guest. Use the `poweroff` command.
 
 You should see the following output from the guest:
 
 ```output
-Stopping dropbear sshd: OK
-Stopping network: OK
-Saving random seed: OK
+(realm) # Destroying macvtap... OK
+Stopping crond: stopped /usr/sbin/crond (pid 120) OK
+Stopping chrony: OK
+Stopping network: ifdown: interface lo not configured OK
 Stopping klogd: OK
-Stopping syslogd: OK
+Stopping syslogd: stopped /sbin/syslogd (pid 66) OK
 umount: devtmpfs busy - remounted read-only
-[   42.595975] EXT4-fs (vda): re-mounted 9e9fa588-c41f-404a-a627-6616bb8491b1 ro. Quota mode: none.
+[ 1172.990117] EXT4-fs (vda2): re-mounted b984c902-aed2-4217-bbf0-da44ee66446c ro.
 The system is going down NOW!
 Sent SIGTERM to all processes
-logout
 Sent SIGKILL to all processes
 Requesting system poweroff
-[   44.697156] reboot: Power down
+[ 1175.167522] reboot: Power down
   Info: KVM session ended normally.
 ```
+
 The guest has shut down and you are back at the host Linux kernel prompt.
 
-To exit the simulation, use `Ctrl-a + d`. You will be placed back into the running docker container. 
+To exit the host session and the simulation, use `poweroff`. You will be placed back into the running docker container.
 
 To exit the docker container, run `exit`.
 
 In the next section, you will learn how to run a simple application inside the Realm.
+
+{{% notice Note %}}
+The docker session has been started with the `--rm` option, which means the container will be destroyed when it is exited, allowing you to experiment with the images without fear: at the next session, you will get working pristine images ! If you intend your changes to persist across docker sessions, omit the `--rm` option to docker.
+{{% /notice %}}