Understanding the Android Virtualization Framework (AVF)
I’ve had the opportunity to host meetings with security experts discussing the Android Virtualization Framework (AVF) and how to bring it to market. Terms like pKVM, pVM, TEE, SecretKeeper, and Microdroid can be confusing, so I’ve compiled a concise explanation to make sense of it all.
As the complexity of mobile applications and the sensitivity of the data they handle increase, so does the need for robust security solutions. Enter the Android Virtualization Framework (AVF), a groundbreaking innovation designed to enhance security, efficiency, and flexibility in Android devices. In this blog post, we’ll explore AVF and how its key components work together to create a more secure mobile ecosystem.
The Android Virtualization Framework (AVF) is a comprehensive set of technologies enabling the creation and management of isolated execution environments on Android devices. These environments, known as Protected Virtual Machines (pVMs), are designed to securely isolate workloads from the main operating system, thus enhancing security and efficiency.
At the heart of AVF is the Protected KVM (pKVM), an open-source Type-1 hypervisor that runs directly on the device’s hardware. By operating below the Linux kernel, pKVM ensures robust isolation of pVMs and securely manages their execution. This setup addresses the limitations of traditional Trusted Execution Environments (TEEs), such as TrustZone, which have been constrained by hardware dependencies and less flexible resource allocation.
