From 6f63121a00dbf16a55668249b6f986b2db113226 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 25 Feb 2026 22:46:43 +0100
Subject: [PATCH] Change the default from /dev/urandom to /dev/random

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/dev-random.txt       | 7 +++++++
 include/mbedtls/mbedtls_config.h | 6 +++---
 include/mbedtls/platform.h       | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/ChangeLog.d/dev-random.txt b/ChangeLog.d/dev-random.txt
index b27e95e552..eff1352354 100644
--- a/ChangeLog.d/dev-random.txt
+++ b/ChangeLog.d/dev-random.txt
@@ -2,3 +2,10 @@ Features
    * The device for reading entropy on platforms without a dedicated system
      call can now be configured with MBEDTLS_PLATFORM_DEV_RANDOM or
      mbedtls_platform_dev_random.
+
+Security
+   * The default device for reading entropy on platforms without a dedicated
+     system call is now /dev/random instead of /dev/urandom. This is safer
+     on Linux in case the application runs early after the kernel boots,
+     but may block needlessly on Linux <= 5.6. Reported by supers1ngular
+     (BayLibre).
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 50b87351a3..9ebf376a96 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -4176,14 +4176,14 @@
  *   if it is used early after the kernel boots, especially on embedded
  *   devices without an interactive user.
  *
- * Thus you should change the value to `/dev/random` if your application
+ * Thus you should change the value to `/dev/urandom` if your application
  * may be used on a device running Linux without a dedicated hardware
- * entropy source early after boot.
+ * entropy source, and doesn't run early during or after boot.
  *
  * This is the default value of ::mbedtls_platform_dev_random, which
  * can be changed at run time.
  */
-//#define MBEDTLS_PLATFORM_DEV_RANDOM "/dev/urandom"
+//#define MBEDTLS_PLATFORM_DEV_RANDOM "/dev/random"
 
 /** \def MBEDTLS_CHECK_RETURN
  *
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index 3ef72074c4..82dd305e00 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -395,7 +395,7 @@ int mbedtls_platform_set_exit(void (*exit_func)(int status));
 #endif
 
 #if !defined(MBEDTLS_PLATFORM_DEV_RANDOM)
-#define MBEDTLS_PLATFORM_DEV_RANDOM "/dev/urandom"
+#define MBEDTLS_PLATFORM_DEV_RANDOM "/dev/random"
 #endif
 
 #if defined(MBEDTLS_PLATFORM_HAVE_DEV_RANDOM)