diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 2ef6519d34..cde791e438 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -45,6 +45,7 @@ jobs:
 - kernel
 - kernel-dragonball-experimental
 - kernel-nvidia-gpu
+ - kernel-cca-confidential
 - nydus
 - ovmf
 - qemu
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 565c1eb157..d9f5183f69 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -49,6 +49,15 @@ BASE_TARBALLS = serial-targets \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
 rootfs-initrd-tarball
+else ifeq ($(ARCH), aarch64)
+BASE_TARBALLS = serial-targets \
+ kernel-cca-confidential-tarball \
+ kernel-tarball \
+ qemu-tarball \
+ shim-v2-tarball \
+ virtiofsd-tarball
+BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+ rootfs-initrd-tarball
 endif
 define BUILD
@@ -135,6 +144,9 @@ kernel-tarball:
 kernel-confidential-tarball:
 ${MAKE} $@-build
+kernel-cca-confidential-tarball:
+ ${MAKE} $@-build
+
 nydus-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 40b149135a..ab8e62597f 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -114,6 +114,7 @@ options:
 kata-manager
 kernel
 kernel-confidential
+ kernel-cca-confidential
 kernel-dragonball-experimental
 kernel-experimental
 kernel-nvidia-gpu
@@ -160,17 +161,22 @@ get_kernel_modules_dir() {
 local version=${kernel_version#v}
 local numeric_final_version=${version}
- # Every first release of a kernel is x.y, while the resulting folder would be x.y.0
- local rc=$(echo ${version} | grep -oE "\-rc[0-9]+$")
- if [ -n "${rc}" ]; then
- numeric_final_version="${numeric_final_version%"${rc}"}"
- fi
+ if [ -z "${kernel_ref}" ]; then
+ # Every first release of a kernel is x.y, while the resulting folder would be x.y.0
+ local rc=$(echo ${version} | grep -oE "\-rc[0-9]+$")
+ if [ -n "${rc}" ]; then
+ numeric_final_version="${numeric_final_version%"${rc}"}"
+ fi
- local dots=$(echo ${version} | grep -o '\.' | wc -l)
- [ "${dots}" == "1" ] && numeric_final_version="${numeric_final_version}.0"
+ local dots=$(echo ${version} | grep -o '\.' | wc -l)
+ [ "${dots}" == "1" ] && numeric_final_version="${numeric_final_version}.0"
- if [ -n "${rc}" ]; then
- numeric_final_version="${numeric_final_version}${rc}"
+ if [ -n "${rc}" ]; then
+ numeric_final_version="${numeric_final_version}${rc}"
+ fi
+ else
+ # kernel_version should be vx.y.z-rcn-hash format when git is used
+ numeric_final_version="${numeric_final_version%-*}+"
 fi
 local kernel_modules_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${kernel_name}/builddir/kata-linux-${version}-${kernel_kata_config_version}/lib/modules/${numeric_final_version}"
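Review bot: The git branch derives the modules directory purely from the version string, `numeric_final_version="${numeric_final_version%-*}+"`, so it only matches the kernel's own release string when `kernel_version` really is `vx.y.z-rcn-<hash>` and the build appends a bare `+` localversion (what `scripts/setlocalversion` does for an untagged checkout with `CONFIG_LOCALVERSION_AUTO` unset; worth confirming against the new arm64 confidential fragments). A version without the trailing `-<hash>` part, or a config that turns on `CONFIG_LOCALVERSION_AUTO`, leaves `kernel_modules_dir` pointing at a directory that does not exist, and nothing in the hunk checks for that; a guard such as `[ -d "${kernel_modules_dir}" ] || die "kernel modules dir not found: ${kernel_modules_dir}"` (using whatever error helper the script has; `die` is not visible here) where the path is consumed would fail early instead of packaging an empty tree. `kernel_ref` is only exported by install_kernel_helper in a later hunk, so if this script runs under `set -u` other callers would trip on the new test; `if [ -z "${kernel_ref:-}" ]; then` avoids that. The function continues past the hunk.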
@@ -656,9 +662,10 @@ install_kernel_helper() {
 export kernel_version="$(get_from_kata_deps .${kernel_yaml_path}.version)"
 export kernel_url="$(get_from_kata_deps .${kernel_yaml_path}.url)"
+ export kernel_ref="$(get_from_kata_deps .${kernel_yaml_path}.ref)"
 export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
- if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
+ if [[ "${kernel_name}" == "kernel"*"-confidential" ]] && [[ "${ARCH}" == "x86_64" ]]; then
 kernel_version="$(get_from_kata_deps .assets.kernel.confidential.version)"
 kernel_url="$(get_from_kata_deps .assets.kernel.confidential.url)"
 fi
@@ -681,6 +688,9 @@ install_kernel_helper() {
 info "build ${kernel_name}"
 info "Kernel version ${kernel_version}"
+ if [ -n "${kernel_ref}" ]; then
+ extra_cmd+=" -r ${kernel_ref}"
+ fi
 DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}"
 }
@@ -705,6 +715,15 @@ install_kernel_confidential() {
 "-x"
 }
+install_kernel_cca_confidential() {
+ export MEASURED_ROOTFS=yes
+
+ install_kernel_helper \
+ "assets.kernel-arm-experimental.confidential" \
+ "kernel-confidential" \
+ "-x -H deb"
+}
+
 install_kernel_dragonball_experimental() {
 install_kernel_helper \
 "assets.kernel-dragonball-experimental" \
@@ -1228,6 +1247,7 @@ handle_build() {
 install_kata_manager
 install_kernel
 install_kernel_confidential
+ install_kernel_cca_confidential
 install_kernel_dragonball_experimental
 install_log_parser_rs
 install_nydus
@@ -1271,6 +1291,8 @@ handle_build() {
 kernel-confidential) install_kernel_confidential ;;
+ kernel-cca-confidential) install_kernel_cca_confidential ;;
+
 kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 kernel-nvidia-gpu-dragonball-experimental) install_kernel_nvidia_gpu_dragonball_experimental ;;
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index f08a5d4e30..671c459cb7 100755
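Review bot: The added `&& [[ "${ARCH}" == "x86_64" ]]` changes which kernel every non-x86_64 confidential build picks, not only the new arm64 one: on any other architecture `kernel-confidential` now keeps the caller's `kernel_yaml_path` version and URL instead of `assets.kernel.confidential`, and the hunk does not show where `ARCH` is set or validated. If the override only ever mattered on x86_64 a comment saying so would settle it; otherwise keying on the yaml path the caller chose is narrower, e.g. `if [[ "${kernel_name}" == "kernel"*"-confidential" ]] && [[ "${kernel_yaml_path}" != *".confidential" ]]; then`. The new `export kernel_ref="$(get_from_kata_deps .${kernel_yaml_path}.ref)"` feeds a later `-n` test, so it relies on `get_from_kata_deps` printing an empty string rather than a literal `null` for the many assets that have no `ref` key; worth confirming. install_kernel_helper starts before this hunk.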
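Review bot: `extra_cmd+=" -r ${kernel_ref}"` appends to a string that the next context line hands to the builder as one quoted word, `"${extra_cmd}"`; whether `-r <ref>` reaches `getopts` in build-kernel.sh as two separate arguments depends on re-splitting that is not visible here, and if it does not happen the ref is silently never parsed (the existing `-x -H deb` callers have the same shape, so presumably something downstream splits it). An array sidesteps the question: `extra_args=(${extra_cmd}); [ -n "${kernel_ref}" ] && extra_args+=(-r "${kernel_ref}")` followed by passing `"${extra_args[@]}"` on the invocation line, which this hunk leaves unchanged. A one-line comment above the new `if`, `# -r is consumed by build-kernel.sh and switches it from tarball download to a git checkout of ${kernel_ref}`, would also tie the two scripts together for the reader.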
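Review bot: install_kernel_cca_confidential passes `"kernel-confidential"` as `kernel_name`, so it shares `build/kernel-confidential/...` (the builddir pattern is visible in get_kernel_modules_dir) and, as far as this hunk shows, the same artifact naming as install_kernel_confidential, and `handle_build` now calls both in its full-build list; on aarch64 the second build therefore overwrites or reuses the first's tree. If reusing the name is deliberate so the deployed artifact lands where the runtime expects the confidential kernel, a comment would make that reviewable, e.g. `# Reuses kernel_name "kernel-confidential" so the artifact path matches the x86_64 confidential kernel`. `export MEASURED_ROOTFS=yes` also stays set for every install that runs after this one in the same process, which is fine if the sibling confidential installer does the same, but a call-scoped assignment (`MEASURED_ROOTFS=yes install_kernel_helper ...`) would keep the effect local.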
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -65,6 +65,8 @@ PREFIX="${PREFIX:-/usr}"
 kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
+# Kernel Reference to download using git
+kernel_ref=""
 # Enable measurement of the guest rootfs at boot.
 measured_rootfs="false"
@@ -109,6 +111,7 @@ Options:
 -m : Enable measured rootfs.
 -k : Path to kernel to build.
 -p : Path to a directory with patches to apply to kernel.
+ -r : Enable git mode to download kernel using ref.
 -s : Skip .config checks
 -t : Hypervisor_target.
 -u : Kernel URL to be used to download the kernel tarball.
@@ -138,6 +141,26 @@ check_initramfs_or_die() {
 die "Initramfs for measured rootfs not found at ${default_initramfs}"
 }
+get_git_kernel() {
+ local kernel_path="${2:-}"
+
+ if [ ! -d "${kernel_path}" ] ; then
+ mkdir -p "${kernel_path}"
+ pushd "${kernel_path}"
+ local kernel_git_url="https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
+ if [ -n "${kernel_url}" ]; then
+ kernel_git_url="${kernel_url}"
+ fi
+ git init
+ git remote add origin "${kernel_git_url}"
+ popd
+ fi
+ pushd "${kernel_path}"
+ git fetch --depth 1 origin "${kernel_ref}"
+ git checkout "${kernel_ref}"
+ popd
+}
+
 get_kernel() {
 local version="${1:-}"
@@ -341,6 +364,10 @@ get_kernel_frag_path() {
 results=$(grep "${not_in_string}" <<< "$results")
 # Do not care about options that are in whitelist
 results=$(grep -v -f ${default_config_whitelist} <<< "$results")
+ local version_config_whitelist="${default_config_whitelist%.*}-${kernel_version}.conf"
+ if [ -f ${version_config_whitelist} ]; then
+ results=$(grep -v -f ${version_config_whitelist} <<< "$results")
+ fi
 [[ "${skip_config_checks}" == "true" ]] && echo "${config_path}" && return
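Review bot: The new usage line `-r : Enable git mode to download kernel using ref.` says neither what the argument is nor that it changes the meaning of `-u`: with a ref set, setup_kernel routes to get_git_kernel, which treats `kernel_url` as a git remote (defaulting to the kernel.org stable tree) rather than the tarball base URL that the `-u` line still documents. Suggest `-r : Git ref (commit id, tag or branch) to check out instead of downloading a tarball; with -r, -u is the git remote URL (default: kernel.org stable tree).` and a matching clause appended to the `-u` line. The variable comment in the first hunk, `# Kernel Reference to download using git`, could say the same in fewer words, `# Git ref to check out when -r is given; empty means tarball mode`.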
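Review bot: get_git_kernel never verifies what it ended up on: `git fetch --depth 1 origin "${kernel_ref}"` followed by `git checkout "${kernel_ref}"` pins the source only when the ref is a full commit id, and for an already existing `${kernel_path}` the `origin` configured on an earlier run is reused even if `kernel_url` has since changed, so a stale clone wins silently. The tarball path this replaces at least had a version-named archive to compare against; here HEAD should be compared with the pin once the ref is a commit id, and an existing remote should be checked against `kernel_git_url` (`git remote get-url origin`) before fetching. The `pushd`/`popd` pairs also print to stdout, which is noise in build logs. `die` is already available in this file (see the context line above the function); a sketch of the tail of the function:
```shell
get_git_kernel() {
	local kernel_path="${2:-}"
	# … unchanged: creation of ${kernel_path}, git init and "origin" setup …
	pushd "${kernel_path}" >/dev/null
	git fetch --depth 1 origin "${kernel_ref}"
	git checkout "${kernel_ref}"
	# Only a full commit id pins the source; make sure that is what was checked out.
	if [[ "${kernel_ref}" =~ ^[0-9a-f]{40}$ ]]; then
		[ "$(git rev-parse HEAD)" == "${kernel_ref}" ] || die "kernel checkout is at $(git rev-parse HEAD), expected ${kernel_ref}"
	fi
	popd >/dev/null
}
```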
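Review bot: The per-version whitelist path is built as `${default_config_whitelist%.*}-${kernel_version}.conf`, and the file this commit adds is `whitelist-6.15.0-rc1-<hash>.conf` with no leading `v`, while versions.yaml carries `v6.15.0-rc1-<hash>`; the lookup therefore only hits if `kernel_version` has had its `v` stripped before get_kernel_frag_path runs, which is not visible in this hunk. Either state that assumption, `# kernel_version is expected without its leading "v" here, matching whitelist-<version>.conf`, or normalize in place with `"${default_config_whitelist%.*}-${kernel_version#v}.conf"`, which is a no-op when the prefix is already gone. Both new uses of `${version_config_whitelist}` are unquoted like the existing `${default_config_whitelist}` line; quoting them costs nothing. get_kernel_frag_path starts before and continues after this hunk.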
@@ -441,7 +468,11 @@ setup_kernel() {
 [ -n "$kernel_version" ] || die "failed to get kernel version: Kernel version is emtpy"
 if [[ ${download_kernel} == "true" ]]; then
- get_kernel "${kernel_version}" "${kernel_path}"
+ if [ -z "${kernel_ref}" ]; then
+ get_kernel "${kernel_version}" "${kernel_path}"
+ else
+ get_git_kernel "${kernel_version}" "${kernel_path}"
+ fi
 fi
 [ -n "$kernel_path" ] || die "failed to find kernel source path"
@@ -591,7 +622,7 @@ install_kata() {
 }
 main() {
- while getopts "a:b:c:dD:eEfg:hH:k:mp:st:u:v:x" opt; do
+ while getopts "a:b:c:dD:eEfg:hH:k:mp:r:st:u:v:x" opt; do
 case "$opt" in
 a)
 arch_target="${OPTARG}"
@@ -638,6 +669,9 @@ main() {
 p)
 patches_path="${OPTARG}"
 ;;
+ r)
+ kernel_ref="${OPTARG}"
+ ;;
 s)
 skip_config_checks="true"
 ;;
diff --git a/tools/packaging/kernel/configs/fragments/arm64/confidential/cca.conf b/tools/packaging/kernel/configs/fragments/arm64/confidential/cca.conf
new file mode 100644
index 0000000000..c4eaf2c839
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/cca.conf
@@ -0,0 +1,9 @@
+CONFIG_VIRT_DRIVERS=y
+CONFIG_TSM_REPORTS=y
+CONFIG_ARM_CCA_GUEST=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_ACPI_PROCESSOR=y
+CONFIG_HOTPLUG_CPU=y
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_RODATA_FULL_DEFAULT_ENABLED=y
diff --git a/tools/packaging/kernel/configs/fragments/arm64/confidential/hotplug.conf b/tools/packaging/kernel/configs/fragments/arm64/confidential/hotplug.conf
new file mode 100644
index 0000000000..3a71fa8b58
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/hotplug.conf
@@ -0,0 +1,3 @@
+# Define hotplugs to be online immediately. Speeds things up, and makes things
+# work smoother on some arch's.
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y
diff --git a/tools/packaging/kernel/configs/fragments/arm64/confidential/rme.conf b/tools/packaging/kernel/configs/fragments/arm64/confidential/rme.conf
new file mode 100644
index 0000000000..58091ddecd
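Review bot: `CONFIG_ACPI_HOTPLUG_CPU=y` in cca.conf is contradicted by the whitelist added in the same commit, whose comment says the option has been disabled on arm64 since v6.8 and which masks it from the fragment check; the fragment asks for something the build will drop and the check will no longer report. Either drop the line from cca.conf or keep it with a comment explaining why it stays for older trees. Unlike hotplug.conf, this fragment has no header comment; a one-line `# Arm CCA realm guest: CCA guest driver and TSM attestation reports, plus the virtio RNG and CPU/ACPI options the guest relies on` would make the grouping reviewable.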
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/rme.conf
@@ -0,0 +1,3 @@
+CONFIG_ARCH_HAS_CC_PLATFORM=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist-6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f.conf b/tools/packaging/kernel/configs/fragments/whitelist-6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f.conf
new file mode 100644
index 0000000000..bcdae9ed16
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/whitelist-6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f.conf
@@ -0,0 +1,9 @@
+# CONFIG_RANDOM_TRUST_CPU is removed from config since v6.2
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b9b01a5625b5a9e9d96d14d4a813a54e8a124f4b
+CONFIG_RANDOM_TRUST_CPU
+# CONFIG_ACPI_HOTPLUG_CPU is disabled arm64 and riscv since v6.8
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a02f66bb3cf475947b58dd3851b987b8ccd998c1
+CONFIG_ACPI_HOTPLUG_CPU
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is disabled since v6.14
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=44d46b76c3a4b514a0cc9dab147ed430e5c1d699
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index fb402ef6a4..2cd1cfa2cf 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-169
+170
diff --git a/tools/packaging/kernel/patches/6.15.x/no_patches.txt b/tools/packaging/kernel/patches/6.15.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index e855a8bac1..8b68b06cc8 100644
--- a/versions.yaml
+++ b/versions.yaml
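Review bot: The three `CONFIG_ARCH_HAS_*` symbols in rme.conf are non-prompt symbols that the architecture selects; writing them `=y` in a fragment cannot turn them on, it only records an expectation that the final .config will contain them (and presumably the fragment check will flag a mismatch if the tree does not select them). A header comment would stop the next reader from treating the file as a switch, e.g. `# Selected by the arm64 RME/CCA code rather than user-settable; listed so the config check fails if the tree lacks them.` The whitelist comment `CONFIG_ACPI_HOTPLUG_CPU is disabled arm64 and riscv since v6.8` reads better as `disabled on arm64 and riscv`.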
@@ -206,6 +206,11 @@ assets:
 description: "Linux kernel with cpu/mem hotplug support on arm64"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
 version: "v5.15.138"
+ confidential:
+ description: "Linux kernel with RME support on arm64"
+ url: "https://gitlab.arm.com/linux-arm/linux-cca"
+ version: "v6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f"
+ ref: "916aeec68dd4500a1cdf4ebf214c5620955daf3f"
 kernel-dragonball-experimental:
 description: "Linux kernel with Dragonball VMM optimizations like upcall"
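Review bot: The commit id now lives in three places that must move together: `ref:`, the `version:` string that embeds it, and the `whitelist-6.15.0-rc1-<hash>.conf` file name that get_kernel_frag_path derives from `kernel_version`; bumping `ref` alone leaves the other two stale and nothing checks that `version` ends in `ref`. A comment beside `ref` recording the coupling, `# Keep in sync with version above and with tools/packaging/kernel/configs/fragments/whitelist-<version>.conf`, would help, and a mechanical check in install_kernel_helper (`[[ "${kernel_version}" == *"${kernel_ref}" ]]` when `ref` is set) would catch drift before a long kernel build. Pinning a full commit id rather than a branch name is the right choice for reproducibility of the confidential kernel.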