Open-source multi-persona phone OS for the Pixel 9/10.
Boots a thin base layer that hosts multiple full Android instances as hardware-isolated pKVM guests. Switch between them in under 5 seconds. Each persona has its own apps, accounts, network egress (WireGuard / Tor / raw), and snapshot. pKVM enforces memory isolation in hardware — personas can't see each other. Foreground persona owns NFC, modem, biometrics, display, audio, input — via host arbitrator daemons. Background personas live as encrypted snapshots on disk.
The development model is a Cuttlefish-based dev loop: the entire system runs on a Linux dev box via Cuttlefish (Google's reference virtual Pixel, with crosvm + nested pKVM). Iterate on Cuttlefish in minutes, deploy to real hardware when ready.
┌───────────────────────────────────────────────────────────────┐
│ Pixel 9 / 10 hardware │
│ │
│ ┌─ Base layer (custom AOSP, ~1.2GB) ──────────────────────┐ │
│ │ pKVM hypervisor at EL2 │ │
│ │ SurfaceFlinger · InputDispatcher · AudioFlinger │ │
│ │ PersonaLauncher · personad │ │
│ │ Arbitrators: NFC · RIL · Biometric · TEE-broker │ │
│ │ Per-persona netns + WireGuard/Tor/nftables │ │
│ └─────────────────────┬───────────────────────────────────┘ │
│ │ │
│ ┌────────────────┼────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Persona │ │ Persona │ │ Persona │ │
│ │ A (FG) │ │ B (sus) │ │ C (cold) │ │
│ │ Graphene │ │ Stock+GP │ │ Burner │ │
│ │ as pVM │ │ snapshot │ │ snapshot │ │
│ └──────────┘ └──────────┘ └──────────┘ │
└───────────────────────────────────────────────────────────────┘
| Path | What |
|---|---|
PLAN.md |
Master build spec — start here |
docs/ |
Architecture, dev-loop, references, threat model, runbook |
tools/ |
Build, signing, flash, test orchestration |
host/ |
Base layer (device config, launcher, arbitrators) |
guest/ |
Android-as-pVM image (kernel, virt HALs, system overlays) |
pkvm/, crosvm/, avf/ |
Patches to upstream hypervisor / VMM / VirtualizationService |
networking/ |
Per-persona netns + WireGuard + Tor configs |
tests/ |
Cuttlefish suite, real-Pixel e2e, unit, fuzz |
ci/ |
GitHub Actions + Drone CI |
third_party/ |
Vendored references |
git clone https://github.com/<you>/personaphone
cd personaphone
./tools/build/setup-host.sh # one-time dev host setup
./tools/build/sync-sources.sh # one-time, ~250GB AOSP + deps
./tools/build/build-all.sh # full build
./tools/build/cuttlefish-up.sh # boot in Cuttlefish
./tools/test/run.sh --suite cuttlefishWhen the Cuttlefish suite is green:
./tools/flash/flash-pixel.sh --device <serial>
./tools/test/run.sh --suite e2e --device <serial>Specification complete. Implementation in progress. See PLAN.md § 1 for success criteria; CI badge here will reflect their pass rate.
Apache 2.0 for our code. Upstream components retain their licenses (Linux GPL-2, crosvm BSD-3, AOSP Apache 2.0, etc.).
PLAN.md— the master specdocs/architecture.md— deep architecturedocs/dev-loop.md— Cuttlefish dev environmentdocs/references.md— all the forkable repos this project draws from