From 5da2a27bf064d6efefd0d0ba8041e85c4941d3a2 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 2 Dec 2019 16:43:00 +0000 Subject: [PATCH 1/2] Distrust the CPU for initial entropy --- etc/default/grub.d/40_distrust_cpu.cfg | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/default/grub.d/40_distrust_cpu.cfg diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg new file mode 100644 index 0000000..4d001c2 --- /dev/null +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -0,0 +1,9 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Distrust the CPU for initial entropy as it is not possible to audit +## and may have unknown backdoors. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566/ +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" From 8d63da3cef6e114deaa6943ea9a633d6620a974b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Mon, 2 Dec 2019 16:46:12 +0000 Subject: [PATCH 2/2] Update control --- debian/control | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/control b/debian/control index c19f08a..ccdc21c 100644 --- a/debian/control +++ b/debian/control @@ -102,6 +102,9 @@ Description: enhances misc security settings . * Load jitterentropy_rng kernel module. /usr/lib/modules-load.d/30_security-misc.conf + . + * Distrusts the CPU for initial entropy at boot as it is + not possible to audit and may be backdoored. /etc/default/grub.d/40_distrust_cpu.cfg . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities.
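Review bot: The header comment in 40_distrust_cpu.cfg states the motivation but not the operational consequence, and it should. With `random.trust_cpu=off` the kernel still mixes RDRAND/RDSEED output into the input pool but no longer credits it as entropy, so the CRNG is not marked initialized by the CPU alone and early consumers of getrandom() wait for other sources; on virtual machines or headless systems with few interrupt sources this can noticeably delay boot. Suggest adding a line such as `## Boot may block until enough entropy is gathered from other sources; jitterentropy_rng (loaded by this package) helps here.` so users understand the trade-off. Minor: `## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP` is a one-year range and should just read `2019`. The value `off` itself is fine; the parameter is parsed with the kernel's boolean parser, which accepts it.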
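Review bot: The new bullet in debian/control is inconsistent in mood with the one just above it: the existing entry reads `* Load jitterentropy_rng kernel module.` while the new one reads `* Distrusts the CPU for initial entropy at boot ...`. Use the same imperative form (`* Distrust the CPU for initial entropy at boot ...`) so the list reads uniformly. It would also help to note in the description that the setting is a GRUB kernel-command-line addition and therefore only takes effect after the bootloader configuration is regenerated and the system is rebooted, since the other entries in this list (module loading, protocol blacklisting) do not share that requirement.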