The Android Virtualization Framework (AVF) introduces secure, lightweight virtualization to the Android OS. It provides a standardized environment to run code in isolated virtual machines (VMs) with strict security guarantees, protecting workloads even if the host Android kernel is compromised.
Android Virtualization Framework (AVF)
AVF bridges the gap between hardware hypervisors and Android applications. It leverages the pKVM (Protected KVM) hypervisor on ARM architectures. AVF is not designed for running desktop OSes; it is tailored for isolated, headless, and specialized workloads.
Key architectural layers:
- pKVM / Hypervisor: Provides the fundamental memory and CPU isolation.
- crosvm: The Virtual Machine Monitor (VMM).
- VirtualizationService: The Android system service managing VM lifecycles.
- Microdroid: The specialized, stripped-down Android OS running inside the guest VM.
VirtualizationService and VirtualMachine API
VirtualizationService runs in the host Android OS and orchestrates the creation, execution, and teardown of VMs. It enforces security policies, ensuring only signed and verified payloads can run.
Android exposes the VirtualMachine API to privileged apps and system components, allowing them to spin up VMs programmatically.
// Example: Creating a VirtualMachine config (conceptual)
VirtualMachineConfig config = new VirtualMachineConfig.Builder(context)
        .setPayloadBinaryName("MyPayload.so") // placeholder: native payload library shipped in the APK
        .setMemoryBytes(256L * 1024 * 1024)   // 256MB RAM
        .setProtectedVm(true)                 // protected VM: guest memory is isolated from the host
        .build();

VirtualMachineManager vmm = context.getSystemService(VirtualMachineManager.class);
VirtualMachine vm = vmm.create("my_vm", config); // placeholder VM name
vm.run(); // boots the VM and starts the payload
Communication between the host app and the guest VM is typically handled via specialized vsock (Virtual Socket) connections, or bound RPC mechanisms defined by AVF.
crosvm: Chrome OS Virtual Machine Monitor
crosvm is the VMM used by AVF, originally developed for Chrome OS to run Linux and Android apps securely. Written in Rust for memory safety, crosvm interfaces directly with the kernel's KVM API (/dev/kvm).
Responsibilities of crosvm:
- Allocating memory and virtual CPUs for the guest.
- Emulating essential hardware devices (virtio-blk for storage, virtio-net for networking).
- Managing secure boot loading of the guest kernel.
When AVF starts a VM, it forks a dedicated crosvm process configured specifically for that VM.
# Monitoring crosvm processes via adb
adb shell ps -A | grep crosvm
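Because each VM is backed by its own crosvm process, the same listing can be audited rather than just grepped. The following is an added example, not code from AVF: it reads `ps -A` output and reports every crosvm process with its parent, flagging any whose parent is not the expected service. It assumes Android's default `ps -A` columns (a header containing PID and PPID, with NAME last); the parent name `virtualizationservice` and the sample listing are constructed, and the actual parent process name depends on the Android release.

```shell
#!/bin/sh
# Added example: audit crosvm processes found in `ps -A` output on stdin.
# $1 = process name expected to be the parent of every crosvm instance
#      (an assumption supplied by the caller; it varies by Android release).
audit_crosvm() {
    awk -v want="$1" '
        { sub(/\r$/, "") }              # tolerate CRLF from older adb versions
        NR == 1 {                       # locate columns from the header row
            for (i = 1; i <= NF; i++) {
                if ($i == "PID")  pidc = i
                if ($i == "PPID") ppidc = i
            }
            next
        }
        pidc && ppidc {
            n = $NF                     # NAME is the last column
            sub(/.*\//, "", n)          # compare on basename only
            name[$pidc] = n
            if (n == "crosvm") parent[$pidc] = $ppidc
        }
        END {
            for (p in parent) {
                pn = (parent[p] in name) ? name[parent[p]] : "?"
                printf "%s crosvm parent=%s(%s) %s\n", p, parent[p], pn,
                       (pn == want) ? "ok" : "UNEXPECTED"
            }
        }' | sort -n
}

# Constructed sample in the default `ps -A` layout (not captured from a device).
SAMPLE_PS='USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0 2345678  12000 0                   0 S init
system        1420     1 1098765   8000 0                   0 S virtualizationservice
root          1455  1420 3456789  90000 0                   0 S crosvm
shell         2301  2290 2222222   4000 0                   0 S sh
shell         2310  2301 3456789  88000 0                   0 S crosvm'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | audit_crosvm virtualizationservice
```

On a device, feed it live data with `adb shell ps -A | audit_crosvm <expected-parent-name>`.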
Use Cases: Isolated Code Execution
AVF enables high-assurance use cases that require extreme isolation:
- DRM and Media Processing: Running proprietary Widevine decryption or video processing in a protected VM ensures that DRM keys cannot be leaked, even to rooted host processes.
- Compilation and Code Generation: Compiling DEX to OAT on-device can be risky if malicious code exploits the compiler. Moving compilation into an isolated VM contains any potential vulnerabilities.
- Privacy-Preserving Computation: Running machine learning models on sensitive user data inside a protected VM guarantees that the host OS cannot inspect the data or the model weights.