This page contains common use cases for AVF.
Isolated compilation
As a software-secure enclave, a protected virtual machine (VM) provides a safe environment to compile security-sensitive code. This environment allows moving the compilation of bootclasspath and system server JARs (triggered by an APEX update) from early boot to before reboot, and significantly reduces the post-APEX-update boot time.
The implementation is in the com.android.compos APEX. This component is optional and can be included using a makefile.
The security goal is to truthfully compile verified input and produce the output in isolation; Android as an untrusted client can't alter the compilation output in any way other than causing it to fail (when Android falls back to boot time compilation).
The compilation service in the VM generates a signature only if there's no error during the entire compilation. Android can retrieve the public key from the VM for signature verification.
The VM's key is generated from the VM's DICE profile, defined by the APEXes and APKs mounted to the VM, in addition to other VM parameters, such as debuggability.
To determine if the public key isn't from an unexpected VM, Android boots the VM to determine if the key is correct. The VM is booted at early boot after each APEX update.
With the Protected VM's Verified Boot, the compilation service runs only verified code. As a result, the code can decide to accept only inputs that satisfy certain conditions, for example, accept an input file only where its name and its fs-verity digest are defined in an allowlist.
Any exposed APIs from the VM are attack surfaces. All input files and parameters are assumed to be from an untrusted client, and must be verified and vetted before processing.
Input and output file integrity is verified by the VM, with the files stored on Android as an untrusted file server, as follows:
- The content of an input file must be verified before use using the fs-verity algorithm. For an input file to become available in the VM, its root hash must be provided in a container (APK) that contributes to the VM's DICE profile. With the trusted root hash, an attacker can't tamper with the input without being detected.
- The integrity of the output file must be maintained in the VM. Even if an output file is stored on Android, during the generation, the integrity is maintained with the same fs-verity tree format but can be dynamically updated. The final output file can be identified with the root hash, which is isolated in the VM. The service in the VM protects the output files by signature.
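The following is an added example, written for this page and not code from the compos APEX or from AVF. It models the VM-side input check described above: an fs-verity style digest (SHA-256 Merkle tree over 4096-byte zero-padded blocks, hashed through a 256-byte descriptor with no salt) is computed for each input file, compared against an allowlist keyed by file name, and compilation is refused if any input is missing from the allowlist or has been altered by the untrusted file server. The allowlist contents, the sample input bytes and the `compile_verified` stand-in for the real compiler are constructed for the example; only the Merkle tree and descriptor layout follow the fs-verity format.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 4096      # fs-verity default block size (log_blocksize = 12)
HASH_ALG_SHA256 = 1    # fs-verity hash algorithm identifier for SHA-256
HASH_SIZE = 32


def _hash_block(block: bytes) -> bytes:
    # fs-verity zero-pads every hashed block (data or tree level) to the block size.
    return hashlib.sha256(block.ljust(BLOCK_SIZE, b"\0")).digest()


def _chunks(buf: bytes):
    return [buf[i:i + BLOCK_SIZE] for i in range(0, len(buf), BLOCK_SIZE)]


def merkle_root(data: bytes) -> bytes:
    """Root hash of an fs-verity style Merkle tree (SHA-256, 4 KiB blocks, no salt).

    An empty file has no tree; its root hash is all zeros (convention assumed here).
    """
    if not data:
        return b"\0" * HASH_SIZE
    level = [_hash_block(b) for b in _chunks(data)]
    while len(level) > 1:
        # Pack this level's hashes into blocks and hash them to form the next level up.
        level = [_hash_block(b) for b in _chunks(b"".join(level))]
    return level[0]


def fsverity_digest(data: bytes) -> bytes:
    """fs-verity file digest: SHA-256 over the 256-byte fsverity_descriptor."""
    root = merkle_root(data)
    descriptor = struct.pack(
        "<BBBBIQ64s32s144s",
        1,                    # version
        HASH_ALG_SHA256,      # hash_algorithm
        12,                   # log_blocksize
        0,                    # salt_size
        0,                    # reserved
        len(data),            # data_size
        root.ljust(64, b"\0"),  # root_hash (padded to 64 bytes)
        b"\0" * 32,           # salt
        b"\0" * 144,          # reserved
    )
    assert len(descriptor) == 256
    return hashlib.sha256(descriptor).digest()


# Constructed sample input: ~10 KiB so the tree has more than one data block.
SAMPLE_INPUT = bytes(range(256)) * 40

# Constructed allowlist: file name -> expected fs-verity digest. In the real design the
# root hashes arrive in an APK that contributes to the VM's DICE profile.
ALLOWLIST = {"framework.jar": fsverity_digest(SAMPLE_INPUT)}


def verify_input(name: str, data: bytes, allowlist: dict) -> bool:
    """Accept a file only when both its name and its fs-verity digest are allowlisted."""
    expected = allowlist.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(fsverity_digest(data), expected)


def compile_verified(inputs: dict, allowlist: dict):
    """Model of the VM service: refuse unless every input verifies, else return the
    output together with the root hash that identifies it (stand-in for real compilation)."""
    for name, data in inputs.items():
        if not verify_input(name, data, allowlist):
            return None
    output = b"".join(inputs[name] for name in sorted(inputs))
    return output, merkle_root(output)


if __name__ == "__main__":
    tampered = bytearray(SAMPLE_INPUT)
    tampered[5000] ^= 1  # flip one bit in the second data block
    print("clean input accepted:", verify_input("framework.jar", SAMPLE_INPUT, ALLOWLIST))
    print("tampered input accepted:", verify_input("framework.jar", bytes(tampered), ALLOWLIST))
    print("unknown name accepted:", verify_input("other.jar", SAMPLE_INPUT, ALLOWLIST))
```

The comparison uses `hmac.compare_digest` so a mismatch does not leak which byte differed; a tampered block anywhere in the file changes the root hash and therefore the descriptor digest, which is why the allowlist only needs the single digest per file rather than the whole tree.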
Linux development environment
Android has traditionally been the only major operating system that doesn't let users develop apps on the platform itself. With the introduction of the Linux development environment, we aim to provide a Linux-based development environment to Android users who are developers. In the future, we plan to expand the effort to make it possible for our partners to implement innovative VM use cases like running graphical user interface apps and even games.
The Linux development environment is available on select devices and runs in a non-protected virtual machine.
The high-level components of the Linux VM are as follows:
- Terminal app: An Android application providing a terminal interface. It uses a WebView to connect to a web service running in the VM for interaction. This app is disabled by default. Activate it in Developer Settings.
- Android Virtualization Framework (AVF): Android's existing subsystem for VM creation and management. It requires minimal modification to support custom OS images for this feature.
- Virtual machine: A VM that AVF generates. It hosts the terminal service, and AVF creates it specifically for the Terminal app's functionality.
- OS image: A slightly modified Debian-based OS image from upstream Debian. The Terminal app downloads this image from an external Google server. It serves as the foundation for the VM's operation.
- Guest Agent: New software in the VM. It reports the OS's state to AVF and provides control of the virtual machine.
- ttyd: Open-source software running in the VM that implements terminal emulation over HTTP. The Terminal app's WebView connects to it.
- Tethering Manager: An existing Android subsystem. It provides network access to the virtual machine by tethering the VM to the Android-powered device.