##Sysctls and the blocking pool.
You can increase the value of the kernel.random.read_wakeup_threshold sysctl. This sysctl changes the behavior of the blocking pool, forcing users of the blocking pool to wait until the entropy estimate exceeds this value. From the manpage at random(4):
read_wakeup_threshold This file contains the number of bits of entropy required for waking up processes that sleep waiting for entropy from /dev/random. The default is 64. Note however that the blocking behavior you describe only applies to the system at very early boot. Once it has enough entropy, it will change to non-blocking behavior regardless of how low the current estimate gets. This is because you only need a certain number of bits of entropy once, and can create a virtually unlimited amount of cryptographically secure pseudorandom data once you have it. The entropy estimate going down does not change this fact.
##Answering your exact question
Now, is it possible to change this initial threshold for the non-blocking pool (if you don't want to learn all the nitty-gritty, skip to the end of this answer)? I suspected it was not, but I wasn't sure, so I went to consult to the most authoritative documentation available, the source. The getrandom() syscall is defined in the kernel randomness driver. Note that this is specific to Linux kernel 4.14 (major changes to the randomness driver were made in 4.8). Comments added by me for clarification.
getrandom()
SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int, flags) { int ret; // If the flags value is invalid, return an error. if (flags & ~(GRND_NONBLOCK|GRND_RANDOM)) return -EINVAL; // Cap the requested size at the maximum value. if (count > INT_MAX) count = INT_MAX; // If the blocking pool is selected, read from it and return. if (flags & GRND_RANDOM) return _random_read(flags & GRND_NONBLOCK, buf, count); // At this point, we know the non-blocking pool was selected. // Is the CRNG ready? if (!crng_ready()) { // If we don't want to block, return a "try later" error. if (flags & GRND_NONBLOCK) return -EAGAIN; // Otherwise, wait for random bytes to be available. ret = wait_for_random_bytes(); if (unlikely(ret)) return ret; } // Finally, read from the non-blocking pool and return. return urandom_read(NULL, buf, count, NULL); } OK, so most of this is pretty self-evident, but what are the functions crng_ready() and wait_for_random_bytes() for? The latter is defined in the same file.
wait_for_random_bytes()
int wait_for_random_bytes(void) { // If crng_ready() returns true (which is likely), return 0. if (likely(crng_ready())) return 0; // Otherwise, wait until it does return true before returning. return wait_event_interruptible(crng_init_wait, crng_ready()); } EXPORT_SYMBOL(wait_for_random_bytes); So now we know in the definition of getrandom() that, if the non-blocking pool is selected, it will check if crng_ready() returns true. If it does not return true, then we will wait, sleeping until it does. What does crng_ready() do? It turns out it's defined as a simple macro.
crng_ready()
// If the crng_init variable is > 0 (which is likely), evaluate true. #define crng_ready() (likely(crng_init > 0)) The variable starts out as zero, but what matters is where exactly it is set to 1. It turns out this is done in the crng_fast_load() function, defined here.
crng_fast_load()
static int crng_fast_load(const char *cp, size_t len) { unsigned long flags; char *p; // Enter the atomic section. if (!spin_trylock_irqsave(&primary_crng.lock, flags)) return 0; // If crng_ready() is already true, leave the atomic section and return. if (crng_ready()) { spin_unlock_irqrestore(&primary_crng.lock, flags); return 0; } // Mix in the value pointed to by cp with the CRNG state. p = (unsigned char *) &primary_crng.state[4]; while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) { p[crng_init_cnt % CHACHA20_KEY_SIZE] ^= *cp; // Increment a few integers, including crng_init_cnt. cp++; crng_init_cnt++; len--; } // Leave the atomic section. spin_unlock_irqrestore(&primary_crng.lock, flags); // If crng_init_cnt is >= CRNG_INIT_CNT_THRESH, set crng_init to 1. if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) { invalidate_batched_entropy(); crng_init = 1; wake_up_interruptible(&crng_init_wait); pr_notice("random: fast init done\n"); } return 1; } From this, we see that crng_init_cnt is incremented for each byte which crng_fast_load() takes in. The function is called early at boot in various entropy-gathering functions to add as much possible data to the pool early on. We're almost there! Last thing to do is fine out what the value of CRNG_INIT_CNT_THRESH, defined here.
CRNG_INIT_CNT_THRESH and CHACHA20_KEY_SIZE
#define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) So it's double CHACHA20_KEY_SIZE. This one is defined in a header file, crypto/chacha20.h.
#define CHACHA20_KEY_SIZE 32 So CRNG_INIT_CNT_THRESH is 64. And there's your answer!
##Recap
Let's see where this all leads to:
CHACHA20_KEY_SIZEis hardcoded at 32.CRNG_INIT_CNT_THRESHis doubleCHACHA20_KEY_SIZE, so it is 64.crng_init_cntis incremented for every byte of early randomness gathered.- When at least 64 bytes of randomness are gathered,
crng_initis set to 1. - When
crng_initis 1,crng_ready()evaluates true. - When
crng_ready()evaluates true,getrandom()resumes and returns.
The amount of early entropy required before getrandom() resumes and returns is not in fact 128 bits. It is already hardcoded at 64 bytes (256 bits), exactly the amount you wanted.