There are two ways to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option CONFIG_RANDOM_TRUST_CPU is set to Y, make sure that it is not overridden by a boot parameter: the boot parameter random.trust_cpu=off must not be present. If the option is not compiled in, make sure that random.trust_cpu=on is configured as a boot parameter.
To ensure that random.trust_cpu=on is added as a kernel command line argument to newly installed kernels, add random.trust_cpu=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... random.trust_cpu=on ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="random.trust_cpu=on"
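
The rule above can be checked mechanically. The following script is an added example, not part of the original guidance: the function names are hypothetical, and the live-system paths in the closing comment (/boot/config-$(uname -r), /proc/cmdline) are assumptions about where the kernel configuration and boot command line are found.

```sh
#!/bin/sh
# Added example: evaluates the rule described above against supplied inputs.

# has_arg ARG CMDLINE -> returns 0 if ARG appears as a whole word in CMDLINE
has_arg() {
    for word in $2; do
        if [ "$word" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# trust_cpu_check CONFIG_FILE CMDLINE
# Prints PASS or FAIL with a reason; returns 0 on PASS, 1 on FAIL.
trust_cpu_check() {
    config_file=$1
    cmdline=$2
    # An explicit "off" on the command line fails regardless of the build option.
    if has_arg "random.trust_cpu=off" "$cmdline"; then
        echo "FAIL: random.trust_cpu=off is present on the command line"
        return 1
    fi
    if grep -qx 'CONFIG_RANDOM_TRUST_CPU=y' "$config_file" 2>/dev/null; then
        echo "PASS: compiled in and not overridden"
        return 0
    fi
    if has_arg "random.trust_cpu=on" "$cmdline"; then
        echo "PASS: enabled by boot parameter"
        return 0
    fi
    echo "FAIL: not compiled in and random.trust_cpu=on is missing"
    return 1
}

# grub_default_has_arg GRUB_FILE
# Returns 0 if GRUB_CMDLINE_LINUX in GRUB_FILE contains random.trust_cpu=on.
grub_default_has_arg() {
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$1" 2>/dev/null | tail -n 1)
    value=${line#GRUB_CMDLINE_LINUX=}
    value=${value#\"}; value=${value%\"}
    has_arg "random.trust_cpu=on" "$value"
}

# Live-system usage (paths are assumptions, see the note above):
#   trust_cpu_check "/boot/config-$(uname -r)" "$(cat /proc/cmdline)"
#   grub_default_has_arg /etc/default/grub
```

The check is deliberately strict: a command line that carries both random.trust_cpu=on and random.trust_cpu=off is reported as FAIL, since the rule requires that the off value not be present at all.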