flaminHotSpeedo 4 days ago
Yeah, in some (rare) situations physical isolation is a more appropriate level of security. Or if you want to land somewhere in between, you can use VMs with single-tenant NUMA nodes. But for a typical case, VMs are the bare minimum to say you have a _secure_ isolation boundary, because the attack surface is way smaller.
vel0city 4 days ago | parent
Yeah, so secure.

https://support.broadcom.com/web/ecx/support-content-notific...
https://nvd.nist.gov/vuln/detail/CVE-2019-5183
https://nvd.nist.gov/vuln/detail/CVE-2018-12130
https://nvd.nist.gov/vuln/detail/CVE-2018-2698
https://nvd.nist.gov/vuln/detail/CVE-2017-4936

In the end you need to configure it properly and pray there are no escape vulnerabilities. That's the same standard you applied to containers to say they're definitely never a security boundary. Seems like you're drawing some pretty arbitrary lines here.