AOSP Expert & Production Engineering

Microdroid

Microdroid is a deeply stripped-down version of the Android OS designed specifically to run as a guest operating system within the Android Virtualization Framework (AVF). It provides a familiar Android-like environment (Bionic libc, Binder, standard system properties) but removes heavy components like the UI framework, Java Zygote, and graphical services.

Microdroid: Tiny Android-Based Guest OS

The goal of Microdroid is to provide a minimalistic, highly secure execution environment. By sharing the same build system and libraries as the host Android OS, developers can write native code (C/C++/Rust) that runs seamlessly in both environments.

What is included in Microdroid:

  • Linux Kernel (GKI)
  • Init system
  • Bionic libc and core native libraries
  • Binder RPC
  • Keystore (for cryptographic operations)

What is excluded:

  • SurfaceFlinger and WindowManager
  • Dalvik/ART (Java environment is heavily restricted or absent)
  • ActivityManager and PackageManager

Microdroid VM Lifecycle

The lifecycle of a Microdroid VM is tightly controlled by the host's VirtualizationService:

  1. Configuration: The host app defines the VM configuration, specifying the payload, memory, and CPU limits.
  2. Initialization: VirtualizationService launches crosvm. crosvm loads the Microdroid bootloader and kernel.
  3. Boot Phase: The Microdroid kernel boots, mounts its internal partitions (read-only), and starts its lightweight init process.
  4. Payload Execution: Microdroid init starts the payload daemon (microdroid_manager), which verifies the cryptographic signatures of the user payload before executing it.
  5. Termination: The VM is stateless. Once the payload completes or the host kills the VM, all runtime state is destroyed. There is no persistent storage across reboots.

Running APKs Inside Microdroid

While Microdroid lacks a full PackageManager, it supports executing payloads packaged inside standard Android APKs. This simplifies distribution, as the payload logic is shipped within the host application's APK.

The host app passes a file descriptor to its own APK to the VirtualizationService. Microdroid mounts this APK, extracts the native shared libraries (.so files) located in a specific directory (e.g., lib/ or assets/), and executes the defined entry point.

Communication between the host app and the guest payload is strictly Binder RPC over vsock; there is no shared filesystem or network path between them.

// Example: Native entry point inside the Microdroid payload
// (illustrative sketch; the RPC server arguments are elided with "...")
extern "C" int main(int argc, char** argv) {
    // Expose the payload's Binder service to the host over vsock.
    // The host connects to this server once the VM reports it is ready.
    ABinderRpc_startServer(...);

    // Process secure workload: the payload's own logic runs here,
    // isolated from the host by the VM boundary.
    ProcessHighlySensitiveData();

    return 0;
}

Microdroid Payload Signing

Security is the primary mandate of Microdroid. To prevent arbitrary code execution, Microdroid strictly enforces payload signing.

When Microdroid boots, microdroid_manager uses dm-verity and fs-verity to ensure the integrity of the payload. The payload (packaged in the APK) must be cryptographically signed by a key that is trusted by the host configuration.

If the signature validation fails or the APK has been tampered with, Microdroid refuses to execute the payload and shuts down the VM immediately. This creates a secure chain of trust from the host hardware all the way into the guest payload execution.
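The integrity check described above relies on a Merkle tree: fs-verity hashes the payload in fixed-size blocks and chains the block digests up to a single root, so any block can be verified on demand against that one trusted value. The following is an added model of that scheme in Python, not Microdroid's or AVF's code; it assumes fs-verity's 4096-byte blocks, SHA-256 over zero-padded blocks with no salt, a constructed sample payload, and a root hash that the trusted host configuration pins (function names are the author's own).

```python
import hashlib

BLOCK = 4096                           # fs-verity data and tree block size
DIGEST = hashlib.sha256().digest_size  # 32 bytes
PER_BLOCK = BLOCK // DIGEST            # 128 digests fit in one tree block


def _blocks(buf: bytes) -> list[bytes]:
    """Split into BLOCK-sized chunks; an empty input still yields one block."""
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)] or [b""]


def _h(block: bytes) -> bytes:
    """Digest of a block after zero-padding to BLOCK, as fs-verity does."""
    return hashlib.sha256(block.ljust(BLOCK, b"\0")).digest()


def build_tree(data: bytes) -> list[list[bytes]]:
    """Levels from leaf digests (level 0) up to the single-digest root level.
    The tree itself is untrusted input; only the root hash is trusted."""
    levels = [[_h(b) for b in _blocks(data)]]
    while len(levels[-1]) > 1:
        levels.append([_h(b) for b in _blocks(b"".join(levels[-1]))])
    return levels


def verify_block(data: bytes, index: int, tree: list[list[bytes]],
                 trusted_root: bytes) -> bool:
    """On-demand check of one data block: walk its path up the tree and
    require the final digest to equal the trusted root. No other data
    block has to be read, which is what makes lazy verification cheap."""
    digest = _h(_blocks(data)[index])
    for level in tree[:-1]:
        if index >= len(level) or level[index] != digest:
            return False                      # leaf or interior node mismatch
        parent = index // PER_BLOCK
        digest = _h(b"".join(level[parent * PER_BLOCK:(parent + 1) * PER_BLOCK]))
        index = parent
    return digest == trusted_root


def verify_payload(data: bytes, tree: list[list[bytes]],
                   trusted_root: bytes) -> bool:
    """Eager variant: every block must chain up to the trusted root."""
    return all(verify_block(data, i, tree, trusted_root)
               for i in range(len(_blocks(data))))


if __name__ == "__main__":
    payload = bytes(i % 251 for i in range(3 * BLOCK + 100))   # constructed sample
    tree = build_tree(payload)
    root = tree[-1][0]                                          # value the host pins
    tampered = bytearray(payload); tampered[BLOCK + 7] ^= 0x01  # one bit in block 1
    print(verify_payload(payload, tree, root))                  # True
    print(verify_block(bytes(tampered), 1, tree, root))         # False
    print(verify_payload(bytes(tampered), build_tree(bytes(tampered)), root))  # False
```

The last line shows the important case: recomputing the tree over modified data does not help an attacker, because the root it produces no longer matches the pinned value.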