[Cryptography] Another PRNG question

Sandy Harris sandyinchina at gmail.com
Wed Jun 23 05:14:14 EDT 2021


I'm thinking about initialisation of Linux random(4). The main thing
is to initialise the input pool, typically 4K bits, with random data.
It might also be a good idea to initialise the output pools, which I
think are currently a pair of 512-bit ChaCha contexts.

This needs to be done early, reasonably cheaply & reasonably well. It
does not require perfectly random data; 4K moderately random bits will
be enough to make the thing reasonably secure.

Quite a few machines today have one or more cheap sources of random
bits. Many CPUs have an instruction that gives random bits, some
machines have a real hardware RNG of one sort or another, and VMs have
an emulated hardware RNG driven by /dev/urandom on the host. All are
reasonably cheap & any might be enough on its own.

I'm thinking of going a bit further. If you have two of those sources,
get 128 bits from each, mix them using the 128-bit finite field
multiplication from the authenticator of the AES-GCM stream cipher
(which at least comes close to making every output bit depend on every
input) and use the result as 128 bits of initialisation data. Provided
neither source is downright horrible, this should give near perfect
initialisation, reasonably cheaply.

What if you have only one source? Just use it directly, since that may
be enough? Multiply pairs of its outputs together? Use it to key a
pseudo-RNG, then multiply PRNG + source pairs?

If a PRNG, which one? Maybe ChaCha since that is already in the
driver? Or since we only need 4K bits, just use the key schedule from
an AES candidate cipher such as Serpent which expands a 256-bit key to
32 128-bit round keys, total 4K bits. Or something else?
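The two-source mix proposed above, worked through in code. This is an added example, not code from the original post and not from the Linux driver: it implements the GF(2^128) multiplication of GHASH (AES-GCM's authenticator) following NIST SP 800-38D, Algorithm 1, with the bit ordering GCM uses, and then uses it to combine one 128-bit sample from each of two sources. The source samples are stand-ins (`os.urandom` and fixed constants) rather than output from a CPU instruction or hardware RNG; the helper names `gf128_mul`, `mix_sources` and `avalanche` are this example's own. The known-answer check is GCM test case 2 (zero key, zero plaintext, 96-bit zero IV), which exercises the multiplication end to end.

```python
"""Mixing two 128-bit samples with the GF(2^128) multiplication of GHASH.

Added example; not from the original post or from the Linux random driver.
Field arithmetic per NIST SP 800-38D, Algorithm 1: the leftmost bit of the
block is the coefficient of x^0, and the reduction polynomial is
x^128 + x^7 + x^2 + x + 1.
"""
import os

# R = 11100001 || 0^120 from SP 800-38D, i.e. x^7 + x^2 + x + 1 in GCM's
# bit-reflected representation.
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements held as 128-bit ints in GCM bit order.

    Bit 127 of the int is GCM's x_0 (leftmost bit of the block), so the
    field element "1" is 0x80 << 120, not the integer 1.
    """
    z = 0
    v = y
    for i in range(128):
        # x_i is the coefficient of x^i in X, stored at int bit 127 - i.
        if (x >> (127 - i)) & 1:
            z ^= v
        # v <- v * x: shift toward higher degree (rightward in the block)
        # and reduce if the x^127 coefficient (rightmost bit) was set.
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def mix_sources(sample_a: bytes, sample_b: bytes) -> bytes:
    """Combine one 16-byte sample from each source into 16 bytes of seed.

    With a single source, the two samples are simply consecutive outputs.
    """
    if len(sample_a) != 16 or len(sample_b) != 16:
        raise ValueError("each sample must be exactly 128 bits")
    a = int.from_bytes(sample_a, "big")
    b = int.from_bytes(sample_b, "big")
    return gf128_mul(a, b).to_bytes(16, "big")


def avalanche(a: int, b: int) -> float:
    """Average number of output bits that change when one bit of a flips.

    Flipping bit i of a changes the product by x^i * b, so for any nonzero
    b every single-bit change in a moves roughly half the output bits.
    """
    base = gf128_mul(a, b)
    total = 0
    for i in range(128):
        total += bin(base ^ gf128_mul(a ^ (1 << i), b)).count("1")
    return total / 128


def ghash_known_answer() -> bool:
    """Check gf128_mul against GCM test case 2 (McGrew & Viega).

    H = E_K(0^128) for K = 0^128, C is the single ciphertext block, and the
    length block is 64-bit len(A) = 0 || 64-bit len(C) = 128.
    """
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    c = 0x0388DACE60B6A392F328C2B971B2FE78
    length_block = 0x80
    ghash = gf128_mul(gf128_mul(c, h) ^ length_block, h)
    return ghash == 0xF38CBB1AD69223DCC3457AE5B6B0F885


if __name__ == "__main__":
    assert ghash_known_answer()
    # Constructed stand-in for two independent hardware sources.
    seed = mix_sources(os.urandom(16), os.urandom(16))
    print("seed:", seed.hex())
    a = 0x0388DACE60B6A392F328C2B971B2FE78
    b = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    print("avalanche for a fixed pair:", avalanche(a, b))
    # A source stuck at all-zero annihilates the other one's contribution.
    print("stuck source:", mix_sources(bytes(16), os.urandom(16)).hex())
```

Two things the run makes visible. Multiplication is commutative and the identity element is `0x80 << 120`, so a source emitting that constant passes the other sample through unchanged, and a source emitting all zeros turns the seed into all zeros; that is the concrete shape of the "neither source is downright horrible" condition. The avalanche figure for the fixed pair lands near 64 of 128 bits, which is what "every output bit depends on every input bit" looks like numerically for this mixer.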

