
System Architecture

The TEE Kit consists of the Kernel-based Virtual Machine (KVM), Trusted Management Interface (TMI), and Trusted Management Monitor (TMM). Figure 1 illustrates these modules.

Figure 1 Kunpeng BoostKit for Confidential Computing TEE Kit

The TEE Kit comprises the following components:

Category: Industrial customers

  Subcategory: Host/Guest OS

  Description: Customers can choose a Linux OS that supports the Virtualized Arm Confidential Compute Architecture (virtCCA) to install the host and guest OSs. The host and guest OSs are open-sourced in the openEuler community.

  • Libvirt and QEMU: used to deploy and manage cVMs.
  • KVM: runs in the normal world to schedule tasks, allocate resources, and manage the lifecycle of all cVMs.
  • TMI: the interface through which the KVM communicates with the TMM.

Category: Huawei deliverables

  Subcategory: TMM

  Description: This virtualization component runs in the TEE and manages the CPU and memory resources of cVMs. Generally, a Kunpeng server that supports the TEE Kit is equipped with the TMM (upgradeable) in the hardware platform.

  Subcategory: Hardware firmware

  Description: To support the TEE Kit, the hardware firmware is adapted as follows:

  • BIOS: supports TMM decryption, secure boot, and function configuration.
  • BMC: manages and upgrades the TMM.
  • The hardware firmware that supports the TEE Kit is pre-installed on the hardware in the production line. You need to obtain the latest firmware version.

  Subcategory: TEE Kit SDK

  Description: To allow the remote attestation and key derivation functions of the TEE Kit to be integrated into customers' applications, the TEE Kit provides the following software development kits (SDKs) for customers:

  • Remote attestation library
  • Sealing key library
  • RATS-TLS library