From 28a499e556a883165c9aeb93fcb1247c4e2b342e Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Mon, 16 Mar 2026 17:30:03 +0000
Subject: util/nvmutil: fix unveil usage

arandom probably isn't available on super old obsd right??????

rather, unveil isn't. on systems that have arandom

yet we should not unveil something that may not
exist on modern systems

just don't unveil arandom, and don't check arandom
if unveil is enabled

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 851eb0fb..1f91de0a 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -756,6 +756,8 @@ main(int argc, char *argv[])
 		err(errno, "pledge, unveil");
 	if (unveil("/dev/urandom", "r") == -1)
 		err(errno, "unveil: /dev/urandom");
+	if (unveil("/dev/random", "r") == -1)
+		err(errno, "unveil: /dev/random");
 #else
 	if (pledge("stdio flock rpath wpath cpath", NULL) == -1)
 		err(errno, "pledge");
@@ -1415,8 +1417,10 @@ read_urandom(void)
 	if (fd < 0) {
 
 		fd = open("/dev/urandom", O_RDONLY | O_NONBLOCK);
+#ifndef NVMUTIL_UNVEIL
 		if (fd < 0) /* older openbsd */
 			fd = open("/dev/arandom", O_RDONLY | O_NONBLOCK);
+#endif
 		if (fd < 0) /* super old unix (could block) */
 			fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
 
-- 
cgit v1.2.1