by cedws 814 days ago
> With unikernels you get hardware-level isolation AND, interestingly, the performance thanks to the lack of strong syscall boundaries

How does this compare to gVisor? My understanding is that it's the same.

Thanks for the detailed response. I might give it a go some weekend.

1 comment

In fact, gVisor is the opposite: it injects more guard instructions between the application and the kernel across the syscall layer in order to make stronger security guarantees. These additional guards slow the application even further by however long it takes to perform necessary permission checks.

It is not necessary to have such checks in a unikernel because the kernel inherently trusts the application because together they were constructed in the same pipeline. The hardware then protects the two together.
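A small microbenchmark to put a number on the syscall boundary this thread is arguing about. This is an added example, not code from the thread, from gVisor or from any unikernel project: it times a cheap real system call (getppid, which is not vDSO-accelerated) against an in-process function call, so it measures only the native user/kernel crossing that a unikernel removes and that any interposing layer such as gVisor sits on top of; it does not model gVisor's own checks. It assumes a POSIX system with CLOCK_MONOTONIC (Linux or macOS) and a GCC/Clang compiler for the noinline attribute.

```c
/* Added example (not from the HN thread, gVisor, or a unikernel project):
 * cost of one user/kernel boundary crossing vs. a plain function call.
 * Assumes POSIX clock_gettime(CLOCK_MONOTONIC) and GCC/Clang attributes. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Opaque target for the "no boundary" baseline: noinline keeps the
 * compiler from folding the call into the loop. */
__attribute__((noinline)) static long in_process_call(long x) {
    return x + 1;
}

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Total nanoseconds for `iters` getppid() calls. getppid() is a real
 * system call, so every iteration crosses into the kernel and back. */
uint64_t ns_for_syscalls(unsigned iters) {
    volatile long sink = 0;   /* volatile: the loop cannot be optimised away */
    uint64_t t0 = now_ns();
    for (unsigned i = 0; i < iters; i++) {
        sink += getppid();
    }
    uint64_t t1 = now_ns();
    (void)sink;
    return t1 - t0;
}

/* Total nanoseconds for `iters` in-process function calls: the same work
 * shape, with no privilege boundary in the path. */
uint64_t ns_for_calls(unsigned iters) {
    volatile long sink = 0;
    uint64_t t0 = now_ns();
    for (unsigned i = 0; i < iters; i++) {
        sink += in_process_call((long)i);
    }
    uint64_t t1 = now_ns();
    (void)sink;
    return t1 - t0;
}

int main(void) {
    const unsigned iters = 1000000;
    uint64_t sys_ns  = ns_for_syscalls(iters);
    uint64_t call_ns = ns_for_calls(iters);
    printf("syscall (getppid): %.1f ns/op\n", (double)sys_ns / iters);
    printf("function call:     %.1f ns/op\n", (double)call_ns / iters);
    if (call_ns > 0) {
        printf("boundary cost: ~%.0fx a function call\n",
               (double)sys_ns / (double)call_ns);
    }
    return 0;
}
```

Run it natively, then inside a gVisor sandbox (runsc) if you have one: the native ratio is the bare boundary cost, and the difference between the two runs is the price of the extra checks the reply describes, since the function-call column should barely move while the getppid column grows.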