The ChromeOS Virtual Machine Monitor
crosvm is a secure, lightweight, and performant Virtual Machine Monitor (VMM) written in Rust. Originally developed for ChromeOS to run Linux (Crostini) and Android (ARCVM) guests, it is now used across multiple products and platforms, including TerminalApp on Android, Cuttlefish, and Windows.
crosvm focuses on security through strong isolation and a modern, memory-safe implementation. It leverages hardware-assisted virtualization to provide a robust execution environment for untrusted code.
- Security First: Built with Rust's memory safety guarantees. Each virtual device can be run in its own sandboxed process with restricted system access.
- Isolation: Uses Linux namespaces, seccomp filters, and Minijail to create a multi-layered security boundary.
- Performance: Optimized for modern workloads with features like io_uring, vhost, and an internal async runtime (cros_async).
- Portability: Supports multiple CPU architectures and hypervisor backends.
  - Architectures: x86_64, aarch64, riscv64.
  - Hypervisors on Linux/Android: KVM, Gunyah (Qualcomm), GenieZone (MediaTek), Halla (Exynos).
  - Hypervisors on Windows: WHPX (Windows Hypervisor Platform), HAXM (Intel).
crosvm implements a wide range of paravirtualized devices via the virtio standard:
- Network: virtio-net, with optional vhost and slirp backends.
- Storage: virtio-block, supporting raw, qcow2, zstd, and Android sparse formats.
- Graphics: virtio-gpu, with 2D and 3D acceleration (via virglrenderer, gfxstream, or vulkano).
- Display/Input: Integrated virtio-gpu cross-domain support for Wayland passthrough.
- Audio: virtio-snd, with backends for CRAS (ChromeOS), AAudio (Android), and more.
- File System: virtio-fs and virtio-9p.
- Other: Console, RNG, Balloon, Vsock, TPM, Pmem, Video Decoder/Encoder, etc.
crosvm is designed with a "process-per-device" model. The device processes are the ones that parse guest-controlled data, so a bug in one of them is contained by its jail rather than exposing the main process or the host:
- Main Process: Handles VM initialization and core orchestration.
- Device Processes: Each virtio device can be forked into its own process.
- Sandboxing: Each device process is jailed using Minijail:
  - Namespaces: VFS (pivot_root), PID, User, and Network isolation.
  - Seccomp: Strict BPF filters restrict syscalls to only those required by the specific device.
  - Capabilities: All unnecessary Linux capabilities are dropped.
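As an added practitioner check (an example script written for this page, not part of crosvm), the following POSIX shell script audits a running device process from the host and confirms that the jail described above is actually in place. It reads only the kernel's /proc/<pid>/status fields (Seccomp, NoNewPrivs, CapEff, NSpid) and the /proc/<pid>/ns/* links; nothing is assumed about crosvm's internal API. The status files embedded for the self-test are constructed, with made-up process names and pids, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of crosvm: verify from the host that a crosvm
# device process carries the jail the README describes:
#   Seccomp:    0 = none, 1 = strict, 2 = BPF filter      -> expect 2
#   NoNewPrivs: 1 = setuid/fscaps cannot regain privilege  -> expect 1
#   CapEff:     effective capability mask                  -> expect all zero
#   NSpid:      one pid per PID namespace from ours down   -> expect >1 entries
# plus mnt/pid/net/user namespace inodes that differ from the parent's.

# Check one /proc/<pid>/status-formatted text given on stdin.
# Prints every failed check; returns 0 only if all checks pass.
check_status() {
    status=$(cat)
    field() { printf '%s\n' "$status" | awk -v k="$1:" '$1 == k {print $2; exit}'; }
    seccomp=$(field Seccomp)
    nnp=$(field NoNewPrivs)
    capeff=$(field CapEff)
    # NF-1 = number of pid entries on the NSpid line (>1 means a child PID ns).
    nspid=$(printf '%s\n' "$status" | awk '$1 == "NSpid:" {print NF - 1; exit}')
    rc=0
    [ "$seccomp" = "2" ] || { echo "FAIL: Seccomp=${seccomp:-?} (want 2, BPF filter)"; rc=1; }
    [ "$nnp" = "1" ] || { echo "FAIL: NoNewPrivs=${nnp:-?} (want 1)"; rc=1; }
    case "${capeff:-missing}" in
        *[!0]*) echo "FAIL: CapEff=$capeff (want all capabilities dropped)"; rc=1 ;;
    esac
    [ "${nspid:-1}" -gt 1 ] || { echo "FAIL: NSpid has one entry (not in a child PID namespace)"; rc=1; }
    return $rc
}

# Check a live process: its status fields plus its namespace inodes compared
# with its parent's (for a device process the parent is the crosvm main
# process). Reading /proc/<pid>/ns/* needs ptrace access to that process,
# so run as root or as the user crosvm runs as.
check_pid() {
    pid=$1
    ppid=$(awk '$1 == "PPid:" {print $2}' "/proc/$pid/status")
    rc=0
    check_status < "/proc/$pid/status" || rc=1
    for ns in mnt pid net user; do
        child=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null)
        parent=$(readlink "/proc/$ppid/ns/$ns" 2>/dev/null)
        if [ -z "$child" ] || [ "$child" = "$parent" ]; then
            echo "FAIL: $ns namespace shared with parent pid $ppid (or unreadable)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample status files for the offline self-test (not real captures).
jailed_sample() {
    printf 'Name:\tcrosvm_device\nPid:\t4242\nPPid:\t4200\nNSpid:\t4242\t2\nNoNewPrivs:\t1\nSeccomp:\t2\nCapEff:\t0000000000000000\n'
}
unjailed_sample() {
    printf 'Name:\tcrosvm\nPid:\t4200\nPPid:\t1\nNSpid:\t4200\nNoNewPrivs:\t0\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n'
}

if [ $# -gt 0 ]; then
    for p in "$@"; do
        echo "== pid $p"
        check_pid "$p" && echo "OK: pid $p is jailed"
    done
else
    echo "== self-test on constructed samples"
    jailed_sample | check_status && echo "jailed sample: OK"
    unjailed_sample | check_status || echo "unjailed sample: rejected as expected"
fi
```

Run it against the children of the crosvm main process (for example the pids from `pgrep -P <crosvm-pid>`) as root or as the user crosvm runs as; with no arguments it runs the self-test on the constructed samples. If crosvm was started with --disable-sandbox, devices run inside the main process and there are no child processes to audit, which is itself the finding.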
- User Guide & Documentation: Comprehensive guide for users and developers.
- Architecture Deep Dive: Details on the internal design and communication framework.
- API Documentation: Auto-generated Rust API docs, useful for searching internal types and functions.
- Source Code: The authoritative Chromium Git repository.
- Contributor Guide: Workflow and coding standards.
- Note that the GitHub repository is a read-only mirror. All contributions are submitted via Chromium Gerrit.
The recommended way to build and develop crosvm is using the provided development container.
- Linux: A modern kernel (5.x+) with KVM access.
- Podman or Docker: Installed and configured.
Use the dev container to build a release version of crosvm:

```sh
./tools/dev_container ./tools/build_release
```

Then follow the example usage guide to run a simple Linux guest.
- Announcements: Join to watch for announcements.
- Matrix Chat: Join the #crosvm channel on Matrix.
- Issue Tracker: Report bugs or request features.
- For Googlers: See go/crosvm#filing-bugs.
- Mailing List: Developer discussions.
crosvm is an open-source project licensed under the BSD-3-Clause License.
