If you’re into Android virtualization, you may have come across pKVM. This special version of the Kernel-based Virtual Machine (KVM), known as protected KVM or simply pKVM, is designed to enhance security on Android devices while improving OS-level virtualization.
pKVM is an extension of KVM that strengthens isolation between virtual machines (VMs), ensuring each VM runs independently without having access to Android’s core system data. It does this by assigning hardware resources more strictly, protecting both the Android host system and each VM. This isolation is crucial for Android, where privacy and security are essential, minimizing the risk of vulnerabilities or data leaks.
Key Advantages of pKVM on Android
Enhanced Security and Privacy: pKVM’s main advantage is that each VM has its own secure space, meaning compromised VMs cannot affect the main Android system. This high level of isolation is critical for protecting data and preventing threats.
Better Resource Management: pKVM allows for precise allocation of hardware resources (CPU, memory, GPU) to each VM, meaning they operate independently without sharing these directly with Android. This boosts overall performance and keeps VMs optimized.
Ideal for Virtualization Use Cases: pKVM offers a reliable and secure way to run isolated environments, which is especially valuable for Android-based enterprise services or large-scale app testing. Each environment can safely run apps, handle sensitive data, or perform simulations with minimal security risks.
Scalability Support: pKVM enables Android devices to manage multiple VMs simultaneously, each with its own protection level. This scalability is a game-changer for developers and companies that need constant testing and isolated simulations.
Virtual machines (VMs) bring powerful benefits, especially for developers and security-focused users:
- Isolation and Security: VMs create a completely isolated environment, ideal for testing software safely without risking the main system.
- Cross-Platform Flexibility: Run multiple operating systems on one device (Windows, Linux, Android) without rebooting—perfect for cross-platform testing.
- Quick Snapshots and Rollbacks: Save VM states with snapshots and revert easily, making testing and debugging more efficient.
- Optimized Resource Usage: Efficient VM management allows one machine to handle multiple systems, maximizing hardware use.
- Perfect for Development: Developers can test apps, simulate network setups, and work with legacy software in a controlled, flexible environment.
- Scalability: VMs are key to cloud solutions, letting you scale up or down quickly, supporting dynamic workloads and streamlined deployments.
- Easy Backup and Transfer: VMs are simple to back up, move, and recover—especially valuable for transferring setups between devices or managing business continuity.
Android 13 and up comes with KVM support and the Android Virtualization Framework, which includes the tool crosvm.
Crosvm is a lightweight virtual machine monitor (VMM) designed by Google specifically for use with Chrome OS and Android, optimized to run Linux-based virtual machines efficiently and securely.
Compile Linux Kernel
# Cross-compile an arm64 kernel on the build host (needs the aarch64-linux-gnu- toolchain)
wget https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.11.5.tar.xz
tar -xvf linux-6.11.5.tar.xz
cd linux-6.11.5
ARCH=arm64 make -j8 defconfig
ARCH=arm64 make -j8 olddefconfig
CROSS_COMPILE=aarch64-linux-gnu- make ARCH=arm64 -j8
# Push the resulting kernel image to the device
adb push arch/arm64/boot/Image /data/local/tmp/Image6.11.5
Creating a rootfs
# Create a sparse 10 GB ext4 image and populate it with Debian stable for arm64 (run as root)
truncate -s 10G debian.ext4
mkfs.ext4 debian.ext4
CHROOT_PATH=$(pwd)/rootfs
mkdir rootfs
mount -o loop debian.ext4 "${CHROOT_PATH}"
debootstrap --arch=arm64 stable "${CHROOT_PATH}" http://deb.debian.org/debian/
chroot "${CHROOT_PATH}" /bin/sh
# Configure the system (e.g. set the root password), then leave the chroot
umount "${CHROOT_PATH}"
# Push the root filesystem image to the device
adb push kernel_crosvm/debian.ext4 /data/local/tmp/
Running the VM on Android
# /data/local/tmp/test must exist on the device; it is shared with the guest over 9p.
# The kernel and rootfs paths match the files pushed above.
/apex/com.android.virt/bin/crosvm --log-level=debug run \
    --shared-dir /data/local/tmp/test:testdir:type=9p \
    --disable-sandbox \
    --block /data/local/tmp/debian.ext4,root \
    --cpus num-cores=8 --mem size=2048 \
    --serial type=stdout,hardware=virtio-console,console,stdin \
    /data/local/tmp/Image6.11.5
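Before pushing the artifacts to the device it is worth confirming they are what the steps above should have produced, and noting which parts of the crosvm command line widen the guest's reach. The POSIX shell helpers below are an added example, not code from the original post; they assume dd, od and sha256sum (or shasum) on the build host, and check the arm64 Image header magic at byte offset 56 and the ext4 superblock magic at byte offset 1080.

```shell
#!/bin/sh
# Pre-flight checks for a cross-compiled kernel Image and a debootstrap rootfs
# before `adb push`, plus a quick audit of the crosvm switches used above.

# 0 if $1 carries the arm64 Linux Image header magic ("ARM\x64" at offset 56).
is_arm64_image() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 skip=56 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "41524d64" ]
}

# 0 if $1 carries the ext2/3/4 superblock magic (0xEF53 little-endian at offset 1080).
is_ext4_image() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# SHA-256 of $1, to compare with `adb shell sha256sum` on the device after the push.
artifact_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Print the number of risk-relevant switches found in a crosvm command line ($1).
# --disable-sandbox turns off crosvm's per-device process sandboxing; a 9p
# shared directory exposes that host directory to the guest.
audit_crosvm_args() {
    warnings=0
    case " $1 " in *" --disable-sandbox "*)
        echo "warning: device sandboxing disabled (--disable-sandbox)" >&2
        warnings=$((warnings + 1)) ;;
    esac
    case "$1" in *"--shared-dir "*":type=9p"*)
        echo "warning: host directory shared with the guest over 9p" >&2
        warnings=$((warnings + 1)) ;;
    esac
    echo "$warnings"
}

# Check both images and print their hashes; non-zero on the first failure.
preflight() {
    is_arm64_image "$1" || { echo "not an arm64 kernel Image: $1" >&2; return 1; }
    is_ext4_image "$2"  || { echo "not an ext4 image: $2" >&2; return 1; }
    echo "kernel  $(artifact_sha256 "$1")  $1"
    echo "rootfs  $(artifact_sha256 "$2")  $2"
}
# Usage: preflight arch/arm64/boot/Image debian.ext4 && adb push ...
```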
Happy Hacking!