> On the better bootloaders, an initramfs segment can be loaded > independently (and you can have as many as required), which makes an > early_initramfs a more palatable vector to inject large amounts of > entropy into the next boot than, say, modifying the kernel image > directly at every boot/shutdown to stash entropy in there somewhere. Modifying the kernel image on storage isn't compatible with verified boot so it's not really a solution. The kernel, initrd and rest of the OS are signed and verified on operating systems like Android, Android Things, ChromeOS and many embedded devices, etc. putting some basic effort into security. I didn't really understand the device tree approach and mentioned a few times before. Passing via the kernel cmdline is a lot simpler than modifying the device tree in-memory and persistent modification isn't an option unless verified boot is missing anyway.