Description
The current man page for getentropy(2) says:
> However, it should be noted that getentropy() is primarily intended for use in the construction and
> seeding of userspace PRNGs like arc4random(3) or CC_crypto(3). Clients who simply require random data
> should use arc4random(3), CCRandomGenerateBytes() from CC_crypto(3), or SecRandomCopyBytes() from the
> Security framework instead of getentropy() or random(4)
It seems like we're going against Apple's advice. In theory I guess it could be the case that getentropy(2) might in some cases return non-uniform or otherwise "raw" results instead of the output of a CSPRNG, or at least Apple reserves the right to do so in the future, regardless of what the current implementation does.
This makes me think that we shouldn't use it in getrandom.
I also wonder about the same issue on the other targets for which we use getentropy. OpenBSD's man page says basically the same thing as Apple's, but with fewer words. IDK about emscripten or vita.