Following a conversation with Taylor, I ended up with the following implementation for the prekern [1] [2]. It uses a set of seeds that are hashed together in rounds, and it doesn't use an additional file.

It is based on the SHAKE256 hash function, which can produce a variable-sized output. We use an area of 32 bytes, and regenerate it as many times as needed. The first time, it is generated with:

	area = SHAKE256(entropy-file, rdseed, rdtsc)

When all of the bytes in the area have been consumed, it is regenerated this way:

	area = SHAKE256(area, rdseed, rdtsc)

The SHAKE/Keccak code is from Taylor, I just added prng_* wrappers.

rdseed and rdtsc each give an 8-byte seed, and entropy-file gives a 512-byte one. We don't checksum the latter, because we would need SHA1, which I am not implementing here.

Feel free to tell me if there's something obviously wrong in all of this; I won't hide that PRNGs are not things I work on every day.

[1] http://m00nbsd.net/garbage/prekern/prng.c
[2] http://m00nbsd.net/garbage/prekern/prng.diff
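
The round structure described in the message above, modelled in Python as an added example; it is not the prekern's prng.c and was not written by the author or by Taylor. `PrngModel`, `rdseed_standin` and `rdtsc_standin` are hypothetical names, the two stand-ins replace the real CPU instructions, and absorbing the three inputs in the order listed is an assumption.

```python
import hashlib
import os
import struct
import time

AREA_SIZE = 32      # bytes per area, as stated in the message
ENTROPY_SIZE = 512  # size of the entropy-file seed, as stated


def rdseed_standin() -> bytes:
    """8-byte seed; os.urandom stands in for the RDSEED instruction."""
    return os.urandom(8)


def rdtsc_standin() -> bytes:
    """8-byte seed; a monotonic counter stands in for RDTSC."""
    return struct.pack("<Q", time.perf_counter_ns() & (2**64 - 1))


class PrngModel:
    """Hypothetical model: a 32-byte area, rehashed once fully consumed."""

    def __init__(self, entropy_file, rdseed=rdseed_standin, rdtsc=rdtsc_standin):
        if len(entropy_file) != ENTROPY_SIZE:
            raise ValueError("entropy-file seed must be 512 bytes")
        self._rdseed, self._rdtsc = rdseed, rdtsc
        # First round: area = SHAKE256(entropy-file, rdseed, rdtsc)
        self._area = self._round(entropy_file)
        self._used = 0

    def _round(self, first: bytes) -> bytes:
        # Assumption: the three inputs are absorbed in the order listed.
        h = hashlib.shake_256()
        for part in (first, self._rdseed(), self._rdtsc()):
            h.update(part)
        return h.digest(AREA_SIZE)

    def get_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if self._used == AREA_SIZE:
                # Later rounds: area = SHAKE256(area, rdseed, rdtsc)
                self._area = self._round(self._area)
                self._used = 0
            take = min(n - len(out), AREA_SIZE - self._used)
            out += self._area[self._used:self._used + take]
            self._used += take
        return bytes(out)
```

Passing fixed callables for `rdseed` and `rdtsc` makes the output reproducible, which shows that every area after the first depends only on the previous area plus those two 8-byte seeds.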