Tag Archives: virtualization

Virtual Machine as a core Android Primitive

Posted by Sandeep Patil – Principal Software Engineer, and Irene Ang – Product Manager

The Android Virtualization Framework (AVF) will be available on upcoming select Android 14 devices. The AVF, first introduced in Android 13 on Pixel devices, provides new capabilities for platform developers working on privileged applications.

With AVF, we are more broadly supporting virtualization to Android. Virtualization is widely used and deployed to isolate workloads and operating systems from each other. It enables efficient scaling of infrastructure, testing environments, legacy software compatibility, creating virtual desktops and much more.

With AVF virtual machines become a core construct of the Android operating system, similar to the way Android utilizes Linux processes. Developers have the flexibility to choose the level of isolation for a virtual machine:

    • One-way isolation: Android (the host) can control and inspect the contents of the VM. These are most commonly used for sandboxing and separation, enabling multiple operating systems to run on the same machine / device, with one operating system host (Android) controlling and watching over all others.
    • Two-way isolation (Isolated VM): Android (the host) and the virtual machine (the guest) are completely isolated from each other. Developers who deal with or store sensitive data may benefit from an isolated virtual machine. An isolated virtual machine has a two-way barrier, where neither the host (Android) nor the VM have access to each other, except via explicitly-agreed-upon communication channels. This has 2 main properties:
  1. The workload and data inside the VM is inaccessible (confidential) from the host (Android).
  2. Even if Android is compromised all the way up to (and including) the host kernel, the isolated VM remains uncompromised.

Benefits of AVF


With an isolated VM, developers now have an alternative to Trustzone for use cases that need isolation from Android without escalated privilege.


Virtual machines and the applications running inside them are far more portable than trusted applets. For example, a Linux-based virtual machine with a Linux-application payload will work on all devices that support AVF. This means that developers can build an application once and deploy it everywhere. VMs also make porting of existing Linux based applications seamless and easy, compared to porting into a Trustzone operating system.


AVF is designed to be lightweight, efficient and flexible. Virtual machines can:

    • be as small as a single C program and as big as an entire operating system depending on the developer’s need;
    • be persistent or intermittent;
    • grow in memory or shrink depending on the overall system health; and
    • honor Android’s scheduler hints and low-memory warnings.


AVF is designed with developers in mind. Virtual machines can be customized to meet specific use-case needs. Developers can deploy any VM payload as long as it conforms to certain boot and communication protocols specified by AVF.

In addition to bringing the power of virtualization to Android and enabling all the possibilities of virtual desktops, sandboxing, AVF’s use of isolated virtual machines can benefit the following common Android use cases (and many more):

    • Biometrics: By deploying biometric trusted applets in an isolated virtual machine, developers will have the isolation guarantee, access to more compute power for biometric algorithms, easy updatability regardless of the Trustzone operating system, and a more streamlined deployment.
    • DRM: Widevine enables streaming DRM on Android devices. Once deployed in an isolated Virtual Machine, updates to Widevine become much easier across Android devices, regardless of the details of the various Trustzone operating systems being deployed on those devices.

AVF Usage

AVF provides easy APIs to query the device’s ability to create virtual machines and their supported types, and to set up secure communication channels with these virtual machines from applications and services that create them.

For example, to check for the availability of the AVF APIs, and of isolated and regular VM:

VirtualMachineManager manager =
if (manager == null) {
    // AVF not supported
} else {
    int capabilities = manager.getCapabilities();
    if ((capabilities & CAPABILITY_PROTECTED_VM) != 0) {
        // protected VM is supported
    if ((capabilities & CAPABILITY_NON_PROTECTED_VM) != 0) {
        // non protected VM is supported

Please find additional documentation on AVF and its APIs here.

AVF Components

AVF Component architecture

AVF consists of the framework APIs, the hypervisor, and the Virtual Machine Manager. The hypervisor guarantees virtual machines (including Android) are isolated from each other, much like how the Linux kernel does it for processes. The AVF hypervisor (pKVM), however, does that with a significantly smaller (~50x) code base compared to the Linux kernel.

The Hypervisor (pKVM)

The hypervisor is focused on open source availability, security, device assignment to VMs and security by isolation between virtual machines. It has a small attack surface that meets a higher security assurance level. AVF APIs and features are fully supported by the protected KVM hypervisor (pKVM).

pKVM is built on top of the industry standard Kernel-based Virtual Machine (KVM) in Linux. It means all existing operating systems and workloads that rely on KVM-based virtual machines can work seamlessly on Android devices with pKVM.

Virtual Machine Manager (crosvm)

crosvm, a Rust-based Virtual Machine Manager (VMM), provides the glue between the hypervisor and the AVF framework. It is responsible for creating, managing and destroying virtual machines. In addition, it provides an abstraction layer across multiple hypervisor implementations.

Isolated Virtual Machines

Isolated virtual machines are invisible to Android i.e. any process running in Android cannot inspect, see, tamper with the content of such a virtual machine. This guarantee is provided by the hypervisor.

Virtual Machines

Virtual machines are the same as isolated VMs, except they are accessible to Android processes with the right permissions and privilege.


Microdroid is a trimmed down Android OS package that is created to serve as a template for starting a virtual machine (VM). It provides developers with a familiar environment to build and run their workloads in a VM. Microdroid uses familiar Android tools and libraries, such as Bionic, Binder IPC and keystore support.

Virtualization Service

VirtualizationService manages all guest VMs, isolated or otherwise. It does so, primarily by managing instances of crosvm. It also exposes an AIDL API, which system services or privileged apps can use to start, monitor, and stop VMs.


RpcBinder is an all-new backend developed for the Android Interface Definition Language (AIDL). RpcBinder enables communication to and from virtual machines using the existing binder wire protocol. This means:

  1. Developers can write interfaces to virtual machines using the language and infrastructure they are already familiar with - AIDL.
  2. Simply continue using existing AIDL interfaces even if the binder endpoint moves into a virtual machine.

What’s new in Android 14?

Android 14, not only makes AVF available on more devices, it also provides a new toolkit to enable building more with AVF and its components:

    • Android System API for AVF 
Privileged applications can now use VMs for executing their critical workload needing isolation; 

    • Hypervisor DevEx toolkit 
Added tracing capability, improved debuggability and monitoring capabilities to provide insights and assist platform developers in developing inside Isolated VMs; 

    • Hypervisor Vendor Modules 
With vendor module extensions, our partners can customize Google’s hypervisor (pKVM) to meet their specific need and differentiate themselves; 

    • System Health Improvements 
With Android 14, a microdroid based VM boots 2 times faster compared to Android 13 while using half the memory.

The rest of the AVF framework makes virtualization easy to use by Android services and apps. For example by abstracting inter-VM communication using AIDL as a transport layer, managing the VM lifecycle or how VMs are created.

Where can you start?

The AVF is only for developers of privileged applications and platform developers. TheAndroid Virtualization Framework overview provides a high level guidance on the detailed components of AVF. If you’re an Android Platform developer, try creating a Virtual Machine today and contact us at android-kvm if you have any questions.

Google Summer of Code 2016 wrap-up: QEMU

This post is part of a series of guest posts from students, mentors and organization administrators reflecting on Google Summer of Code (GSoC) 2016.

QEMU is a machine emulator and virtualizer. It can run operating systems and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC).  It is also used by hypervisors like KVM and Xen to virtualize x86, ARM, POWER and other architectures so virtual machines can run at near-native performance.

This year was QEMU's sixth time participating in Google Summer of Code and we had 6 students from around the world. Here are highlights from GSoC 2016:

Pranith Kumar worked on Multi-threaded TCG, a larger effort to make QEMU's just-in-time compiler multi-core friendly. He studied the memory ordering CPU instructions for many architectures supported by QEMU and devised a TCG opcode that can represent the memory ordering semantics. His patches allow TCG to correctly translate memory ordering instructions (previously they were ignored!). This is one piece of the puzzle to support multi-threaded translation and will help emulation scale to many cores. Pranith also contributed to testing and debugging multi-threaded TCG issues that he encountered while contributing to this cutting-edge part of QEMU.

Gerard Garcia worked on packet capture support for AF_VSOCK in Linux, tcpdump and Wireshark. QEMU recently gained support for the virtio-vsock device that allows socket communication between guest and host. The AF_VSOCK address family didn't support packet capture yet, making it hard to debug and observe communication between applications. Gerard’s patches implement the kernel interfaces and tcpdump/Wireshark functionality needed to monitor traffic over AF_VSOCK. This project was challenging because it required getting code merged in multiple open source projects. Gerard pulled it off with great skill!

Every year QEMU applies to participate in GSoC and we’re delighted for the opportunity to mentor students interested in systems programming, emulation, compilers and low-level code like firmware. You are welcome to get in touch on IRC or our mailing lists any time of the year to find out about contributing to QEMU. We also have a wiki page with small tasks you can get started on as your first step in QEMU programming.

By Stefan Hajnoczi, Organization Administrator for QEMU