It looks like firecracker already supports ACPI vmgenid, which will trigger Linux random to reseed? https://github.com/firecracker-microvm/firecracker/blob/main...

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

So that just (!) leaves userspace PRNGs.