On Thu, Oct 20, 2022 at 2:40 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> For maximum simplicity, just concatenate the existing seed with the one
> obtained from EFI_RNG_PROTOCOL if both are available, and leave it to
> the core kernel code to mix it in and credit it appropriately. This way,
> we have no need for copies of the Blake2s library in the EFI stub and in
> the zboot decompressor.

FTR, while I think this is okay for the final stage that the kernel's
EFI loader does, it's less good for earlier stages. So, for example,
systemd-boot should still use the hashing scheme we discussed.