[spacecadet404]

What's the use case for this rather than containers? Separation from the hypervisor kernel?

[Imustaskforhelp]

Containers (docker/podman) are still not as secure as virtualization (qemu,kvm,proxmox)

Plus these might be smaller and might run faster than containers too.

[throwaway894345]

Smaller than containers seems unlikely since a container doesn't have any kernel at all, while these microvms have to reproduce at least the amount of kernel they would otherwise need (e.g., a networking stack). I'm sure some will be inclined to compare an optimized microvm to an application binary slapped into an Ubuntu container image, but that's obviously apples/oranges.

Faster might be possible without the context switching between kernel and app? And maybe additional opportunities for the compiler to optimize the entire thing (e.g., LTO)?

[justatdotin]

container can be smaller at rest, but larger at runtime

if you're not sure which you want its probably container

[m00dy]

yeah it's a fairy tale.

[ignoramous]

> Separation from the hypervisor kernel?

Not really. Separation from (type 1) hypervisor (or rather distrust of the host [0]) requires hardware support; ex: ARM CCA / AMD SEV-SNP / Intel TDX.

For separation from the supervisor, Android developed a peculiar approach in "pKVM" for ARM where the host (supervisor) is partitioned away from the guest [1].

Both those "separations" is not something Toro provides on its own; the Toro unikernel would totally be under the control of the host, from what I can tell. That said, what Toro (or any unikernel, really) does is reduce the attack surface area, as the (guest) supervisor is pruned to run just one particular application (more code to partition things up will eliminate a class of attacks but may result in new attack vectors [2]).

[0] ex: https://news.ycombinator.com/item?id=44678249

[1] Protected KVM on Arm64: A Technical Deep Dive - Quentin Perret, Google https://www.youtube.com/watch?v=9npebeVFbFw (2023)

[2] Mitigations are attack surface, too https://projectzero.google/2020/02/mitigations-are-attack-su... (2020)

[mvaralar]

> Both those "separations" is not something Toro provides on its own; the Toro unikernel would totally be under the control of the host, from what I can tell. That said, what Toro (or any unikernel, really) does is reduce the attack surface area, as the (guest) supervisor is pruned to run just one particular application (more code to partition things up will eliminate a class of attacks but may result in new attack vectors [2]).

Toro does not provides that separation. However, I was having some thoughs about running the user app in ring1 to provide some sort of separation whereas the kernel runs in ring0. However, in that case, we may end up in the current user/kernel level separation of general purpose OSs.

[eru]

It can be much faster, and much smaller surface area for attacks than using a full Linux kernel.

[ahepp]

Presumably to avoid the cost of context switches or copying between kernel/user address spaces? Looks to be the opposite of userspace networking like DPDK: kernel space application programming.

[justatdotin]

anywhere you want hard isolation and only a subset of OS. especially multiple instances thereof.

so, generally at the edge (gateways, shims, protocol boundaries)