
Is this a complete step-up from unikernel-based OSs such as MirageOS or could it also use unikernels for improved security?



Unikernels and MirageOS are a step up (or in the same direction) from this work, actually. ;) Unikernels are similar to the L4 community's device-driver reuse but often have a larger TCB from my reading. (Not an expert on unikernels, to be clear!) MirageOS combines virtualization-based security with language-based protections and good build tools to aim at more secure, special-purpose deployments. The two are similar. The Nizza Security Architecture and Genode Architecture have each been able to do this with more efficiency and a smaller TCB (attack surface). MirageOS's use of language security is a differentiator that's orthogonal to other aspects. I've encouraged such things in Genode, etc., albeit with safer, low-level languages and static/dynamic analysis.

EDIT to add: Just remembered that MILS separation kernel vendors (e.g. INTEGRITY-178B) have been doing this for over a decade with combinations such as a sep kernel, an Ada runtime for critical stuff, and user-mode VMs for legacy stuff. Long proven approach that mainstream is just catching up to.


I suspect you'd run unikernels under Genode. Instead of targeting Xen resources and Xen event/message channels and Xen security modules/FLASK, MirageOS would target Genode instead but perhaps have slightly higher-level resources and better-featured interfaces to lean on.

But I haven't quite had time to figure it out myself yet; I've been interested in exploring Genode for a while.


Exactly. The question is how mature they are and what your implementation language would be. The MILS security people have been doing this for over a decade with the effective approach of combining separation kernels, user-mode OSes for GUI/legacy, and critical stuff running right on the kernel. Relative to MirageOS, several vendors developed special runtimes for Ada and Java to leverage their safety properties without the complexity of a standard runtime.

So, it's a proven approach that could be implemented in GenodeOS, and probably more easily given that the others were bare-bones.


Running unikernels on top of a microkernel OS makes a lot of sense.


You could also interconnect multiple unikernels via nanokernels running off a picokernel cloud.


You mean MirageOS-based unikernel instances running on an L4 nanokernel running as a Single-System Image on a Distributed Shared Memory machine made up of interconnected motes running the Contiki pico-OS? Sounds tricky to integrate and extend despite most of that being built already. Might be better to avoid the pico stuff given all the overheads and lack of cache.


It's been proven in practice for reliability and security in embedded space. They just called them Ada/Java "runtimes in dedicated partitions on microkernels." :) I always say that when mainstream starts to converge on what top engineers have been doing, then it's a good bandwagon to jump on. ;)



