I created a basic kernel patch to test this. It only enables those ioctls when CONFIG_RANDOM_UNSAFE_IOCTL is enabled. To disable them, compile your kernel with CONFIG_RANDOM_UNSAFE_IOCTL disabled.
https://paste.debian.net/hidden/2ffaebb6/
I did some testing to see if the entropy decreased by a considerable amount.
“entropy” here being measured via the contents of /proc/sys/kernel/random/entropy_avail.
With the ioctls enabled, entropy stays around 1180 - 1250.
With the ioctls disabled, entropy stays around 1220 - 1280.
Weirdly, the entropy seemed to increase with the ioctls disabled, but it’s highly likely that’s just a coincidence as the contents of /proc/sys/kernel/random/entropy_avail can fluctuate quite a bit.
The haveged systemd service failed with the message: haveged: RNDADDENTROPY failed!
The jitterentropy systemd service worked fine.
The virtio-rng module seemed to work fine.
There was no noticeable slowdown of boot and nothing else seemed to break.
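
An added example, not part of the original post or the patch: one way to make the comparison above repeatable is to sample /proc/sys/kernel/random/entropy_avail at fixed intervals on each kernel and check whether the two observed ranges overlap. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers for comparing entropy_avail readings between two kernels.

# sample_entropy COUNT INTERVAL [SOURCE]: print COUNT readings, one per line.
sample_entropy() {
    count=$1; interval=$2
    src=${3:-/proc/sys/kernel/random/entropy_avail}
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$src" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# summarize_entropy FILE: print "min max mean" for one reading per line.
summarize_entropy() {
    awk 'NF { v = $1 + 0
              if (n == 0 || v < min) min = v
              if (n == 0 || v > max) max = v
              sum += v; n++ }
         END { if (n == 0) exit 1
               printf "%d %d %d\n", min, max, sum / n }' "$1"
}

# ranges_overlap "min max mean" "min max mean": succeed if the ranges overlap,
# i.e. the difference between the runs is within the observed fluctuation.
ranges_overlap() {
    set -- $1 $2
    [ "$1" -le "$5" ] && [ "$4" -le "$2" ]
}

# Constructed sample readings (not the measurements from the post).
demo_dir=$(mktemp -d)
printf '%s\n' 1180 1210 1250 1200 > "$demo_dir/enabled"
printf '%s\n' 1220 1280 1250 1250 > "$demo_dir/disabled"
on=$(summarize_entropy "$demo_dir/enabled")
off=$(summarize_entropy "$demo_dir/disabled")
echo "ioctls enabled  (min max mean): $on"
echo "ioctls disabled (min max mean): $off"
if ranges_overlap "$on" "$off"; then
    echo "ranges overlap: difference is within normal fluctuation"
else
    echo "ranges do not overlap: difference may be real"
fi
rm -rf "$demo_dir"
```

On a live system, `sample_entropy 60 1 > enabled.txt` records one reading per second for a minute; repeat on the other kernel and pass both files to `summarize_entropy`.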