Google’s pKVM Achieves SESIP Level 5 Certification, Setting New Standard for Mobile Security

Source: Google Security Blog

Google’s pKVM becomes the first globally certified software for consumer electronics to achieve SESIP Level 5, enabling secure on-device AI and high-criticality workloads.

Google has announced a landmark achievement in mobile security with the SESIP Level 5 certification of protected KVM (pKVM), the hypervisor powering the Android Virtualization Framework (AVF). This milestone establishes pKVM as the first open-source software security system designed for large-scale deployment in consumer electronics to meet this rigorous assurance standard.

A New Benchmark for Mobile Security

The certification, awarded by Dekra, a globally recognized cybersecurity lab, validates pKVM’s resistance to highly skilled attackers, including those with insider access and advanced resources. Evaluated under the TrustCB SESIP scheme (compliant with EN-17927) and incorporating AVA_VAN.5—the highest level of vulnerability analysis under ISO 15408 (Common Criteria)—pKVM demonstrates unprecedented resilience in mobile security.

Technical Significance

  • SESIP Level 5 ensures protection against advanced persistent threats (APTs) and sophisticated attack vectors.
  • Unlike many Trusted Execution Environments (TEEs) in the industry—which often lack formal certification or rely on lower assurance levels—pKVM provides a consistent, verifiable, and open-source security foundation.
  • The certification enables high-criticality isolated workloads, including on-device AI processing of sensitive user data, with strong privacy and integrity guarantees.

Impact on Android’s Security Architecture

This certification reinforces Android’s multi-layered security strategy, addressing a long-standing challenge for developers: the lack of a standardized, high-assurance isolation mechanism. With pKVM, device manufacturers now have a single, open-source firmware base that meets the highest security standards, reducing fragmentation and improving transparency.

Google has indicated that future Android devices will be required to use isolation technology meeting this security level for critical operations, ensuring a consistent and verifiable security baseline across the ecosystem.

A Collaborative Milestone

The achievement reflects years of collaboration between Google’s engineering teams, the Linux and KVM developer communities, and contributors to the Android Virtualization Framework (AVF). By open-sourcing pKVM, Google aims to foster broader adoption, enabling the mobile industry to build on a high-assurance security foundation.

Next Steps for the Ecosystem

  • Device manufacturers can leverage pKVM to enhance security for next-gen Android features, including secure AI workloads.
  • Developers gain a trustworthy isolation layer for building high-criticality applications with verifiable security.
  • Security researchers can audit and contribute to pKVM’s open-source codebase, further strengthening its resilience.

This certification marks a watershed moment for mobile security, setting a new standard for open-source, high-assurance protection in consumer electronics.