adammiribyan 7 hours ago

Good callout. We seed entropy before snapshot to unblock getrandom(), but forks still share CSPRNG state. The proper fix per Firecracker’s docs is RNDADDENTROPY + RNDRESEEDCRNG after each fork, plus reseeding userspace PRNGs like numpy separately. On the roadmap. https://github.com/firecracker-microvm/firecracker/blob/main...

mkj 7 hours ago

It looks like Firecracker already supports ACPI vmgenid, which will trigger Linux random to reseed? https://github.com/firecracker-microvm/firecracker/blob/main... https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin... So that just (!) leaves userspace PRNGs.
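
The two reseed steps discussed in this thread, as an added example that is not from either commenter or from Firecracker: it shows that userspace PRNG state restored from one snapshot yields identical output in every clone until a post-restore hook reseeds it. Assumptions: Python's `random.Random` stands in for numpy, a pickle round-trip stands in for the VM snapshot/restore, and all function names are hypothetical.

```python
import os
import pickle
import random
import struct

# ioctl request numbers from <linux/random.h>
RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2])
RNDRESEEDCRNG = 0x5207      # _IO('R', 0x07)

def rand_pool_info(seed: bytes) -> bytes:
    """Pack struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[];}."""
    if len(seed) % 4:
        raise ValueError("seed length must be a multiple of 4 bytes")
    return struct.pack("ii", len(seed) * 8, len(seed)) + seed

def reseed_kernel(seed: bytes) -> None:
    """Kernel side (Linux, needs CAP_SYS_ADMIN): add entropy, then force a CRNG reseed.
    `seed` must be unique per clone, e.g. handed in by the host (assumption)."""
    import fcntl  # imported here so the module still loads on non-Linux hosts
    with open("/dev/urandom", "wb") as dev:
        fcntl.ioctl(dev, RNDADDENTROPY, rand_pool_info(seed))
        fcntl.ioctl(dev, RNDRESEEDCRNG)

def restore_clones(snapshot: bytes, count: int):
    """Constructed stand-in for restoring `count` VMs from one memory snapshot."""
    return [pickle.loads(snapshot) for _ in range(count)]

def draw(rngs):
    return [rng.getrandbits(128) for rng in rngs]

def reseed_userspace(rng: random.Random) -> None:
    """Userspace side: replace inherited state with fresh OS entropy.
    Only meaningful after the kernel CRNG itself was reseeded (vmgenid or
    reseed_kernel), otherwise os.urandom is just as cloned as the PRNG."""
    rng.seed(os.urandom(32))

def demo():
    parent = random.Random(os.urandom(32))  # seeded once, before the snapshot
    snapshot = pickle.dumps(parent)
    before = draw(restore_clones(snapshot, 3))  # clones used as restored
    clones = restore_clones(snapshot, 3)
    for rng in clones:
        reseed_userspace(rng)                   # post-restore hook
    return before, draw(clones)

if __name__ == "__main__":
    before, after = demo()
    print("distinct outputs without reseed:", len(set(before)))
    print("distinct outputs with reseed:   ", len(set(after)))
```

`reseed_kernel` is not called by `demo()` because it needs root on a Linux guest; the ordering it belongs in is kernel reseed first, userspace reseed second.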