On Wed, Oct 31, 2018 at 11:21:59AM +0000, Sebastian Andrzej Siewior wrote:
> On October 30, 2018 8:51:36 PM UTC, "Theodore Y. Ts'o" <ty...@mit.edu> wrote:
> >
> >So it's complicated. It's not a binary trusted/untrusted sort of
> >thing.
>
> What about RNDRESEEDCRNG? Would it be reasonable to issue it after writing
> the seed as part of the boot process?

No, that's for debugging purposes only. When there is sufficient
entropy added (either through a hw_random subsystem, or because RDRAND
is trusted, or the RNDADDENTROPY ioctl), the crng is automatically
reseeded by credit_entropy_bits(). So it's not needed to use
RNDRESEEDCRNG.

- Ted
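
The path the reply points to, as an added example that is not part of the thread or the kernel tree: a boot-time loader mixes a saved seed in with the RNDADDENTROPY ioctl and credits it, leaving any crng reseed to the kernel instead of issuing RNDRESEEDCRNG. The helper names `build_pool_info` and `credit_seed`, the 4096-byte limit, and the command-line arguments (seed file path, bits to credit) are assumptions.

```c
#include <fcntl.h>
#include <linux/random.h>   /* struct rand_pool_info, RNDADDENTROPY */
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Build the RNDADDENTROPY argument. The credit is clamped to [0, 8 * len] bits;
 * how much a stored seed deserves is policy, left to the caller (assumption). */
struct rand_pool_info *build_pool_info(const unsigned char *seed, size_t len, int bits)
{
    if (seed == NULL || len == 0 || len > 4096)
        return NULL;
    struct rand_pool_info *info = calloc(1, sizeof(*info) + len);
    if (info == NULL)
        return NULL;
    if (bits < 0)
        bits = 0;
    info->entropy_count = (size_t)bits > len * 8 ? (int)(len * 8) : bits;
    info->buf_size = (int)len;          /* bytes in buf[] */
    memcpy(info->buf, seed, len);
    return info;
}

/* Mix in and credit the seed (needs CAP_SYS_ADMIN); no RNDRESEEDCRNG afterwards. */
int credit_seed(const char *dev, const unsigned char *seed, size_t len, int bits)
{
    struct rand_pool_info *info = build_pool_info(seed, len, bits);
    int fd = info ? open(dev, O_WRONLY) : -1;
    int rc = fd < 0 ? -1 : ioctl(fd, RNDADDENTROPY, info);
    if (fd >= 0)
        close(fd);
    free(info);
    return rc;
}

/* Hypothetical usage: prog SEED_FILE CREDIT_BITS */
int main(int argc, char **argv)
{
    unsigned char seed[512];
    if (argc != 3)
        return 2;
    int fd = open(argv[1], O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, seed, sizeof(seed));
    if (fd >= 0)
        close(fd);
    if (n <= 0 || credit_seed("/dev/random", seed, (size_t)n, atoi(argv[2])) != 0)
        return 1;
    return 0;
}
```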