
lack of boot-time entropy on arm64 ec2 instances



The buster arm64 images on Amazon EC2 appear to have insufficient
entropy at boot, and thus take several minutes to complete the boot
process.

There are a couple of potential fixes (or at least workarounds) for this
problem, but none is entirely perfect.

Option 1:

We add haveged to the arm64 EC2 AMI.  This appears to work, and is
something we can do today.  The debian-installer has previously used
haveged to ensure reasonable entropy during installation, so there is
some precedent for this.

Option 2:

There is a mechanism by which the VM host can pass entropy to the guest
at boot time using the EFI_RNG protocol.  This won't require any
additional software in our images, but it has a couple of other notable
drawbacks:

  a. It depends on kernel functionality from Linux 5.4.  This could
     probably be backported to 4.19, but it would take work.
  b. It isn't clear that we want this functionality enabled globally. It
     is not currently enabled in our generic 5.4 kernel configs for
     arm64.  If it's not desirable on the generic kernel, we could
     enable it only on the cloud flavour, but we don't currently have a
     cloud flavour for 4.19.
  c. It requires EFI_RNG support from EC2, which is not currently
     available.  We can request this, but I don't know when/if they
     would provide it.

I'm not aware of any other options.  Given the above, it seems that
haveged is the only really feasible choice right now.  Does anyone
disagree with that assessment?  Are there options I've missed?
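A diagnostic for the condition described above, added here as example code (it is not from this message, the Debian cloud images or haveged): it checks whether getrandom() would block, which is what actually stalls services at boot, reads entropy_avail, and looks for a userspace entropy daemon. The daemon names checked and the 256-bit "starved" threshold are assumptions.

```python
import errno
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"

def crng_initialized():
    """True if the kernel CRNG is seeded, False if a blocking getrandom()
    call would stall (the boot-time symptom), None where getrandom() is
    unavailable (non-Linux Python builds)."""
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except OSError as e:
        return False if e.errno == errno.EAGAIN else None
    except AttributeError:
        return None

def parse_entropy_avail(text):
    """Parse the contents of entropy_avail; None if unparseable."""
    try:
        return int(text.strip())
    except ValueError:
        return None

def entropy_available(path=ENTROPY_AVAIL):
    """Bits of entropy the kernel currently credits; None if unreadable."""
    try:
        with open(path) as f:
            return parse_entropy_avail(f.read())
    except OSError:
        return None

def entropy_daemon_running(names=("haveged", "rngd"), proc="/proc"):
    """Scan /proc/*/comm for a userspace entropy daemon (names assumed)."""
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return False
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/comm") as f:
                if f.read().strip() in names:
                    return True
        except OSError:
            continue  # process exited or is not readable; keep scanning
    return False

def assess(crng_ok, avail, daemon):
    """Pure decision logic, kept free of /proc access so it is testable."""
    if crng_ok:
        return "ok"
    if daemon:
        return "seeding"   # daemon present: CRNG should initialise shortly
    if avail is not None and avail < 256:   # threshold is an assumption
        return "starved"   # the symptom seen on the arm64 EC2 images
    return "unknown"

if __name__ == "__main__":
    print(assess(crng_initialized(), entropy_available(), entropy_daemon_running()))
```

Run it early in boot (for example from a oneshot unit) before and after adding haveged to compare the verdicts.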
