GETRANDOM(2) System Calls Manual GETRANDOM(2)

getrandom
random number generation from system entropy

Standard C Library (libc, -lc)

#include <sys/random.h>

ssize_t
getrandom(void *buf, size_t buflen, unsigned int flags);

The getrandom function fills buf with up to buflen independent uniform random bytes derived from the system's entropy pool.

The function may block until the system has full entropy, meaning that the system has observed enough noise from physical processes that an adversary cannot predict what state it is in:

The flags argument may be:

Block until the system entropy pool has full entropy; then generate arbitrarily much data. Recommended.

If interrupted by a signal, may fail with EINTR or return a short read. If successful, guaranteed to return at least 256 bytes even if interrupted.

Do not block; instead fill buf with output derived from whatever is in the system entropy pool so far. Equivalent to reading from /dev/urandom; see rnd(4).

If interrupted by a signal, may fail with EINTR or return a short read. If successful, guaranteed to return at least 256 bytes even if interrupted.

Despite the name, this is secure as long as you only do it after at least one successful call without GRND_INSECURE, such as getrandom(..., 0) or getrandom(..., GRND_RANDOM), or after reading at least one byte from /dev/random.

WARNING: If you use GRND_INSECURE before the system has full entropy. the output may enable an adversary to search the possible states of the entropy pool by brute force, and thereby reduce its entropy to zero. Thus, incautious use of GRND_INSECURE can ruin the security of the whole system.

Block until the system entropy pool has full entropy; then generate a small amount of data. Equivalent to reading from /dev/random; see rnd(4). This is provided mainly for source compatibility with Linux; there is essentially no reason to ever use it.

The flag GNRD_NONBLOCK may also be included with bitwise-OR, in which case if getrandom() would have blocked without GRND_NONBLOCK, it returns EAGAIN instead.

Adding GRND_NONBLOCK to GRND_INSECURE has no effect; the combination GRND_INSECURE|GRND_NONBLOCK is equivalent to GRND_INSECURE, since GRND_INSECURE never blocks. The combination GRND_INSECURE|GRND_RANDOM is nonsensical and fails with EINVAL.

If successful, getrandom() returns the number of bytes stored in buf. Otherwise, getrandom() returns -1 and sets errno.

Recommended usage. Generate a key for cryptography: 
	uint8_t secretkey[32];

	if (getrandom(secretkey, sizeof secretkey, 0) == -1)
		err(EXIT_FAILURE, "getrandom");
	crypto_secretbox_xsalsa20poly1305(..., secretkey);

Other idioms for illustration:

(No examples of GRND_RANDOM because it is not useful.)

[]
The GRND_NONBLOCK flag was specified, and the system entropy pool does not have full entropy.
[]
The GRND_NONBLOCK flag was not specified, the system entropy pool does not have full entropy, and the process was interrupted by a signal while waiting.
[]
flags contains an unrecognized flag or a nonsensical combination of flags.
[]
buf points outside the allocated address space.

rnd(4)

The getrandom system call first appeared in Linux 3.17, and was added to NetBSD 10.0.

The NetBSD implementation of getrandom and this man page were written by Taylor R Campbell <riastradh@NetBSD.org>.

There is no way to multiplex waiting for getrandom() with other I/O in select(2), poll(2), or kqueue(2). Instead, you can wait for a read from /dev/random; see rnd(4).

GRND_RANDOM is a little silly.

January 13, 2020 NetBSD 9.0_STABLE