diff --git a/config/FVP_Base_RevC-2xAEMvA-base.yaml b/config/FVP_Base_RevC-2xAEMvA-base.yaml
index a8761f7bf5c394a43cfed9659e8b3e7918376e20..89328ebc1a74a58a71f6d0d0947c168d7ca1c508 100644
--- a/config/FVP_Base_RevC-2xAEMvA-base.yaml
+++ b/config/FVP_Base_RevC-2xAEMvA-base.yaml
@@ -28,7 +28,6 @@ run:
     # Misc FVP controls.
     --stat: null
     -C bp.vis.disable_visualisation: 1
-    -C bp.dram_metadata.is_enabled: 1                                 # If false, disables the MetaData controller functionality, and makes the component invisible to passing transactions.
     -C bp.refcounter.non_arch_start_at_default: 1                     # Firmware is expected to enable the timer at boot time. However, turning this parameter on is a model-specific way of enabling the counter module out of reset.
     -C bp.refcounter.use_real_time: 0                                 # Update the Generic Timer counter at a real-time base frequency instead of simulator time
     -C bp.secure_memory: 1                                            # enable security checking by TZC-400
diff --git a/config/arch/v8.5.yaml b/config/arch/v8.5.yaml
index 11d88556b89f7f2776597432e2d26a134805c51e..a179717d2a5ae76c2d2db5c4bbc10c783612465c 100644
--- a/config/arch/v8.5.yaml
+++ b/config/arch/v8.5.yaml
@@ -27,5 +27,3 @@ run:
     -C cluster1.has_branch_target_exception: 1
     -C cluster0.has_rndr: 1                                           # Implement random number instructions to read from RNDR and RNDRSS random number registers from ARMv8.5 (FEAT_RNG). 1:feature is implemented if ARMv8.5 is enabled.
     -C cluster1.has_rndr: 1
-    -C cluster0.memory_tagging_support_level: 3                       # Specify the memory tagging extension support level: 0, not implemented. 1, instructions and registers only are implemented (FEAT_MTE). 2, implemented (FEAT_MTE2). 3, implemented with asymmetric handling of exceptions
-    -C cluster1.memory_tagging_support_level: 3
diff --git a/config/arch/v8.9.yaml b/config/arch/v8.9.yaml
index 82838e2df27e80af2ef5af0e3ad6d062a884ce4a..d4252071f7cd4ee58d688b38845f36b9d65af28f 100644
--- a/config/arch/v8.9.yaml
+++ b/config/arch/v8.9.yaml
@@ -30,5 +30,3 @@ run:
     -C cluster1.has_permission_overlay_s1: 1
     -C cluster0.has_permission_overlay_s2: 1
     -C cluster1.has_permission_overlay_s2: 1
-    -C cluster0.memory_tagging_support_level: 4                       # FEAT_MTE4 is mandatory from Armv8.9 when FEAT_MTE2 is implemented.
-    -C cluster1.memory_tagging_support_level: 4
diff --git a/config/arch/v9.4.yaml b/config/arch/v9.4.yaml
index 1b0baed2a90df52a314fc34408f2f32e347ad989..c29d4e4050d17a91a0ecfd6cc16fc22dc9d997b5 100644
--- a/config/arch/v9.4.yaml
+++ b/config/arch/v9.4.yaml
@@ -19,5 +19,3 @@ run:
     -C cluster1.has_arm_v9-4: 1
     -C cluster0.has_gcs: 1
     -C cluster1.has_gcs: 1
-    -C cluster0.memory_tagging_support_level: 4                       # FEAT_MTE4 is mandatory from Armv8.9 when FEAT_MTE2 is implemented. Due to the layers, 8.8 ends up on top of 8.9 so we have to override again.
-    -C cluster1.memory_tagging_support_level: 4
diff --git a/config/cca-3world.yaml b/config/cca-3world.yaml
index 713ffe5851519b65d1e2b641f23ea29606619eb1..ef58fe87d40c65fe887595c88cc26c47f14a9ce7 100644
--- a/config/cca-3world.yaml
+++ b/config/cca-3world.yaml
@@ -55,7 +55,7 @@ description: >-
 
   .. code-block:: shell
     $ cd ~/.shrinkwrap/package/cca-3world
-    $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2 SHARE=.
+    $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
 
   Finally, once the host has booted, log in as "root" (no password), and launch
   a realm using kvmtool. Note the mount command is only required if sharing a
@@ -223,10 +223,6 @@ run:
     -C cluster0.output_attributes: ExtendedID[62:55]=MPAM_PMG,ExtendedID[54:39]=MPAM_PARTID,ExtendedID[38:37]=MPAM_SP
     -C cluster1.output_attributes: ExtendedID[62:55]=MPAM_PMG,ExtendedID[54:39]=MPAM_PARTID,ExtendedID[38:37]=MPAM_SP
 
-    # MTE is not supported by RMM yet.
-    -C cluster0.memory_tagging_support_level: 0
-    -C cluster1.memory_tagging_support_level: 0
-
     # CCA-specific SMMU settings.
     -C pci.pci_smmuv3.mmu.SMMU_ROOT_IDR0: 3
     -C pci.pci_smmuv3.mmu.SMMU_ROOT_IIDR: 0x43B
diff --git a/config/cca-4world.yaml b/config/cca-4world.yaml
index 9e3e506b54b9d119a6772f2866464a8bb8a16a49..d732314562326c37a90a92b09c4e2566d5543214 100644
--- a/config/cca-4world.yaml
+++ b/config/cca-4world.yaml
@@ -4,8 +4,33 @@
 %YAML 1.2
 ---
 description: >-
-  Builds on cca-3world.yaml, but adds support for running Hafnium along with
-  some secure partitions in Secure World.
+  Builds on cca-3world.yaml, and adds support for running Hafnium along with some
+  secure partitions in Secure World.
+  Build with:
+
+  .. code-block:: shell
+    $ shrinkwrap --image shrinkwraptool/base-full build cca-4world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}'
+
+  Then run the model with:
+
+  .. code-block:: shell
+    $ cd ~/.shrinkwrap/package/cca-4world
+    $ shrinkwrap run cca-4world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
+
+  Once the host has booted, log in as "root" (no password).
+
+  Secure partitions can be enumerated by:
+
+  .. code-block:: shell
+    # cat /sys/devices/arm-ffa-*/uuid
+
+    b4b5671e-4a90-4fe1-b81f-fb13dae1dacb
+    d1582309-f023-47b9-827c-4464f5578fc8
+    79b55c73-1d8c-44b9-8593-61e1770ad8d2
+    eaba83d8-baaf-4eaf-8144-f7fdcbe544a7
+
+  See cca-3worlds.yaml config :ref:`userguide/configstore/cca-3world:description`
+  if willing to launch a realm using kvmtool.
 
 concrete: true
 
@@ -23,7 +48,17 @@ build:
       SP_LAYOUT_FILE: ${artifact:SP_LAYOUT}
       BL32: ${artifact:HAFNIUM}
 
+  linux:
+    prebuild:
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_ARM_FFA_TRANSPORT
+
 run:
   terminals:
     bp.terminal_2:
       friendly: hafnium
+
+  # SPMD doesn't permit use of SME options:
+  # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/platform.mk?h=v2.10#n60
+  # This is mainly because Hafnium/S-EL2 doesn't support (yet) saving/restoring the NS SME state across SMC calls.
+  params:
+    -C SVE.ScalableVectorExtension.has_sme: 0
diff --git a/config/hafnium-base.yaml b/config/hafnium-base.yaml
index 3f98e6b61c28c254575288a0ebb9918b4b1382e6..2b40273953a401c13278eb9acbce6462e15dab26 100644
--- a/config/hafnium-base.yaml
+++ b/config/hafnium-base.yaml
@@ -43,3 +43,6 @@ run:
     -C gic_distributor.extended-spi-count: 1024
     -C cluster0.gicv3.extended-interrupt-range-support: 1
     -C cluster1.gicv3.extended-interrupt-range-support: 1
+    -C cluster0.memory_tagging_support_level: 2
+    -C cluster1.memory_tagging_support_level: 2
+    -C bp.dram_metadata.is_enabled: 1
diff --git a/documentation/userguide/configstore/cca-3world.rst b/documentation/userguide/configstore/cca-3world.rst
index 3c947b957864e6fd6383954d5da03530d24e1c8c..0049ceff1118abb0174b6a0ac4d9700e8728b212 100644
--- a/documentation/userguide/configstore/cca-3world.rst
+++ b/documentation/userguide/configstore/cca-3world.rst
@@ -57,7 +57,7 @@ Or if taking the shared directory approach, simply boot the host with the SHARE
 .. code-block:: shell
 
   $ cd ~/.shrinkwrap/package/cca-3world
-  $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2 SHARE=.
+  $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
 
 
 Finally, once the host has booted, log in as "root" (no password), and launch a realm using kvmtool. Note the mount command is only required if sharing a directory:
diff --git a/documentation/userguide/configstore/cca-4world.rst b/documentation/userguide/configstore/cca-4world.rst
index 81e924721641fd7e2d83afcf58f2c2d7d456a4f3..70d4be8d1873e4c7be5df0ca45439f71bcfbe396 100644
--- a/documentation/userguide/configstore/cca-4world.rst
+++ b/documentation/userguide/configstore/cca-4world.rst
@@ -10,7 +10,35 @@ cca-4world.yaml
 Description
 ###########
 
-Builds on cca-3world.yaml, but adds support for running Hafnium along with some secure partitions in Secure World.
+Builds on cca-3world.yaml, and adds support for running Hafnium along with some secure partitions in Secure World. Build with:
+
+.. code-block:: shell
+
+  $ shrinkwrap --image shrinkwraptool/base-full build cca-4world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}'
+
+
+Then run the model with:
+
+.. code-block:: shell
+
+  $ cd ~/.shrinkwrap/package/cca-4world
+  $ shrinkwrap run cca-4world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
+
+
+Once the host has booted, log in as "root" (no password).
+
+Secure partitions can be enumerated by:
+
+.. code-block:: shell
+
+  # cat /sys/devices/arm-ffa-*/uuid
+  b4b5671e-4a90-4fe1-b81f-fb13dae1dacb
+  d1582309-f023-47b9-827c-4464f5578fc8
+  79b55c73-1d8c-44b9-8593-61e1770ad8d2
+  eaba83d8-baaf-4eaf-8144-f7fdcbe544a7
+
+
+See cca-3worlds.yaml config :ref:`userguide/configstore/cca-3world:description` if willing to launch a realm using kvmtool.
 
 Concrete
 ########
diff --git a/test/test.py b/test/test.py
index a55d3225af907db5b9649cbf67874bd1a65067eb..8d7c8e34bfb8a65212741d66e133cf9b23b4300a 100755
--- a/test/test.py
+++ b/test/test.py
@@ -259,9 +259,7 @@ def do_main(smoke_test):
 					{'GUEST_ROOTFS': ROOTFS}
 				])
 	run_config('cca-3world.yaml', None, make_rtcmds({'KERNEL': KERNEL, 'ROOTFS': ROOTFS}))
-	# TODO: Disabled due to Hafnium requiring MTE but RMM does not support
-	# it. Reenable when Hafnium fixed to remove dependency.
-	# run_config('cca-4world.yaml', None, make_rtcmds({'KERNEL': KERNEL, 'ROOTFS': ROOTFS}))
+	run_config('cca-4world.yaml', None, make_rtcmds({'KERNEL': KERNEL, 'ROOTFS': ROOTFS}))
 
 	print_results()