Good callout. We seed entropy before snapshot to unblock getrandom(), but forks ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		adammiribyan 20 days ago \| parent \| context \| favorite \| on: Show HN: Sub-millisecond VM sandboxes using CoW me... Good callout. We seed entropy before snapshot to unblock getrandom(), but forks still share CSPRNG state. The proper fix per Firecracker’s docs is RNDADDENTROPY + RNDRESEEDCRNG after each fork, plus reseeding userspace PRNGs like numpy separately. On the roadmap. https://github.com/firecracker-microvm/firecracker/blob/main...

mkj 20 days ago [–]

It looks like firecracker already supports ACPI vmgenid, which will trigger Linux random to reseed? https://github.com/firecracker-microvm/firecracker/blob/main...

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

So that just (!) leaves userspace PRNGs.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact