random-util: optionally enable blocking getrandom() behaviour

When generating the salt for the firstboot password logic, let's use
getrandom() blocking mode, and insist in the very best entropy.

1 files changed, 2 insertions, 1 deletions

diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index ee267dcd7f..d8b5893f76 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -647,7 +647,8 @@ static int process_root_password(void) {
         if (!arg_root_password)
                 return 0;
 
-        r = genuine_random_bytes(raw, 16, 0);
+        /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */
+        r = genuine_random_bytes(raw, 16, RANDOM_BLOCK);
         if (r < 0)
                 return log_error_errno(r, "Failed to get salt: %m");