Firecracker runs a full Linux guest within KVM while TinyKVM runs just a single process within KVM and handles syscalls on the host by validating permissions then calling the host kernel syscall.

This minimises memory usage and lets us track file descriptors which lets us very quickly reset the guest process (under 100us for deno.)