diff mbox

[v9] Add getentropy, getrandom, <sys/random.h> [BZ #17252]

Message ID 680d0bed-b164-b809-d672-e0278fe08d7e@redhat.com
State New
Headers show

Commit Message

Florian Weimer Dec. 6, 2016, 12:55 p.m. UTC
On 12/02/2016 05:47 PM, Torvald Riegel wrote:
> On Wed, 2016-11-30 at 17:15 +0100, Florian Weimer wrote:
>> On 11/30/2016 02:33 PM, Florian Weimer wrote:
>>> This iteration of the patch implements both getrandom and getentropy at
>>> the same time.  getrandom is a cancellation point, has short reads, can
>>> return EINTR etc., but getentropy is the more uniform interface.  I
>>> added a retry loop in the getentropy implementation, to avoid exposing
>>> an implicit magic number in the kernel implementation (the maximum size
>>> of a single read; it differs between Solaris/OpenBSD/Linux).
>>>
>>> (You get to decide which function is Mulready and which one is Lang.)
>>>
>>> getentropy definitely needs interposition protection because it is
>>> frequently redefined.  We'll need to rebuild a distribution to see if
>>> the current approach is sufficient.  For consistency, I also added
>>> interposition protection for getrandom.
>>>
>>> In addition, I had to make a few fixes so that the ABI is stable across
>>> supported kernel headers, and had to tweak the stub implementations, too.
>>
>> I received a request off-list to align the getentropy behavior more
>> closely to the OpenBSD and Solaris behavior.  I think this makes sense
>> (I had not realized before they were so closely aligned), so I've added
>> the 256-byte check to the glibc version which is performed by the other
>> implementation in the attached version of the patch.
>
> This basically looks good to me (though I'm no expert on the actual
> syscall etc.).

Thanks.

Zack, would you comment as well, please?

> I think it could be improved though how the manual explains the pools
> for getrandom: first saying that one is blocking the other is
> nonblocking, and then saying that the nonblocking one can actually cause
> blocking too is surprising.  Do you need to call them the blocking and
> the nonblocking source?  Maybe other names could be used?

The alternative names are very implementation-dependent.  I switched 
them in the attached patch.  The terminology should match that in the 
getrandom manual page.

> Also, can you document all allowed error codes in the manual?

Not really.  This is a GNU manual, not a Linux manual.  Other kernels 
will return different error codes.  We might even revisit this issue and 
add file-based emulation, which would introduce additional error codes 
on Linux.

With the current implementation, you might get EPERM/EACCES on Linux if 
a seccomp filter or Linux security module intervenes.

> If you
> cannot, it would be good to at least give an indication why we can't, or
> where the user can figure out what errors to expect.

This applies to all kernel-centric functionality in the manual, so I 
don't see a reason to spell this out explicitly for getrandom/getentropy.

> Last thing: You seem to return EIO for two different conditions in
> getentropy, but only document one of them.

I added a note.

Thanks,
Florian

Comments

Zack Weinberg Dec. 6, 2016, 1:41 p.m. UTC | #1
On 12/06/2016 07:55 AM, Florian Weimer wrote:
> On 12/02/2016 05:47 PM, Torvald Riegel wrote:
>> On Wed, 2016-11-30 at 17:15 +0100, Florian Weimer wrote:
>>> On 11/30/2016 02:33 PM, Florian Weimer wrote:
>>>> This iteration of the patch implements both getrandom and getentropy at
>>>> the same time.
>>
>> This basically looks good to me (though I'm no expert on the actual
>> syscall etc.).
> 
> Thanks.
> 
> Zack, would you comment as well, please?

The 256-byte limit is unfortunate but I see why we want it.

I think you should remove this assertion:

+      /* The Linux implementation never returns zero if the length
+         argument is not zero, and does not perform a short read for
+         sizes <= 256.  */
+      assert (bytes == length);

it strikes me as Knowing Too Much about the kernel interface.

My only other remaining concern is the name mangling, and unfortunately
we really do have to resolve that before this can be committed, because
we'll be stuck with whatever decision we make here forever.

I still don't really understand what problems you are trying to solve by
mangling names, I still think that ad-hoc addition of mangled names with
forcible redirection in the headers is unlikely to be the *correct* fix
to whatever the problems actually are, and most importantly of all, I
still don't understand why you are convinced *these particular symbols*
need "interposition protection".  You said

> getentropy definitely needs interposition protection because it is
> frequently redefined.  We'll need to rebuild a distribution to see if
> the current approach is sufficient.  For consistency, I also added
> interposition protection for getrandom.

and this makes absolutely no sense at all to me.  Is it not the case
that people are defining getentropy and/or getrandom *because* libc
doesn't?  Won't their build systems notice (via AC_REPLACE_FUNCS or
equivalent) that libc is now defining them, and stop?

A concrete example of a real program or combination of programs, that
will break if we don't do this, would be really helpful to me.  Not a
demo, please, something that already exists in the wild.

zw
Florian Weimer Dec. 6, 2016, 2:03 p.m. UTC | #2
On 12/06/2016 02:41 PM, Zack Weinberg wrote:
> On 12/06/2016 07:55 AM, Florian Weimer wrote:
>> On 12/02/2016 05:47 PM, Torvald Riegel wrote:
>>> On Wed, 2016-11-30 at 17:15 +0100, Florian Weimer wrote:
>>>> On 11/30/2016 02:33 PM, Florian Weimer wrote:
>>>>> This iteration of the patch implements both getrandom and getentropy at
>>>>> the same time.
>>>
>>> This basically looks good to me (though I'm no expert on the actual
>>> syscall etc.).
>>
>> Thanks.
>>
>> Zack, would you comment as well, please?
>
> The 256-byte limit is unfortunate but I see why we want it.
>
> I think you should remove this assertion:
>
> +      /* The Linux implementation never returns zero if the length
> +         argument is not zero, and does not perform a short read for
> +         sizes <= 256.  */
> +      assert (bytes == length);
>
> it strikes me as Knowing Too Much about the kernel interface.

Based on Ted Ts'o's comments, I think it's part of the userspace ABI, 
but we can still leave it out.  We need a way to deal with a return 
value of 0 from the system call (another “can't happen” case, from which 
we can't really recover locally), and returning EIO is probably fine there.

> My only other remaining concern is the name mangling, and unfortunately
> we really do have to resolve that before this can be committed, because
> we'll be stuck with whatever decision we make here forever.
>
> I still don't really understand what problems you are trying to solve by
> mangling names, I still think that ad-hoc addition of mangled names with
> forcible redirection in the headers is unlikely to be the *correct* fix
> to whatever the problems actually are, and most importantly of all, I
> still don't understand why you are convinced *these particular symbols*
> need "interposition protection".

They are special because interposition of a function which does 
something else will not always cause observable behavior differences. 
If an application redefines fread so that nothing is actually read from 
the stream, then this is pretty obvious.  If getrandom or getentropy 
stop overwriting their argument buffers, then that's not going to cause 
immediate breakage.

> You said
>
>> getentropy definitely needs interposition protection because it is
>> frequently redefined.  We'll need to rebuild a distribution to see if
>> the current approach is sufficient.  For consistency, I also added
>> interposition protection for getrandom.
>
> and this makes absolutely no sense at all to me.  Is it not the case
> that people are defining getentropy and/or getrandom *because* libc
> doesn't?

No, there is code out there which checks for the availability of 
getrandom (in syscall form) and uses it to implement its own version of 
getentropy.

 > Won't their build systems notice (via AC_REPLACE_FUNCS or
> equivalent) that libc is now defining them, and stop?

I don't think so.  This doesn't happen universally.

> A concrete example of a real program or combination of programs, that
> will break if we don't do this, would be really helpful to me.  Not a
> demo, please, something that already exists in the wild.

Here's an example, I think:

<http://sources.debian.net/src/getdns/1.1.0~a2-1/src/compat/getentropy_linux.c/?hl=107#L107>

Thanks,
Florian
Joseph Myers Dec. 6, 2016, 4:42 p.m. UTC | #3
On Tue, 6 Dec 2016, Zack Weinberg wrote:

> I still don't really understand what problems you are trying to solve by
> mangling names, I still think that ad-hoc addition of mangled names with
> forcible redirection in the headers is unlikely to be the *correct* fix
> to whatever the problems actually are, and most importantly of all, I
> still don't understand why you are convinced *these particular symbols*
> need "interposition protection".  You said

As I understand it, the issue is: a program (or a badly behaved shared 
library) defines its own getentropy function (without a configure check, 
or with one that doesn't detect glibc's function).  When linked with new 
glibc, it gets a dynamic symbol export for getentropy.  It uses a shared 
library which has a working configure check for getentropy, and when that 
shared library is linked with new glibc it has an undefined reference to 
getentropy.  When the newly linked program is run with the newly built 
glibc, the program's definition of getentropy is used by the shared 
library, but has semantics different from expected, resulting in a 
security problem with the library in that combination.

Now, until we're sure of the right way to address such issues in general 
in glibc I suspect distribution-wide checks (that programs don't export 
symbols that override libc symbols used by shared libraries used, directly 
or indirectly, by those programs, other than a few common cases such as 
malloc - and that shared libraries don't interpose libc symbols, 
similarly) might be a better way to reduce the risk of such issues.  But 
because of dlopen it's hard to know what symbol exports from a program 
might end up being relevant to shared objects it uses.
Zack Weinberg Dec. 6, 2016, 4:51 p.m. UTC | #4
On 12/06/2016 11:42 AM, Joseph Myers wrote:
> On Tue, 6 Dec 2016, Zack Weinberg wrote:
> 
>> I still don't really understand what problems you are trying to solve by
>> mangling names, I still think that ad-hoc addition of mangled names with
>> forcible redirection in the headers is unlikely to be the *correct* fix
>> to whatever the problems actually are, and most importantly of all, I
>> still don't understand why you are convinced *these particular symbols*
>> need "interposition protection".  You said
> 
> As I understand it, the issue is: a program (or a badly behaved shared 
> library) defines its own getentropy function (without a configure check, 
> or with one that doesn't detect glibc's function).  When linked with new 
> glibc, it gets a dynamic symbol export for getentropy.  It uses a shared 
> library which has a working configure check for getentropy, and when that 
> shared library is linked with new glibc it has an undefined reference to 
> getentropy.  When the newly linked program is run with the newly built 
> glibc, the program's definition of getentropy is used by the shared 
> library, but has semantics different from expected, resulting in a 
> security problem with the library in that combination.
> 
> Now, until we're sure of the right way to address such issues in general 
> in glibc I suspect distribution-wide checks (that programs don't export 
> symbols that override libc symbols used by shared libraries used, directly 
> or indirectly, by those programs, other than a few common cases such as 
> malloc - and that shared libraries don't interpose libc symbols, 
> similarly) might be a better way to reduce the risk of such issues.  But 
> because of dlopen it's hard to know what symbol exports from a program 
> might end up being relevant to shared objects it uses.

On the assumption that this _is_ the issue, I am going to write a script
that scans the Debian archive for existing binaries containing
definitions (exported or not) of getentropy and/or getrandom, and will
report what it tells me -- this will probably take a couple days to
cycle all the way through.

zw
Joseph Myers Dec. 6, 2016, 4:55 p.m. UTC | #5
On Tue, 6 Dec 2016, Zack Weinberg wrote:

> On the assumption that this _is_ the issue, I am going to write a script
> that scans the Debian archive for existing binaries containing
> definitions (exported or not) of getentropy and/or getrandom, and will
> report what it tells me -- this will probably take a couple days to
> cycle all the way through.

You can't generally tell for a stripped executable whether there's a 
getentropy function in there - only if it's unstripped, or linked with 
-rdynamic, or linked with glibc that defines getentropy and so exports it 
in the dynamic symbol table for that reason.  You could scan shared 
libraries for bogus exports, but I don't see how you could test for 
executables that would cause a problem when linked with new glibc without 
doing a full archive rebuild with patched glibc.
Florian Weimer Dec. 6, 2016, 4:59 p.m. UTC | #6
On 12/06/2016 05:55 PM, Joseph Myers wrote:
> On Tue, 6 Dec 2016, Zack Weinberg wrote:
>
>> On the assumption that this _is_ the issue, I am going to write a script
>> that scans the Debian archive for existing binaries containing
>> definitions (exported or not) of getentropy and/or getrandom, and will
>> report what it tells me -- this will probably take a couple days to
>> cycle all the way through.
>
> You can't generally tell for a stripped executable whether there's a
> getentropy function in there - only if it's unstripped, or linked with
> -rdynamic, or linked with glibc that defines getentropy and so exports it
> in the dynamic symbol table for that reason.  You could scan shared
> libraries for bogus exports, but I don't see how you could test for
> executables that would cause a problem when linked with new glibc without
> doing a full archive rebuild with patched glibc.

Agreed.  Another complication is that there are cases where you get 
getentropy only if HAVE_GETRANDOM is defined.

What do you suggest we should do if we detect unintended interposition 
(assuming we decide to use the version without redirection first)?

Thanks,
Florian
Joseph Myers Dec. 6, 2016, 5:01 p.m. UTC | #7
On Tue, 6 Dec 2016, Florian Weimer wrote:

> What do you suggest we should do if we detect unintended interposition
> (assuming we decide to use the version without redirection first)?

In the first instance I'd suggest changing the programs with the problem 
getrandom / getentropy definitions (to, probably, use glibc's version when 
available).
Zack Weinberg Dec. 6, 2016, 5:11 p.m. UTC | #8
On 12/06/2016 09:03 AM, Florian Weimer wrote:
> On 12/06/2016 02:41 PM, Zack Weinberg wrote:
>>
>> My only other remaining concern is the name mangling, and unfortunately
>> we really do have to resolve that before this can be committed, because
>> we'll be stuck with whatever decision we make here forever.
>>
>> I still don't really understand what problems you are trying to solve by
>> mangling names, I still think that ad-hoc addition of mangled names with
>> forcible redirection in the headers is unlikely to be the *correct* fix
>> to whatever the problems actually are, and most importantly of all, I
>> still don't understand why you are convinced *these particular symbols*
>> need "interposition protection".
> 
> They are special because interposition of a function which does
> something else will not always cause observable behavior differences. If
> an application redefines fread so that nothing is actually read from the
> stream, then this is pretty obvious.  If getrandom or getentropy stop
> overwriting their argument buffers, then that's not going to cause
> immediate breakage.

I'll accept this as a reason why getrandom and getentropy may need some
kind of special treatment that we don't necessarily apply to other new
symbols.

>> A concrete example of a real program or combination of programs, that
>> will break if we don't do this, would be really helpful to me.  Not a
>> demo, please, something that already exists in the wild.
> 
> Here's an example, I think:
> 
> <http://sources.debian.net/src/getdns/1.1.0~a2-1/src/compat/getentropy_linux.c/?hl=107#L107>

It appears to me that this is not an example of a "real program or
combination of programs that _will break_ if we don't do this" because:

* It defines getentropy() with the same signature and substantially the
same semantics as libc is going to.

* Its configure script does, in fact, check for getentropy before adding
getentropy_linux.c to the build.

* It's a library, and it has a version script, so even if it does define
getentropy internally, programs built normally will not see that
definition.  (I remind you that I don't care about static linkage.)

zw
Zack Weinberg Dec. 6, 2016, 5:14 p.m. UTC | #9
On 12/06/2016 11:55 AM, Joseph Myers wrote:
> On Tue, 6 Dec 2016, Zack Weinberg wrote:
> 
>> On the assumption that this _is_ the issue, I am going to write a script
>> that scans the Debian archive for existing binaries containing
>> definitions (exported or not) of getentropy and/or getrandom, and will
>> report what it tells me -- this will probably take a couple days to
>> cycle all the way through.
> 
> You can't generally tell for a stripped executable whether there's a 
> getentropy function in there - only if it's unstripped, or linked with 
> -rdynamic, or linked with glibc that defines getentropy and so exports it 
> in the dynamic symbol table for that reason.  You could scan shared 
> libraries for bogus exports, but I don't see how you could test for 
> executables that would cause a problem when linked with new glibc without 
> doing a full archive rebuild with patched glibc.

Oh bother.  Well, forget that idea - I don't have access to sufficient
CPU grunt to do an archive rebuild.

zw
Zack Weinberg Dec. 6, 2016, 6:42 p.m. UTC | #10
On 12/06/2016 12:11 PM, Zack Weinberg wrote:
> On 12/06/2016 09:03 AM, Florian Weimer wrote:
>> On 12/06/2016 02:41 PM, Zack Weinberg wrote:
>>>
>>> My only other remaining concern is the name mangling, and unfortunately
>>> we really do have to resolve that before this can be committed, because
>>> we'll be stuck with whatever decision we make here forever.
>>>
>>> I still don't really understand what problems you are trying to solve by
>>> mangling names, I still think that ad-hoc addition of mangled names with
>>> forcible redirection in the headers is unlikely to be the *correct* fix
>>> to whatever the problems actually are, and most importantly of all, I
>>> still don't understand why you are convinced *these particular symbols*
>>> need "interposition protection".
>>
>> They are special because interposition of a function which does
>> something else will not always cause observable behavior differences. If
>> an application redefines fread so that nothing is actually read from the
>> stream, then this is pretty obvious.  If getrandom or getentropy stop
>> overwriting their argument buffers, then that's not going to cause
>> immediate breakage.
> 
> I'll accept this as a reason why getrandom and getentropy may need some
> kind of special treatment that we don't necessarily apply to other new
> symbols.

I should probably explain why I think the mangled names may be an
actively *bad* idea; I wouldn't be making so much of a fuss over it
otherwise.

The most direct reason is that it interferes with code that seeks
*intentionally* to interpose symbols.  There are good reasons to
intercept calls to the system RNG: for instance, a test harness might
want to sub in a broken implementation to confirm that the error
handling works, another kind of test harness might want to fix the
random seed for reproducibility, and if we ever need to stop using the
kernel's RNG in a hurry, LD_PRELOAD will be the fastest way to go about
it.  There *probably* isn't any existing code *for Linux* that
intentionally interposes functions that currently don't exist in glibc,
but there could be such code for one of the BSDs and maybe someone is
just waiting for us to pick up getentropy/getrandom before they port it.

A more abstract reason is that, as discussed elsewhere, I think the
problem (to the extent I do understand it) would be better addressed
with an across-the-board change to linker semantics, and if we're going
to do that, it doesn't make sense to put in stopgaps that we will then
be stuck with forever (even if just as compatibility aliases).

Having said that, if someone does do an archive rebuild and finds a
concrete case where existing code _will_ generate a bad unintentional
interposition of either getentropy or getrandom, then the security
implications would swing me in favor of going ahead and doing the
REDIRECTs, since it is the only solution we've got at the moment and we
do want these functions in 2.25.  I'll accept any executable or
_dynamic_ library that winds up defining either getentropy or getrandom
as a public symbol with either an incompatible function signature or
incompatible primary semantics.  I'm not going to insist on there being
a known situation where that would actually cause some second module to
get the wrong definition, since it would be basically impossible to
prove that that _couldn't_ happen.

(The getdns case doesn't convince me because the symbol isn't exported
and it appears to be a _compatible_ definition.)

zw
Florian Weimer Dec. 7, 2016, 10:52 a.m. UTC | #11
On 12/06/2016 06:01 PM, Joseph Myers wrote:
> On Tue, 6 Dec 2016, Florian Weimer wrote:
>
>> What do you suggest we should do if we detect unintended interposition
>> (assuming we decide to use the version without redirection first)?
>
> In the first instance I'd suggest changing the programs with the problem
> getrandom / getentropy definitions (to, probably, use glibc's version when
> available).

We can do that for things in the distribution, true, but I still think 
it's annoying that if an application defines a getentropy symbol, 
cryptographic libraries such as OpenSSL could begin to behave in a 
slightly different way.

I can drop the mangling for now if that's the general consensus, but I 
don't like how I'm pressured into making a change which I consider 
unnecessarily risky.

Florian
Florian Weimer Dec. 7, 2016, 11:18 a.m. UTC | #12
On 12/06/2016 07:42 PM, Zack Weinberg wrote:

> I should probably explain why I think the mangled names may be an
> actively *bad* idea; I wouldn't be making so much of a fuss over it
> otherwise.

Thanks.

> The most direct reason is that it interferes with code that seeks
> *intentionally* to interpose symbols.  There are good reasons to
> intercept calls to the system RNG: for instance, a test harness might
> want to sub in a broken implementation to confirm that the error
> handling works, another kind of test harness might want to fix the
> random seed for reproducibility, and if we ever need to stop using the
> kernel's RNG in a hurry, LD_PRELOAD will be the fastest way to go about
> it.  There *probably* isn't any existing code *for Linux* that
> intentionally interposes functions that currently don't exist in glibc,
> but there could be such code for one of the BSDs and maybe someone is
> just waiting for us to pick up getentropy/getrandom before they port it.

I see your point, but with the original patch with mangling, you had to 
interpose __libc_getrandom and getrandom.  With the current patch (if we 
remove mangling), you still have to interpose getrandom and getentropy. 
If we add arc4random, you will have to interpose that as well.  And so on.

What I'm trying to say is that its far from obvious was you need to 
interpose to get the desired effect, and that with or without name 
mangling, some work is required to obtain the relevant set of symbols.

> A more abstract reason is that, as discussed elsewhere, I think the
> problem (to the extent I do understand it) would be better addressed
> with an across-the-board change to linker semantics, and if we're going
> to do that, it doesn't make sense to put in stopgaps that we will then
> be stuck with forever (even if just as compatibility aliases).

I already explained why we cannot fix this in the linker.  We need to 
put *something* in the header, too.  At that point, we can just use name 
mangling, which is supported by the toolchain, today.

> Having said that, if someone does do an archive rebuild and finds a
> concrete case where existing code _will_ generate a bad unintentional
> interposition of either getentropy or getrandom, then the security
> implications would swing me in favor of going ahead and doing the
> REDIRECTs, since it is the only solution we've got at the moment and we
> do want these functions in 2.25.

If we put this in soon (without mangling), I can probably finish a test 
mass rebuild of Fedora before the 2.25 release.  This should give us 
some data.

Thanks,
Florian
Zack Weinberg Dec. 7, 2016, 2:46 p.m. UTC | #13
On Wed, Dec 7, 2016 at 6:18 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 12/06/2016 07:42 PM, Zack Weinberg wrote:
>> The most direct reason is that it interferes with code that seeks
>> *intentionally* to interpose symbols.  There are good reasons to
>> intercept calls to the system RNG [...]
>
> I see your point, but with the original patch with mangling, you had to
> interpose __libc_getrandom and getrandom.  With the current patch (if we
> remove mangling), you still have to interpose getrandom and getentropy. If
> we add arc4random, you will have to interpose that as well.  And so on.

So I guess the hypothetical software I'm thinking of comes from the
BSD universe and already knows about getrandom, getentropy,
arc4random, and all the other public RNG APIs (OpenBSD now implements
everything from rand() on up with an auto-seeded CSPRNG) but not the
__libc_* names.  As you say, though, some porting work is going to be
required regardless, and finding out about the additional symbols is
not that much of a speedbump.

>> A more abstract reason is that, as discussed elsewhere, I think the
>> problem (to the extent I do understand it) would be better addressed
>> with an across-the-board change to linker semantics, and if we're going
>> to do that, it doesn't make sense to put in stopgaps that we will then
>> be stuck with forever (even if just as compatibility aliases).
>
> I already explained why we cannot fix this in the linker.  We need to put
> *something* in the header, too.  At that point, we can just use name
> mangling, which is supported by the toolchain, today.

Let's push this part of the conversation back into the other thread -
I'll respond to your last message there later today.

>> Having said that, if someone does do an archive rebuild and finds a
>> concrete case where existing code _will_ generate a bad unintentional
>> interposition of either getentropy or getrandom, then the security
>> implications would swing me in favor of going ahead and doing the
>> REDIRECTs, since it is the only solution we've got at the moment and we
>> do want these functions in 2.25.
>
> If we put this in soon (without mangling), I can probably finish a test mass
> rebuild of Fedora before the 2.25 release.  This should give us some data.

That sounds like a plan to me.  Once the patch lands, I can try to
find someone who can do a Debian archive rebuild too.

zw
diff mbox

Patch

Add getentropy, getrandom, <sys/random.h> [BZ #17252]

2016-12-06  Florian Weimer  <fweimer@redhat.com>

	[BZ #17252]
	Add getentropy, getrandom.
	* stdlib/sys/random.h: New file.
	(headers): Add it.
	* stdlib/Makefile (routines): Add getentropy, getrandom.
	(tests): Add tst-getrandom.
	* stdlib/Versions (GLIBC_2.25): Add getrandom, __libc_getrandom,
	getentropy, __libc_getentropy.
	* stdlib/getentropy.c: New file.
	* stdlib/getrandom.c: Likewise.
	* stdlib/tst-getrandom.c: Likewise.
	* sysdeps/unix/sysv/linux/getentropy.c: Likewise.
	* sysdeps/unix/sysv/linux/getrandom.c: Likewise.
	* manual/crypt.texi (Unpredictable Bytes): New section.
	* manual/math.texi (Pseudo-Random Numbers): Add cross-reference.
	* sysdeps/arm/nacl/libc.abilist: Add __libc_getentropy,
	__libc_getrandom, getrandom, getentropy.
	* sysdeps/unix/sysv/linux/aarch64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/alpha/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/arm/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/hppa/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/i386/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/ia64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/microblaze/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/nios2/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist:
	Likewise.
	* sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist:
	Likewise.
	* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist: Likewise.
	* sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/sh/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/x86_64/64/libc.abilist: Likewise.
	* sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist: Likewise.

diff --git a/NEWS b/NEWS
index c2e973d..7f317fc 100644
--- a/NEWS
+++ b/NEWS
@@ -83,6 +83,9 @@  Version 2.25
   affect the ABI of other libraries that use this type in their interfaces,
   if they are compiled or used with those options.
 
+* The getentropy and getrandom functions, and the <sys/random.h> header file
+  have been added.
+
 * The buffer size for byte-oriented stdio streams is now limited to 8192
   bytes by default.  Previously, on Linux, the default buffer size on most
   file systems was 4096 bytes (and thus remains unchanged), except on
diff --git a/manual/crypt.texi b/manual/crypt.texi
index 9f44740..4ab512b 100644
--- a/manual/crypt.texi
+++ b/manual/crypt.texi
@@ -45,6 +45,7 @@  encrypted authentication use normal DES.
 * getpass::                     Prompting the user for a password.
 * crypt::                       A one-way function for passwords.
 * DES Encryption::              Routines for DES encryption.
+* Unpredictable Bytes::         Randomness for cryptography purposes.
 @end menu
 
 @node Legal Problems
@@ -428,3 +429,114 @@  each byte.
 The @code{ecb_crypt}, @code{cbc_crypt}, and @code{des_setparity}
 functions and their accompanying macros are all defined in the header
 @file{rpc/des_crypt.h}.
+
+@node Unpredictable Bytes
+@section Generating Unpredictable Bytes
+
+Some cryptographic applications (such as session key generation) need
+unpredictable bytes.
+
+In general, application code should use a deterministic random bit
+generator, which could call the @code{getentropy} function described
+below internally to obtain randomness to seed the generator.  The
+@code{getrandom} function is intended for low-level applications which
+need additional control over the blocking behavior.
+
+@comment sys/random.h
+@comment GNU
+@deftypefun int getentropy (void *@var{buffer}, size_t @var{length})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+
+This function writes @var{length} bytes of random data to the array
+starting at @var{buffer}, which must be at most 256 bytes long.  The
+function returns zero on success.  On failure, it returns @code{-1} and
+@code{errno} is updated accordingly.
+
+The @code{getentropy} function is declared in the header file
+@file{sys/random.h}.  It is derived from OpenBSD.
+
+The @code{getentropy} function is not a cancellation point.  A call to
+@code{getentropy} can block if the system has just booted and the kernel
+entropy pool has not yet been initialized.  In this case, the function
+will keep blocking even if a signal arrives, and return only after the
+entropy pool has been initialized.
+
+The @code{getentropy} function can fail with several errors, some of
+which are listed below.
+
+@table @code
+@item ENOSYS
+The kernel does not implement the required system call.
+
+@item EFAULT
+The combination of @var{buffer} and @var{length} arguments specifies
+an invalid memory range.
+
+@item EIO
+More than 256 bytes of randomness have been requested, or the buffer
+could not be overwritten with random data for an unspecified reason.
+
+@end table
+
+@end deftypefun
+
+@comment sys/random.h
+@comment GNU
+@deftypefun ssize_t getrandom (void *@var{buffer}, size_t @var{length}, unsigned int @var{flags})
+@safety{@mtsafe{}@assafe{}@acsafe{}}
+
+This function writes @var{length} bytes of random data to the array
+starting at @var{buffer}.  On success, this function returns the number
+of bytes which have been written to the buffer (which can be less than
+@var{length}).  On error, @code{-1} is returned, and @code{errno} is
+updated accordingly.
+
+The @code{getrandom} function is declared in the header file
+@file{sys/random.h}.  It is a GNU extension.
+
+The following flags are defined for the @var{flags} argument:
+
+@table @code
+@item GRND_RANDOM
+Use the @file{/dev/random} (blocking) pool instead of the
+@file{/dev/urandom} (non-blocking) pool to obtain randomness.  If the
+@code{GRND_RANDOM} flag is specified, the @code{getrandom} function can
+block even after the randomness source has been initialized.
+
+@item GRND_NONBLOCK
+Instead of blocking, return to the caller immediately if no data is
+available.
+@end table
+
+The @code{getrandom} function is a cancellation point.
+
+Obtaining randomness from the @file{/dev/urandom} pool (i.e., a call
+without the @code{GRND_RANDOM} flag) can block if the system has just
+booted and the pool has not yet been initialized.
+
+The @code{getrandom} function can fail with several errors, some of
+which are listed below.  In addition, the function may not fill the
+buffer completely and return a value less than @var{length}.
+
+@table @code
+@item ENOSYS
+The kernel does not implement the @code{getrandom} system call.
+
+@item EAGAIN
+No random data was available and @code{GRND_NONBLOCK} was specified in
+@var{flags}.
+
+@item EFAULT
+The combination of @var{buffer} and @var{length} arguments specifies
+an invalid memory range.
+
+@item EINTR
+The system call was interrupted.  During the system boot process, before
+the kernel randomness pool is initialized, this can happen even if
+@var{flags} is zero.
+
+@item EINVAL
+The @var{flags} argument contains an invalid combination of flags.
+@end table
+
+@end deftypefun
diff --git a/manual/math.texi b/manual/math.texi
index 5ad8732..9b699f1 100644
--- a/manual/math.texi
+++ b/manual/math.texi
@@ -1443,7 +1443,8 @@  is convenient when you are debugging a program, but it is unhelpful if
 you want the program to behave unpredictably.  If you want a different
 pseudo-random series each time your program runs, you must specify a
 different seed each time.  For ordinary purposes, basing the seed on the
-current time works well.
+current time works well.  For random numbers in cryptography,
+@pxref{Unpredictable Bytes}.
 
 You can obtain repeatable sequences of numbers on a particular machine type
 by specifying the same initial seed value for the random number
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 3cce9d9..d651263 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -28,7 +28,7 @@  headers	:= stdlib.h bits/stdlib.h bits/stdlib-ldbl.h bits/stdlib-float.h      \
 	   errno.h sys/errno.h bits/errno.h				      \
 	   ucontext.h sys/ucontext.h					      \
 	   alloca.h fmtmsg.h						      \
-	   bits/stdlib-bsearch.h
+	   bits/stdlib-bsearch.h sys/random.h
 
 routines	:=							      \
 	atof atoi atol atoll						      \
@@ -45,7 +45,7 @@  routines	:=							      \
 	srand48 seed48 lcong48						      \
 	drand48_r erand48_r lrand48_r nrand48_r mrand48_r jrand48_r	      \
 	srand48_r seed48_r lcong48_r					      \
-	drand48-iter							      \
+	drand48-iter getrandom getentropy				      \
 	strfromf strfromd strfroml					      \
 	strtol strtoul strtoll strtoull					      \
 	strtol_l strtoul_l strtoll_l strtoull_l				      \
@@ -79,7 +79,8 @@  tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
 		   tst-setcontext3 tst-tls-atexit-nodelete		    \
 		   tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l    \
 		   tst-quick_exit tst-thread-quick_exit tst-width	    \
-		   tst-width-stdint tst-strfrom tst-strfrom-locale
+		   tst-width-stdint tst-strfrom tst-strfrom-locale \
+		   tst-getrandom
 tests-static	:= tst-secure-getenv
 ifeq ($(have-cxx-thread_local),yes)
 CFLAGS-tst-quick_exit.o = -std=c++11
diff --git a/stdlib/Versions b/stdlib/Versions
index 54416b7..5f02bc2 100644
--- a/stdlib/Versions
+++ b/stdlib/Versions
@@ -115,6 +115,7 @@  libc {
   GLIBC_2.25 {
     # s*
     strfromd; strfromf; strfroml;
+    getrandom; __libc_getrandom; getentropy; __libc_getentropy;
   }
   GLIBC_PRIVATE {
     # functions which have an additional interface since they are
diff --git a/stdlib/getentropy.c b/stdlib/getentropy.c
new file mode 100644
index 0000000..dcd2e75
--- /dev/null
+++ b/stdlib/getentropy.c
@@ -0,0 +1,37 @@ 
+/* Stub for getentropy.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Do not alias getentropy to __libc_getentropy.  */
+#define getentropy getentropy_noalias
+#include <sys/random.h>
+#undef getentropy
+
+#include <errno.h>
+
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return 0 on
+   success and -1 on failure.  */
+ssize_t
+__libc_getentropy (void *buffer, size_t length)
+{
+  __set_errno (ENOSYS);
+  return -1;
+}
+
+stub_warning (__libc_getentropy)
+
+weak_alias (__libc_getentropy, getentropy)
diff --git a/stdlib/getrandom.c b/stdlib/getrandom.c
new file mode 100644
index 0000000..d9a1a99
--- /dev/null
+++ b/stdlib/getrandom.c
@@ -0,0 +1,37 @@ 
+/* Stub for getrandom.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Do not alias getrandom to __libc_getrandom.  */
+#define getrandom getrandom_noalias
+#include <sys/random.h>
+#undef getrandom
+
+#include <errno.h>
+
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return the
+   number of bytes written, or -1 on error.  */
+ssize_t
+__libc_getrandom (void *buffer, size_t length, unsigned int flags)
+{
+  __set_errno (ENOSYS);
+  return -1;
+}
+
+stub_warning (__libc_getrandom)
+
+weak_alias (__libc_getrandom, getrandom)
diff --git a/stdlib/sys/random.h b/stdlib/sys/random.h
new file mode 100644
index 0000000..c2fbeb5
--- /dev/null
+++ b/stdlib/sys/random.h
@@ -0,0 +1,61 @@ 
+/* Interfaces for obtaining random bytes.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _SYS_RANDOM_H
+#define _SYS_RANDOM_H 1
+
+#include <features.h>
+#include <sys/types.h>
+
+/* Flags for use with getrandom.  */
+#define GRND_NONBLOCK 0x01
+#define GRND_RANDOM 0x02
+
+__BEGIN_DECLS
+
+#ifdef __REDIRECT
+/* For GNU compilers: Redirect getrandom to __libc_getrandom, to
+   protect against accidental interposition.  (Application code should
+   still use the getrandom symbol.)  */
+
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return the
+   number of bytes written, or -1 on error.  */
+ssize_t __libc_getrandom (void *__buffer, size_t __length,
+                          unsigned int __flags) __wur;
+extern ssize_t __REDIRECT (getrandom,
+                           (void *__buffer, size_t __length,
+                            unsigned int __flags),
+                           __libc_getrandom);
+
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return 0 on
+   success or -1 on error.  */
+int __libc_getentropy (void *__buffer, size_t __length) __wur;
+extern int __REDIRECT (getentropy, (void *__buffer, size_t __length),
+                       __libc_getentropy);
+
+#else
+/* Non-GNU compilers do not receive protection against accidental
+   interposition.  */
+ssize_t getrandom (void *__buffer, size_t __length, unsigned int __flags)
+  __wur;
+int getentropy (void *__buffer, size_t __length) __wur;
+#endif /* __REDIRECT */
+
+__END_DECLS
+
+#endif /* _SYS_RANDOM_H */
diff --git a/stdlib/tst-getrandom.c b/stdlib/tst-getrandom.c
new file mode 100644
index 0000000..1e992c2
--- /dev/null
+++ b/stdlib/tst-getrandom.c
@@ -0,0 +1,246 @@ 
+/* Tests for the getentropy, getrandom functions.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/random.h>
+
+/* Set to true if any errors are encountered.  */
+static bool errors;
+
+/* Test getrandom with a single buffer length.  NB: The passed-in
+   buffer must have room for four extra bytes after the specified
+   length, which are used to test that getrandom leaves those bytes
+   unchanged.  */
+static void
+test_length (char *buffer, size_t length, unsigned int flags)
+{
+  memset (buffer, 0, length);
+  strcpy (buffer + length, "123");
+  ssize_t ret = getrandom (buffer, length, flags);
+  if (ret < 0)
+    {
+      /* EAGAIN is an expected error with GRND_RANDOM and
+         GRND_NONBLOCK.  */
+      if ((flags & GRND_RANDOM)
+          && (flags & GRND_NONBLOCK)
+          && errno == EAGAIN)
+        return;
+      printf ("error: getrandom (%zu, 0x%x): %m\n", length, flags);
+      errors = true;
+      return;
+    }
+ if (ret != length)
+    {
+      if (flags & GRND_RANDOM)
+        {
+          if (ret == 0 || ret > length)
+            {
+              printf ("error: getrandom (%zu, 0x%x) returned %zd\n",
+                      length, flags, ret);
+              errors = true;
+            }
+        }
+      else
+        {
+          printf ("error: getrandom (%zu, 0x%x) returned %zd\n",
+                  length, flags, ret);
+          errors = true;
+        }
+    }
+  if (length >= 7)
+    {
+      /* One spurious test failure in 2**56 is sufficiently
+         unlikely.  */
+      int non_null = 0;
+      for (int i = 0; i < length; ++i)
+        non_null += buffer[i] != 0;
+      if (non_null == 0)
+        {
+          printf ("error: getrandom (%zu, 0x%x) returned all-zero bytes\n",
+                  length, flags);
+          errors = true;
+        }
+    }
+  if (memcmp (buffer + length, "123", 4) != 0)
+    {
+      printf ("error: getrandom (%zu, 0x%x) wrote spurious bytes\n",
+              length, flags);
+      errors = true;
+    }
+}
+
+/* Call getrandom repeatedly to fill the buffer.  */
+static bool
+getrandom_full (char *buffer, size_t length, unsigned int flags)
+{
+  char *end = buffer + length;
+  while (buffer < end)
+    {
+      ssize_t ret = getrandom (buffer, end - buffer, flags);
+      if (ret < 0)
+        {
+          printf ("error: getrandom (%zu, 0x%x): %m\n", length, flags);
+          errors = true;
+          return false;
+        }
+      buffer += ret;
+    }
+
+  return true;
+}
+
+static void
+test_flags (unsigned int flags)
+{
+  /* Test various lengths, but only for !GRND_RANDOM, to conserve
+     entropy.  */
+  {
+    enum { max_length = 300 };
+    char buffer[max_length + 4];
+    if (flags & GRND_RANDOM)
+      test_length (buffer, 0, flags);
+    else
+      {
+        for (int length = 0; length <= 9; ++length)
+          test_length (buffer, length, flags);
+        test_length (buffer, 16, flags);
+        test_length (buffer, max_length, flags);
+      }
+  }
+
+  /* Test that getrandom returns different data.  */
+  if (!(flags & GRND_NONBLOCK))
+    {
+      char buffer1[8];
+      memset (buffer1, 0, sizeof (buffer1));
+
+      char buffer2[8];
+      memset (buffer2, 0, sizeof (buffer2));
+
+      if (getrandom_full (buffer1, sizeof (buffer1), flags)
+          && getrandom_full (buffer2, sizeof (buffer2), flags))
+        {
+          /* The probability that these two 8-byte buffers are equal
+             is very small (assuming that two subsequent calls to
+             getrandom result are independent, uniformly distributed
+             random variables).  */
+          if (memcmp (buffer1, buffer2, sizeof (buffer1)) == 0)
+            {
+              printf ("error: getrandom returns constant value\n");
+              errors = true;
+            }
+        }
+    }
+}
+
+static void
+test_getentropy (void)
+{
+  char buf[16];
+  memset (buf, '@', sizeof (buf));
+  if (getentropy (buf, 0) != 0)
+    {
+      printf ("error: getentropy zero length: %m\n");
+      errors = true;
+      return;
+    }
+  for (size_t i = 0; i < sizeof (buf); ++i)
+    if (buf[i] != '@')
+      {
+        printf ("error: getentropy modified zero-length buffer\n");
+        errors = true;
+        return;
+      }
+
+  if (getentropy (buf, sizeof (buf)) != 0)
+    {
+      printf ("error: getentropy buf: %m\n");
+      errors = true;
+      return;
+    }
+
+  char buf2[256];
+  _Static_assert (sizeof (buf) < sizeof (buf2), "buf and buf2 compatible");
+  memset (buf2, '@', sizeof (buf2));
+  if (getentropy (buf2, sizeof (buf)) != 0)
+    {
+      printf ("error: getentropy buf2: %m\n");
+      errors = true;
+      return;
+    }
+
+  /* The probability that these two buffers are equal is very
+     small. */
+  if (memcmp (buf, buf2, sizeof (buf) == 0))
+    {
+      printf ("error: getentropy appears to return constant bytes\n");
+      errors = true;
+      return;
+    }
+
+  for (size_t i = sizeof (buf); i < sizeof (buf2); ++i)
+    if (buf2[i] != '@')
+      {
+        printf ("error: getentropy wrote beyond the end of the buffer\n");
+        errors = true;
+        return;
+      }
+
+  char buf3[257];
+  if (getentropy (buf3, sizeof (buf3)) == 0)
+    {
+      printf ("error: getentropy successful for 257 byte buffer\n");
+      errors = true;
+      return;
+    }
+  if (errno != EIO)
+    {
+      printf ("error: getentropy wrong error for 257 byte buffer: %m\n");
+      errors = true;
+      return;
+    }
+}
+
+static int
+do_test (void)
+{
+  /* Check if getrandom is not supported by this system.  */
+  if (getrandom (NULL, 0, 0) == -1 && errno == ENOSYS)
+    return 77;
+
+  for (int use_random = 0; use_random < 2; ++use_random)
+    for (int use_nonblock = 0; use_nonblock < 2; ++use_nonblock)
+      {
+        unsigned int flags = 0;
+        if (use_random)
+          flags |= GRND_RANDOM;
+        if (use_nonblock)
+          flags |= GRND_NONBLOCK;
+        test_flags (flags);
+      }
+
+  test_getentropy ();
+
+  return errors;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/sysdeps/arm/nacl/libc.abilist b/sysdeps/arm/nacl/libc.abilist
index 807e43d..c7c2136 100644
--- a/sysdeps/arm/nacl/libc.abilist
+++ b/sysdeps/arm/nacl/libc.abilist
@@ -1843,6 +1843,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 gnu_dev_major F
 GLIBC_2.25 gnu_dev_makedev F
 GLIBC_2.25 gnu_dev_minor F
diff --git a/sysdeps/unix/sysv/linux/aarch64/libc.abilist b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
index 77accdf..cd39db0 100644
--- a/sysdeps/unix/sysv/linux/aarch64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
@@ -2090,6 +2090,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/alpha/libc.abilist b/sysdeps/unix/sysv/linux/alpha/libc.abilist
index 659b7fc..712949b 100644
--- a/sysdeps/unix/sysv/linux/alpha/libc.abilist
+++ b/sysdeps/unix/sysv/linux/alpha/libc.abilist
@@ -2001,6 +2001,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/arm/libc.abilist b/sysdeps/unix/sysv/linux/arm/libc.abilist
index 8bc979a..c63274e 100644
--- a/sysdeps/unix/sysv/linux/arm/libc.abilist
+++ b/sysdeps/unix/sysv/linux/arm/libc.abilist
@@ -91,6 +91,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/getentropy.c b/sysdeps/unix/sysv/linux/getentropy.c
new file mode 100644
index 0000000..995d1de
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/getentropy.c
@@ -0,0 +1,83 @@ 
+/* Implementation of getentropy based on the getrandom system call.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Do not alias getentropy to __libc_getentropy.  */
+#define getentropy getentropy_noalias
+#include <sys/random.h>
+#undef getentropy
+
+#include <assert.h>
+#include <errno.h>
+#include <unistd.h>
+
+#ifdef __NR_getrandom
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return 0 on
+   success and -1 on failure.  */
+int
+__libc_getentropy (void *buffer, size_t length)
+{
+  /* The interface is documented to return EIO for buffer lengths
+     longer than 256 bytes.  */
+  if (length > 256)
+    {
+      __set_errno (EIO);
+      return -1;
+    }
+
+  /* Try to fill the buffer completely.  Even with the 256 byte limit
+     above, we might still receive an EINTR error (when blocking
+     during boot).  */
+  void *end = buffer + length;
+  while (buffer < end)
+    {
+      /* NB: No cancellation point.  */
+      ssize_t bytes = INLINE_SYSCALL_CALL (getrandom, buffer, end - buffer, 0);
+      if (bytes < 0)
+        {
+          if (errno == EINTR)
+            /* Try again if interrupted by a signal.  */
+            continue;
+          else
+            return -1;
+        }
+      /* The Linux implementation never returns zero if the length
+         argument is not zero, and does not perform a short read for
+         sizes <= 256.  */
+      assert (bytes == length);
+      if (bytes == 0)
+        {
+          /* No more bytes available.  This should not happen under
+             normal circumstances.  */
+          __set_errno (EIO);
+          return -1;
+        }
+      /* Try again in case of a short read.  */
+      buffer += bytes;
+    }
+  return 0;
+}
+#else
+int
+__libc_getentropy (void *buffer, size_t length)
+{
+  __set_errno (ENOSYS);
+  return -1;
+}
+#endif
+
+weak_alias (__libc_getentropy, getentropy)
diff --git a/sysdeps/unix/sysv/linux/getrandom.c b/sysdeps/unix/sysv/linux/getrandom.c
new file mode 100644
index 0000000..422769d
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/getrandom.c
@@ -0,0 +1,49 @@ 
+/* Implementation of the getrandom system call.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+/* Do not alias getrandom to __libc_getrandom.  */
+#define getrandom getrandom_noalias
+#include <sys/random.h>
+#undef getrandom
+
+#include <errno.h>
+#include <unistd.h>
+#include <sysdep-cancel.h>
+
+#ifdef __NR_getrandom
+/* Write LENGTH bytes of randomness starting at BUFFER.  Return 0 on
+   success and -1 on failure.  */
+ssize_t
+__libc_getrandom (void *buffer, size_t length, unsigned int flags)
+{
+  return SYSCALL_CANCEL (getrandom, buffer, length, flags);
+}
+#else
+/* Always provide a definition, even if the kernel headers lack the
+   system call number. */
+ssize_t
+__libc_getrandom (void *buffer, size_t length, unsigned int flags)
+{
+  /* Ideally, we would add a cancellation point here, but we currently
+     cannot do so inside libc.  */
+  __set_errno (ENOSYS);
+  return -1;
+}
+#endif
+
+weak_alias (__libc_getrandom, getrandom)
diff --git a/sysdeps/unix/sysv/linux/hppa/libc.abilist b/sysdeps/unix/sysv/linux/hppa/libc.abilist
index 299b705..d45e4d5 100644
--- a/sysdeps/unix/sysv/linux/hppa/libc.abilist
+++ b/sysdeps/unix/sysv/linux/hppa/libc.abilist
@@ -1855,6 +1855,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/i386/libc.abilist b/sysdeps/unix/sysv/linux/i386/libc.abilist
index f00345f..04818c3 100644
--- a/sysdeps/unix/sysv/linux/i386/libc.abilist
+++ b/sysdeps/unix/sysv/linux/i386/libc.abilist
@@ -2013,6 +2013,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/ia64/libc.abilist b/sysdeps/unix/sysv/linux/ia64/libc.abilist
index e5fcf88..12db57b 100644
--- a/sysdeps/unix/sysv/linux/ia64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/ia64/libc.abilist
@@ -1877,6 +1877,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
index 8f382f6..a3fe5e1 100644
--- a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
+++ b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
@@ -92,6 +92,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
index 320b7fe..f703e23 100644
--- a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
+++ b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
@@ -1969,6 +1969,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/microblaze/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/libc.abilist
index 21b1426..6acc482 100644
--- a/sysdeps/unix/sysv/linux/microblaze/libc.abilist
+++ b/sysdeps/unix/sysv/linux/microblaze/libc.abilist
@@ -2090,6 +2090,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
index 5c4b596..decc26e 100644
--- a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
@@ -1944,6 +1944,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
index 001fa6c..5ee4325 100644
--- a/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
@@ -1942,6 +1942,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
index 2d87001..021089e 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
@@ -1940,6 +1940,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
index aa1ee66..411f848 100644
--- a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
@@ -1935,6 +1935,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/nios2/libc.abilist b/sysdeps/unix/sysv/linux/nios2/libc.abilist
index 2471d68..0ba05cb 100644
--- a/sysdeps/unix/sysv/linux/nios2/libc.abilist
+++ b/sysdeps/unix/sysv/linux/nios2/libc.abilist
@@ -2131,6 +2131,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
index 4ba3146..97ad1c9 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
@@ -1973,6 +1973,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
index 0557c16..2020e94 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
@@ -1978,6 +1978,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
index 821384e..fb06f41 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
@@ -2178,6 +2178,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
index c40a3f1..51461cf 100644
--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
@@ -92,6 +92,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
index 5b39a60..184f876 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
@@ -1973,6 +1973,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
index a9db32f..f8929cf 100644
--- a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
@@ -1874,6 +1874,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/sh/libc.abilist b/sysdeps/unix/sysv/linux/sh/libc.abilist
index 294af0a..85f2379 100644
--- a/sysdeps/unix/sysv/linux/sh/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sh/libc.abilist
@@ -1859,6 +1859,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
index 32747bd..9cbe518 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
@@ -1965,6 +1965,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
index b0ac4d4..d4b4206 100644
--- a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
@@ -1903,6 +1903,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
index 4d92d81..cd338a0 100644
--- a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
@@ -2097,6 +2097,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
index a68aef7..e5b1eb8 100644
--- a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
@@ -2097,6 +2097,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
index 4d92d81..cd338a0 100644
--- a/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
+++ b/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
@@ -2097,6 +2097,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
index b8623fc..cc23be7 100644
--- a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
+++ b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
@@ -1854,6 +1854,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F
diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
index a61d874..4776c56 100644
--- a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
+++ b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
@@ -2097,6 +2097,10 @@  GLIBC_2.23 fts64_set F
 GLIBC_2.24 GLIBC_2.24 A
 GLIBC_2.24 quick_exit F
 GLIBC_2.25 GLIBC_2.25 A
+GLIBC_2.25 __libc_getentropy F
+GLIBC_2.25 __libc_getrandom F
+GLIBC_2.25 getentropy F
+GLIBC_2.25 getrandom F
 GLIBC_2.25 strfromd F
 GLIBC_2.25 strfromf F
 GLIBC_2.25 strfroml F