Full Report
Posted by Dave Kleidermacher, VP Engineering, Android Security & Privacy

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics. Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification. This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

Supporting Next-Gen Android Features

The implications for the future of secure mobile technology are profound. With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features such as on-device AI workloads that operate on ultra-personalized data, with the highest assurances of privacy and integrity.

This certification required a hands-on evaluation by Dekra, a globally recognized cybersecurity certification lab, which conducted an evaluation against the TrustCB SESIP scheme, compliant with EN-17927. Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the highest level of vulnerability analysis and penetration testing under the ISO 15408 (Common Criteria) standard. A system certified to this level has been evaluated to be resistant to highly skilled, knowledgeable, well-motivated, and well-funded attackers who may have insider knowledge and access.

This certification is the cornerstone of the next generation of Android's multi-layered security strategy. Many of the TEEs (Trusted Execution Environments) used in the industry have not been formally certified or have only achieved lower levels of security assurance. This inconsistency creates a challenge for developers looking to build highly critical applications that require a robust and verifiable level of security.

The certified pKVM changes this paradigm entirely. It provides a single, open-source, and exceptionally high-quality firmware base that all device manufacturers can build upon. Looking ahead, Android device manufacturers will be required to use isolation technology that meets this same level of security for the various security operations the device relies on. Protected KVM ensures that every user can benefit from a consistent, transparent, and verifiably secure foundation.

A Collaborative Effort

This achievement represents just one important aspect of the immense, multi-year dedication from the Linux and KVM developer communities and multiple engineering teams at Google developing pKVM and AVF. We look forward to seeing the open-source community and Android ecosystem continue to build on this foundation, delivering a new era of high-assurance mobile technology for users.
Analysis Summary
# Regulation/Compliance: SESIP Level 5 Certification for Android pKVM
## Overview
This summary outlines the achievement of Security Evaluation Standard for IoT Platforms (SESIP) Level 5 certification by Android's protected KVM (pKVM), the hypervisor behind the Android Virtualization Framework. This certification signifies that the software component has met stringent, globally recognized security assurance requirements aimed at protecting sensitive data and system integrity, particularly in mobile and complex operating system environments.
## Key Details
- Evaluation Lab and Scheme: **Dekra**, a cybersecurity certification lab, performed a hands-on evaluation against the **TrustCB SESIP scheme**, compliant with EN-17927, as stated in the report.
- Effective Date: The article was published on **August 12, 2025**. The certification itself is effective upon award by the issuing scheme.
- Jurisdiction: **International recognition** through the SESIP scheme; the AVA_VAN.5 vulnerability-analysis component it incorporates is drawn from ISO 15408 (Common Criteria), which is itself internationally recognized.
- Status: **Achieved/In Effect** (The certification has been successfully granted for the assessed software).
## Requirements
### Mandatory Requirements
The attainment of SESIP Level 5 implies adherence to the rigorous technical and process requirements defined within the target Protection Profile (likely relating to platform security, confidentiality, and integrity protection). Although the specific technical mandates of the PP are not detailed in the article, mandatory requirements for achieving this level typically include:
1. Demonstrating robust isolation between trusted and untrusted execution environments (a core function of pKVM).
2. Providing strong evidence of secure development lifecycle practices.
3. Implementing stringent cryptographic functions for data protection.
4. Achieving a high level of assurance in resistance against known attacks (as verified by specialized evaluators).
### Recommended Practices
As this is a product certification rather than a direct mandate for all organizations, recommended practices are generally applicable to **software developers and hardware manufacturers**:
1. Continuously update the certified component to maintain alignment with the security assurance package throughout its lifecycle.
2. Leverage the architectural security benefits provided by pKVM (e.g., isolating sensitive workloads) in application design.
## Affected Organizations
- Industries: Primarily **Mobile Device Manufacturers**, **Operating System Developers (like Google/Android ecosystem partners)**, and **Component Vendors** relying on the Android platform for high-security functions.
- Organization Size: Relevant to any organization developing or deploying hardware/software targeting high-assurance mobile use cases.
- Geographic Scope: Global, due to the international recognition of the CCRA certification scheme.
## Compliance Timeline
The context provided relates to a specific product achievement, not a regulatory deadline for external entities.
- **August 12, 2025**: Android pKVM achieved SESIP Level 5 certification.
- **Ongoing**: Device manufacturers choosing to market devices meeting this security level must ensure their implementation remains consistent with the certified baseline.
## Implementation Guidance
### Assessment Phase
- **For component developers (Google/Android):** Underwent rigorous evaluation by an accredited laboratory (Dekra) against the TrustCB SESIP scheme requirements, including documentation review, implementation testing, and vulnerability analysis and penetration testing at the AVA_VAN.5 level.
### Implementation Phase
- **For downstream developers:** Integrate and deploy the certified pKVM component into their device builds, ensuring no modifications break the certified security boundaries.
### Validation Phase
- **For end-users/deployers:** Verify that their deployed Android platform includes the specific version of pKVM covered by the SESIP Level 5 certification.
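One practical way to start the validation step above is to read the device's hypervisor boot properties. The following script is an added example, not part of the Android post or the AVF project: it parses a `getprop` dump (in practice `adb shell getprop`), checks that protected VMs are advertised, and compares the reported hypervisor version against an expected value. The property names are the AOSP `HypervisorProperties` sysprops; the expected version is a placeholder, because the post does not state which build is in the certificate's scope.

```shell
#!/bin/sh
# Added example: check whether a device advertises pKVM protected-VM support and
# whether its hypervisor version string matches the certified baseline.
# The expected version is a placeholder (assumption); take the real value from
# the certificate's scope statement.
EXPECTED_PKVM_VERSION="${EXPECTED_PKVM_VERSION:-PLACEHOLDER-VERSION-FROM-CERTIFICATE}"

# prop_value DUMP NAME -> prints the value of NAME from a `getprop` dump,
# whose lines look like "[name]: [value]".
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# check_pkvm DUMP -> 0 if protected VMs are supported and the version matches,
#                    1 if pKVM protected VMs are not advertised,
#                    2 if pKVM is present but the version differs from baseline.
check_pkvm() {
    dump="$1"
    supported=$(prop_value "$dump" "ro.boot.hypervisor.protected_vm.supported")
    version=$(prop_value "$dump" "ro.boot.hypervisor.version")
    if [ "$supported" != "true" ]; then
        echo "pKVM protected VMs not advertised (protected_vm.supported='$supported')"
        return 1
    fi
    if [ "$version" != "$EXPECTED_PKVM_VERSION" ]; then
        echo "pKVM present, version '$version' differs from expected '$EXPECTED_PKVM_VERSION'"
        return 2
    fi
    echo "pKVM present, version '$version' matches the certified baseline"
    return 0
}

# Constructed sample dump standing in for `adb shell getprop` output, so the
# script runs offline. On a real device use: check_pkvm "$(adb shell getprop)"
SAMPLE_DUMP='[ro.boot.hypervisor.protected_vm.supported]: [true]
[ro.boot.hypervisor.version]: [PLACEHOLDER-VERSION-FROM-CERTIFICATE]
[ro.boot.hypervisor.vm.supported]: [true]'

check_pkvm "$SAMPLE_DUMP"
```

A matching version string shows only that the device runs the expected pKVM build; it does not by itself prove the build is unmodified, which is what the certified baseline and Android's attestation mechanisms are for.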
## Technical Requirements
The certification implicitly confirms strong technical adherence to the underlying protection profile. For a Level 5 assurance, this means:
- **Strong Attestation:** The system must provide verifiable proof of its integrity.
- **Hardware Root of Trust (Implied):** SESIP L5 typically requires the hypervisor to anchor its chain of trust in hardware security components (for example, a discrete security chip such as Titan M2), so that the isolation boundary cannot be undermined from below.
- **Kernel Isolation:** Strict enforcement of memory and process isolation provided by the pKVM hypervisor architecture.
## Penalties & Enforcement
The article documents a voluntary security evaluation achievement, not a penalty or enforcement action by a regulatory body.
- Fines: **Not Applicable** (This is a voluntary certification).
- Other Consequences: Organizations achieving this level gain a significant **market advantage and trust signal** regarding platform security. Failure to maintain security generally results in reputation damage and potential mandatory patching requirements by downstream distributors (like Google Play).
- Enforcement: **Market forces and contractual agreements** drive the adoption of such high standards, rather than direct government penalties based on this specific award.
## Related Standards
- **Common Criteria (CC):** SESIP Level 5 incorporates AVA_VAN.5, the highest vulnerability-analysis and penetration-testing component of the CC framework (ISO/IEC 15408).
- **Protection Profiles (PPs):** Documentation defining the security requirements the evaluation target must meet for its intended environment.
- **NIST/ISO (Indirectly):** SESIP L5 does not map to a single NIST SP or ISO standard, but its assurance level aligns conceptually with the high-assurance controls expected in ISO/IEC 15408 and ISO/IEC 27001 compliance efforts.
## Resources
- Official Documentation: The **TrustCB SESIP scheme** documentation and the EN-17927 standard it complies with.
- Guidance Documents: Google Android Security documentation regarding pKVM architecture.
- Tools: Specialized **Evaluation Tools** used by accredited Common Criteria laboratories.
## Practical Recommendations
1. **Supply Chain Assurance:** Organizations relying on Android devices for processing sensitive data should prioritize sourcing devices confirmed to utilize components certified at or above SESIP Level 3/4/5.
2. **Security Baseline:** Use the security claims proven by the SESIP L5 certification as the minimum acceptable security baseline for future mobile platform procurement decisions.
3. **Monitor Updates:** Track Google’s security updates to ensure that the underlying certified pKVM environment is maintained through official patches.