On Fri, 23 Jun 2023 at 06:55, Ard Biesheuvel ardb@kernel.org wrote:
Setting the variable from user space is ultimately a better choice, I think.
Doing it from the kernel might still be an option, but I think it was a huge mistake to do it *early*.
Early boot is fragile to begin with when not everything is set up, and *much* harder to debug.
So not only are problems more likely to happen in the first place, when they do happen they are a lot harder to figure out.
Maybe it would make more sense to write a new seed at kernel shutdown. Not only do y ou presumably have a ton more entropy at that point, but if things go sideways it's also less of a problem to have dead machine.
Of course, shutdown is another really hard to debug situation, so not optimal either.
Linus