Thanks for taking a look, Xin!

In D20318#438316, @delphij wrote:

It do beg the question: why wasn't the bzero done in ra_event_processor instead? (i.e. an event should be considered as "consumed" upon return).

That might be reasonable. I put it here mostly because (1) it is generic to any event processor; i.e., I don't think it makes sense to duplicate in Fortuna, AlgorithmX, etc. This point is mostly hypothetical since we only support Fortuna, though. And (2), it can be done outside the CONFIG_S_LOCK for RANDOM_LOADABLE (which again is moot in the GENERIC kernel). I guess a weak (3) would be that randomdev_accumulate reuses the same event structure repeatedly and only needs to explicit_bzero it once; pushing it inside ra_event_processor duplicates work.

It would be totally acceptable to me to move it in ra_event_processor instead, if that is your preference.

One other minor thing I noticed is that our Fortuna pool accumulators (fsp_hash) do not actually use SHA_d-256(), i.e., SHA-256(SHA-256(0^512 || ·)), but instead SHA-256²(), i.e., SHA-256(SHA-256(·)). FS&K §9.5.5 RandomData() suggests accumulating pool entropy P_i with the SHA_d-256 construction. However, in this particular case, I don't think there is any security benefit to SHA-d-256 over SHA-256², nor SHA-256² over plain SHA-256 (I don't think length extension attacks are relevant to this use).