2 releases
Uses new Rust 2024
0.1.1 | Jun 11, 2025 |
---|---|
0.1.0 | Jun 10, 2025 |
Hermit-WASM - Running WASM modules inside a lightweight VM
Hermit-WASM is able to run WASM Modules on top of the Unikernel Hermit inside a lightweight virtual machine. Its purpose is to enable applications to safely run untrusted or third party WASM code within a VM with very low latency/overhead.
The current version of Hermit-WASM requires Rust's nightly compiler and is a prototype that supports only the target wasm32-wasip1. In addition, Hermit-WASM implements only a subset of the required bindings.
Requirements
rustup
- Install required toolchain:
rustup target add wasm32-wasip1
Building from source
To build from source, check out the code and use cargo build with a hermit target. The following commands build Hermit-WASM for aarch64 processors:
# clone Hermit repository
git clone --recurse-submodules https://github.com/hermit-os/hermit-rs.git
# switch to the directory of the Hermit repository
cd hermit-rs
# build Hermit-WASM
cargo build -Zbuild-std=std,panic_abort -Zbuild-std-features=compiler-builtins-mem --target aarch64-unknown-hermit -p hermit-wasm --release
To build Hermit-WASM for another architecture, replace aarch64-unknown-hermit with x86_64-unknown-hermit for the x86 architecture or riscv64gc-unknown-hermit for the RISC-V architecture.
Usage
This guide assumes that Linux is the host operating system, running on an aarch64 processor, and that virtiofsd is installed. In addition, the host offers KVM to accelerate the virtual machine.
Build the demo application wasm-test for the target wasm32-wasip1.
cargo build --target wasm32-wasip1 --release -p wasm-test
If QEMU is used as the hypervisor, download the loader binary from its releases page. Use virtiofsd to provide the target directory for Hermit-WASM.
virtiofsd --socket-path=./vhostqemu --shared-dir ./target/wasm32-wasip1/release --announce-submounts --sandbox none --seccomp none --inode-file-handles=never
Start Hermit-WASM within the hypervisor QEMU as follows:
qemu-system-aarch64 --enable-kvm -display none -serial stdio -kernel hermit-loader-x86_64 -initrd target/aarch64-unknown-hermit/release/hermit-wasm -append "-- /root/wasm-test.wasm" -cpu host -device isa-debug-exit,iobase=0xf4,iosize=0x04 -smp 1 -m 2G -global virtio-mmio.force-legacy=off -chardev socket,id=char0,path=./vhostqemu -device vhost-user-fs-pci,queue-size=1024,packed=on,chardev=char0,tag=root -object memory-backend-file,id=mem,size=1024M,mem-path=/dev/shm,share=on -numa node,memdev=mem
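An added example, not part of the Hermit-WASM project: the virtiofsd step above exports the whole release directory with `--sandbox none --seccomp none`; this script instead stages only a validated module in a fresh read-only directory and prints a virtiofsd command that leaves the daemon's default sandbox and seccomp filter in place. The function names and the staging location are assumptions, and whether the defaults work with Hermit on a given host is untested here.

```shell
#!/bin/sh
# Added example (not project code): export one validated module, nothing else.
set -eu

# Succeed only if the file starts with the WASM binary header:
# magic "\0asm" followed by version 1 (little endian).
is_wasm_module() {
    [ -f "$1" ] || return 1
    hdr=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "0061736d01000000" ]
}

# Copy the module into a fresh directory that holds nothing else, drop all
# write permission, and print the directory name (hypothetical helper).
stage_module() {
    src=$1
    is_wasm_module "$src" || { echo "not a WASM module: $src" >&2; return 1; }
    dir=$(mktemp -d "${TMPDIR:-/tmp}/hermit-wasm-share.XXXXXX")
    name=$(basename "$src")
    cp "$src" "$dir/$name"
    chmod 0444 "$dir/$name"
    chmod 0555 "$dir"
    echo "$dir"
}

# Print the virtiofsd command for a staged directory. It reuses the flags
# from the page but omits "--sandbox none --seccomp none", so virtiofsd
# falls back to its defaults (assumption: they work on your host).
virtiofsd_cmd() {
    echo "virtiofsd --socket-path=./vhostqemu --shared-dir $1" \
         "--announce-submounts --inode-file-handles=never"
}

# When called with a module path, stage it and show the command to run.
if [ "$#" -ge 1 ]; then
    share=$(stage_module "$1")
    virtiofsd_cmd "$share"
fi
```

Run it as `sh stage.sh target/wasm32-wasip1/release/wasm-test.wasm`; the module keeps its file name, so the guest path `/root/wasm-test.wasm` from the QEMU command still resolves.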
As an alternative, uhyve can be used. It is a minimal hypervisor for Hermit and offers direct access to a local directory, so it doesn't depend on virtiofsd. In the following example, a local file is mounted to /root/wasm-test.wasm.
uhyve -c 1 -m 1GiB --file-isolation none --file-mapping target/wasm32-wasip1/release/wasm-test.wasm:/root/wasm-test.wasm target/aarch64-unknown-hermit/release/hermit-wasm -- -- /root/wasm-test.wasm
Credits
A similar project in this area is Hyperlight-Wasm. As far as is known, Hyperlight-Wasm supports only x86 systems, while Hermit-WASM also runs on aarch64 and RISC-V processors.
Licensing
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Contribution
Hermit-WASM is being developed on GitHub. Create your own fork, send us a pull request, and chat with us on Zulip.