The paper referred is regarding Linux, however, its conclusion at the start of the paper states “As a summary, the major finding of this study is that all assessed VMs depending on their configuration, allow Linux to obtain sufficient entropy.”.
Regardless of whether SPP is running as a VM or hardware, the password generation logic within SPP is exactly the same. We use all FIPS 140-2 certified modules from the underlying operating system. That is, we do not attempt to write our own algorithms to generate a password. We use the operating system cryptography to generate cryptographically strong random data, and then take the bytes of that data to create a password.