Cryptographic pseudo-random number generators (CPRNGs) are an important building block for secure software. To this end, Apple provides a trusted software CPRNG running in the iOS, iPadOS, macOS, tvOS, watchOS and visionOS kernels. Itâs responsible for aggregating raw entropy from the system and providing secure random numbers to consumers in both the kernel and user space.
Entropy sources
The kernel CPRNG is seeded from multiple entropy sources during boot and over the lifetime of the device. These include (contingent on availability):
- The Secure Enclave hardware TRNG
- Timing-based jitter collected during boot
- Entropy collected from hardware interrupts
- A seed file used to persist entropy across boots
- Intel random instructions â for example, RDSEED and RDRAND (only on an Intel-based Mac)
The kernel CPRNG
The kernel CPRNG is a Fortuna-derived design targeting a 256-bit security level. It provides high-quality random numbers to user-space consumers using the following APIs:
- The
getentropy(2) system call - The random device (/dev/random)
The kernel CPRNG accepts user-supplied entropy through writes to the random device.
See also Hardware security overview Secure Enclave Kernel Integrity Protection Securely extending the kernel in macOS
Thanks for your feedback.