Firecracker Entropy for VM Clones
a year ago
- #Linux RNG
- #Security
- #VM Cloning
- The Linux kernel provides three main RNG interfaces: /dev/random, /dev/urandom, and the getrandom syscall.
- VM clones restored from a single snapshot may resume with stale RNG state, which requires reinitialization.
- CPU HWRNG output is mixed into the entropy pool when present, enhancing randomness.
- VMGenID is used to notify guests of time shift events, ensuring distinct RNG states post-restore.
- Firecracker supports VMGenID, but ARM systems require backported kernel changes for full functionality.
- Recommendations include deleting random-seed files, using virtio-rng, and issuing specific ioctl calls for reseeding.
- A C program is provided to handle RNG reinitialization steps in guest kernels.
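
The reseeding step from the last two items, sketched as an added example (this is not the C program the summary refers to, and not Firecracker project code). Assumptions: the ioctls used are RNDCLEARPOOL, RNDADDENTROPY and RNDRESEEDCRNG from linux/random.h, which the summary does not name; the host pipes fresh per-clone seed bytes to stdin; the process holds CAP_SYS_ADMIN in the guest. The helper names pack_seed and reseed_guest_rng are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>
#ifndef RNDRESEEDCRNG                 /* missing from older uapi headers */
#define RNDRESEEDCRNG _IO('R', 0x07)
#endif

/* Pack seed bytes into the variable-length struct RNDADDENTROPY expects.
 * entropy_count is in bits, buf_size in bytes. Caller frees the result. */
struct rand_pool_info *pack_seed(const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info = calloc(1, sizeof(*info) + len);
    if (!info) return NULL;
    info->entropy_count = (int)(len * 8); /* full credit: seed must be truly random */
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info;
}

/* Returns 0 on success, -1 on allocation failure, or the 1-based number
 * of the ioctl step that failed (1 clear, 2 add entropy, 3 reseed CRNG). */
int reseed_guest_rng(int fd, const unsigned char *seed, size_t len)
{
    struct rand_pool_info *info = pack_seed(seed, len);
    int step = 0;
    if (!info) return -1;
    if (ioctl(fd, RNDCLEARPOOL) < 0) step = 1;            /* drop inherited state */
    else if (ioctl(fd, RNDADDENTROPY, info) < 0) step = 2; /* mix in per-clone seed */
    else if (ioctl(fd, RNDRESEEDCRNG) < 0) step = 3;       /* rekey the output CRNG */
    free(info);
    return step;
}

int main(void)
{
    unsigned char seed[64];
    size_t n = fread(seed, 1, sizeof(seed), stdin); /* assumed host-provided seed */
    int fd = open("/dev/urandom", O_RDONLY);
    if (n == 0 || fd < 0) { fprintf(stderr, "no seed or no /dev/urandom\n"); return 1; }
    int step = reseed_guest_rng(fd, seed, n);
    close(fd);
    if (step) fprintf(stderr, "reseed failed at step %d\n", step);
    return step ? 1 : 0;
}
```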