On Fri, Jun 07, 2019 at 02:31:54PM -0400, Viktor Dukhovni wrote:
>
> That's a different issue. What I was suggesting was a service that
> waits for seeding to be ready. So that other services can depend
> on that service, with that service using various sources to adequately
> seed the kernel RNG, with configurable additional sources beyond the
> save file, possibly with a non-zero entropy estimate. Thus, for example,
> a virtual machine or container might make use of an interface to get a
> trusted seed from the host hypervisor/OS. Or a physical host might
> trust its TPM, ...
>
> This is not the sort of thing to bolt into the kernel, but is not
> unreasonable for systemd and the like.
The kernel actually already does this in recent versions, if configured to do it.

Kurt
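The "service that waits for seeding to be ready" described in the quoted message needs one primitive: a way to ask the kernel whether its CRNG is initialised yet. The following C program is an added example written for this page, not code from either poster or from systemd. It assumes Linux's getrandom(2) semantics: with GRND_NONBLOCK the call fails with EAGAIN until the pool is initialised, and without that flag it blocks until then. The function names (crng_is_seeded, wait_for_crng, fill_seeded_random) are my own.

```c
/* Added example (not from the thread): probe and wait for the Linux kernel
 * CRNG to become initialised, the building block a "wait for seeding"
 * service would use before letting dependent services start. Linux-only.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <sys/random.h>

/* Returns 1 if the kernel CRNG is initialised, 0 if not yet, -1 on error
 * (for example ENOSYS on a kernel without getrandom(2)). */
int crng_is_seeded(void)
{
    unsigned char byte;
    ssize_t n = getrandom(&byte, sizeof byte, GRND_NONBLOCK);
    if (n == 1)
        return 1;                      /* pool is initialised */
    if (n < 0 && errno == EAGAIN)
        return 0;                      /* not seeded yet */
    return -1;
}

/* Polls crng_is_seeded() every 100 ms. Returns 1 once seeded, 0 on
 * timeout, -1 if the probe itself fails. A readiness service would exit
 * successfully only on 1, so its dependents stay blocked otherwise. */
int wait_for_crng(double timeout_s)
{
    struct timespec start, now;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int state = crng_is_seeded();
        if (state != 0)
            return state;
        clock_gettime(CLOCK_MONOTONIC, &now);
        double elapsed = (double)(now.tv_sec - start.tv_sec)
                       + (double)(now.tv_nsec - start.tv_nsec) / 1e9;
        if (elapsed >= timeout_s)
            return 0;
        struct timespec nap = { 0, 100000000L };  /* 100 ms */
        nanosleep(&nap, NULL);
    }
}

/* Fills buf with len bytes from the seeded CRNG, retrying on short reads
 * and EINTR. Returns 0 on success, -1 on failure. Without GRND_NONBLOCK
 * this blocks rather than returning weak output before initialisation. */
int fill_seeded_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

int main(void)
{
    int state = wait_for_crng(30.0);
    if (state != 1) {
        fprintf(stderr, "kernel CRNG not ready (state %d)\n", state);
        return 1;
    }
    unsigned char key[16];
    if (fill_seeded_random(key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("CRNG seeded; first byte of fresh output: 0x%02x\n", key[0]);
    return 0;
}
```

Run as a oneshot unit that other services order themselves after: a non-zero exit from wait_for_crng keeps the dependents from starting with an unseeded pool, which is the ordering guarantee the quoted proposal is after. Extra seeding sources (a hypervisor-provided seed, a TPM) would be fed to the kernel separately before this probe is expected to succeed.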