Adjustments

Author: madeline-underwood

content/learning-paths/servers-and-cloud-computing/cca-device-attach/3.bounce_buffers.md

@@ -10,46 +10,44 @@ layout: learningpathall
 
 Bounce buffers are temporary memory areas used when a device cannot perform DMA on the original buffer. 
 
-Common reasons for this include:
+Common reasons include:
 
-- The original buffer is not physically contiguous
-- The buffer resides in memory not accessible by the device
-- The buffer does not meet the device alignment or boundary constraints 
+- The original buffer is not physically contiguous.
+- The buffer resides in memory not accessible by the device.
+- The buffer does not meet the device alignment or boundary constraints. 
 
 ## Why use bounce buffers?
 
-Data bounces between:
+Data *bounces* between:
 
 - The original buffer in user space or kernel space
 - The DMA-capable bounce buffer used for device I/O
 
-This indirection allows the transfer to proceed when the original buffer is unsuitable for DMA.
+This indirection allows data transfer to proceed when the original buffer is unsuitable for DMA.
 
 ## CCA Realms, VirtIO, and bounce buffers
 
-A defining feature of a Realm is that its memory (Realm memory) is cryptographically isolated from both the Normal and Secure Worlds. 
+A defining feature of a Realm is that its memory (Realm memory) is cryptographically isolated from both Normal Secure Worlds: 
 
 This means:
 
-- Realm memory is encrypted with unique keys
-- Non-Realm entities (host OS, hypervisor) cannot directly read or
-  write to Realm memory
-- Direct Memory Access (DMA) from peripherals or untrusted drivers cannot
-  access Realm data
+- Realm memory is encrypted with unique keys.
+- The host OS and hypervisor cannot directly read or write Realm memory.
+- Direct Memory Access (DMA) from peripherals or untrusted drivers cannot access Realm data.
 
-This design ensures confidentiality but presents a challenge: how can a Realm exchange data with untrusted components such as host network stacks or storage subsystems? The practical answer is to use bounce buffers as intermediaries - exchanging data securely with untrusted components (for example, network stacks, storage subsystems).
+This isolation ensures confidentiality but requires a secure way to exchange data with untrusted components such as host network stacks or storage subsystems. Bounce buffers provide this mechanism.
 
-### How are bounce buffers used with RME?
+## How are bounce buffers used with RME?
 
-Bounce buffers are used with RME to export and import data:
+With RME, Realms use bounce buffers to export and import data.
 
-For exporting data:
+**Exporting data**:
    - A Realm application prepares data (for example, the results of computation)
    - It copies the data from protected Realm memory into a bounce buffer
    - The Realm notifies the untrusted host or hypervisor
    - The host retrieves the data from the bounce buffer
 
-For importing Data:
+**Importing data**:
    - The host places data into a bounce buffer
    - The Realm is notified and validates the source
    - The Realm copies the data from the bounce buffer into protected memory
@@ -60,7 +58,7 @@ This pattern preserves confidentiality and integrity of Realm data because:
    - Incoming data can be validated and sanitized before import
    - Only data explicitly copied out leaves Realm protection
 
-### Does a bounce buffer preserve confidentiality?
+## Does a bounce buffer preserve confidentiality?
 
 A bounce buffer preserves the confidentiality of other Realm data because only the explicitly shared region is exposed. However, the transferred data is outside Realm protection once it leaves. Use protocol-level encryption such as TLS for network traffic to keep that data confidential in transit.
 

content/learning-paths/servers-and-cloud-computing/cca-device-attach/4.lab-observe-bounce-buffers.md

@@ -8,11 +8,11 @@ layout: learningpathall
 
 ## See a Realm's bounce buffers in action
 
-You will confirm bounce buffer usage using the Key Broker demo from the [CCA Essentials Learning Path](/learning-paths/servers-and-cloud-computing/cca-essentials/example/).
+In this exercise, you’ll run the CCA Key Broker demo inside a Realm and use kernel tracing to confirm that bounce buffers (SWIOTLB) are used for VirtIO network I/O. You will confirm bounce buffer usage using the Key Broker demo from the [CCA Essentials Learning Path](/learning-paths/servers-and-cloud-computing/cca-essentials/example/).
 
-### Start the Key Broker Server (KBS)
+## Start the Key Broker server (KBS)
 
-Pull the docker container image with the pre-built KBS, and run the container:
+Pull the Docker container image with the pre-built KBS, and run the container:
 
 ```bash
 docker pull armswdev/cca-learning-path:cca-key-broker-v2 
@@ -54,12 +54,12 @@ INFO Actix runtime found; starting in Actix runtime
 INFO starting service: "actix-web-service-172.17.0.2:8088", workers: 16, listening on: 172.17.0.2:8088
 ```
 
-### Get into a Realm
+## Get into a Realm guest
 
 With the Key Broker Server running in one terminal, open up a new terminal in
 which you will run the Key Broker Client (KBC). The intent is to confirm that the data transmitted over the network (through `virtio_net`) are indeed using bounce buffers.
 
-Pull the docker container image with the pre-built KBC, and then run the container:
+Pull the Docker container image with the pre-built KBC, and then run the container:
 
 ```bash
 docker pull armswdev/cca-learning-path:cca-simulation-v2
@@ -102,7 +102,7 @@ cd /cca
 
 You should see the realm boot. Note that `lkvm` is invoked with `--network mode=user`, which makes the guest see the network through a VirtIO device.
 
-After boot up, which might take some time, you will be prompted to log in at the guest Linux prompt. Use root again as the username:
+After boot, which might take some time, you will be prompted to log in at the guest Linux prompt. Use root again as the username:
 
 ```output
 Starting syslogd: OK
@@ -121,7 +121,7 @@ realm login: root
 (realm) #
 ```
 
-### Observe bounce buffer usage in the Realm
+## Observe bounce buffer usage in the Realm
 
 Confirm that kernel tracing is available:
 
@@ -185,7 +185,7 @@ grep keybroker-app- /sys/kernel/debug/tracing/trace_pipe &
 keybroker-app -v --endpoint http://172.17.0.2:8088 skywalker
 ```
 
-In the `keybroker-app`command above, `skywalker` is the key name that is requested from the KBS.
+In the `keybroker-app` command above, `skywalker` is the key name that is requested from the KBS.
 
 The output should look like: