From a46f678c7f8715fd1cedd1102f9815b9d845ccb3 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 5 Nov 2025 00:05:17 +0000
Subject: [PATCH] Update docs on latent entropy

---
 README.md | 3 +++
 .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index dc9649d..35005e7 100644
--- a/README.md
+++ b/README.md
@@ -261,6 +261,9 @@ Entropy:
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being
   initialized.
 
+- Obtain more entropy at boot from RAM as the runtime memory allocator is being
+  initialized to maximize the absolute quantity of entropy in the combined pool.
+
 Networking:
 
 - Optional - Disable the entire IPv6 stack to reduce attack surface.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 2b7d217..db65fea 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -324,8 +324,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
 
 ## Obtain more entropy during boot as the runtime memory allocator is being initialized.
-## Entropy will be extracted from up to the first 4GB of RAM.
+## Entropy will be extracted from up to the first 4GB of RAM as another source.
 ## Note that entropy extracted this way is not cryptographically secure and so is not credited.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
 ## This will increase boot time due to interrupting the boot process.
 ## Requires the linux-hardened kernel patch.
 ##
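Review bot: The added comment `## Maximizing the entropy pool at boot is desirable for all cryptographic operations.` contradicts the line directly above it, which says this input is not cryptographically secure and is not credited; uncredited input is mixed into the pool but does not raise the kernel's entropy estimate, so it cannot "maximize the entropy pool" in the sense a reader will take from that sentence. I would reword it to state the actual benefit, e.g. `## Although uncredited, this input is still mixed into the pool as an additional source, which is useful as defense in depth for cryptographic operations.`. The README hunk has a related problem: it adds a second bullet that repeats the existing "Obtain more entropy at boot from RAM ..." bullet almost verbatim instead of amending it, so the rendered list will show two near-identical entries; the old bullet should be replaced rather than duplicated. The GRUB_CMDLINE_LINUX line that actually enables this option lies outside the hunk, so I cannot confirm the comment block sits next to it.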