Snapshot restore reuses the stored vsock session secret (contradicts documented "unique secret per restore") #95

Description

@cspinetta

What: MicroVm::from_snapshot re-creates the VsockDevice with the secret stored in the snapshot (src/vmm/mod.rs:646-665), re-randomizing only the socket-path runtime ID. The vsock session secret is therefore reused across restores.

Why it happens: Resume-from-memory restores the guest's RAM, so the guest-agent still holds the original secret in-memory and never re-reads /proc/cmdline; the host must reuse the stored secret for the restored guest to authenticate. So this isn't a trivial fix — it needs either a guest-side re-key over the control channel, or a docs correction.

Security implication: the snapshot file contains the session secret (in state.bin and in the RAM dump); anyone who can read a snapshot can authenticate to a restored instance's vsock socket, and all restores from one snapshot share the secret. Mitigated only by treating snapshots as confidential.

Options:

  • (a) implement a per-restore guest-side re-key over the control channel; or
  • (b) correct the docs to reflect the inherent reuse and document that snapshots are confidential (they contain the session secret).

Surfaced during the credential-broker design's threat-model review; may overlap the existing snapshot trust-model work.
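The following is an added illustration, not code from this issue or from the project, of the trust change that option (a) would bring: after a restore the host reuses the stored secret (as the issue describes), then immediately rotates it over the control channel, so the secret sitting in the snapshot no longer authenticates while the restored guest still does. The types (`Snapshot`, `GuestAgent`, `HostVsock`, `ControlMsg`), the proof-of-possession rekey message, the constant-time comparison, and the use of `/dev/urandom` as the fresh-secret source are all assumptions made for this example.

```rust
// Added illustration (not the project's code) of a per-restore re-key over
// the control channel. All names here are hypothetical.

use std::fs::File;
use std::io::Read;

type Secret = [u8; 32];

/// Constant-time comparison so authentication does not leak secret bytes via timing.
fn ct_eq(a: &Secret, b: &Secret) -> bool {
    a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The guest-agent's in-memory state; restored verbatim from the RAM dump,
/// so it still holds whatever secret it read at first boot.
#[derive(Clone)]
struct GuestAgent {
    secret: Secret,
}

/// A snapshot as the issue describes it: the stored vsock secret (state.bin)
/// plus the guest memory, which also contains the agent's copy of that secret.
#[derive(Clone)]
struct Snapshot {
    state_secret: Secret,
    guest_memory: GuestAgent,
}

/// Host-side vsock listener for one restored microVM.
struct HostVsock {
    secret: Secret,
}

/// Control-channel message from host to guest.
enum ControlMsg {
    /// Rekey request: carries the current secret as proof of possession and the replacement.
    Rekey { current: Secret, next: Secret },
}

impl GuestAgent {
    /// Accept a rekey only from a peer that proves knowledge of the current secret.
    fn handle(&mut self, msg: ControlMsg) -> bool {
        match msg {
            ControlMsg::Rekey { current, next } => {
                if !ct_eq(&current, &self.secret) {
                    return false;
                }
                self.secret = next;
                true
            }
        }
    }

    /// What the agent presents when authenticating to the host's vsock socket.
    fn token(&self) -> Secret {
        self.secret
    }
}

impl HostVsock {
    fn authenticate(&self, token: &Secret) -> bool {
        ct_eq(token, &self.secret)
    }
}

/// Restore as the issue describes it: the host reuses the stored secret so the
/// restored guest, whose memory still holds it, can authenticate.
fn restore(snap: &Snapshot) -> (HostVsock, GuestAgent) {
    (HostVsock { secret: snap.state_secret }, snap.guest_memory.clone())
}

/// Option (a): right after restore, rotate to a fresh secret over the control
/// channel. Both sides switch only if the guest accepted the request.
fn rekey_after_restore(host: &mut HostVsock, guest: &mut GuestAgent, fresh: Secret) -> bool {
    let accepted = guest.handle(ControlMsg::Rekey { current: host.secret, next: fresh });
    if accepted {
        host.secret = fresh;
    }
    accepted
}

/// Fresh secret from the OS CSPRNG (assumption: Linux /dev/urandom is available).
fn fresh_secret() -> std::io::Result<Secret> {
    let mut s = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut s)?;
    Ok(s)
}

fn main() -> std::io::Result<()> {
    // Constructed sample secret standing in for the one stored in a real snapshot.
    let stored = [0x11u8; 32];
    let snap = Snapshot { state_secret: stored, guest_memory: GuestAgent { secret: stored } };
    let (mut host, mut guest) = restore(&snap);
    println!("snapshot secret authenticates before rekey: {}", host.authenticate(&stored));
    rekey_after_restore(&mut host, &mut guest, fresh_secret()?);
    println!("snapshot secret authenticates after rekey:  {}", host.authenticate(&stored));
    println!("restored guest still authenticates:          {}", host.authenticate(&guest.token()));
    Ok(())
}
```

The rekey still depends on the stored secret for its first hop, so a reader of the snapshot who races the host to the control channel before the rotation completes is not excluded by this alone; the design only shrinks the window from "forever, across every restore" to "until the post-restore rekey lands", which is why option (b)'s confidentiality requirement on snapshot files applies either way.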
