Actually they should "just use getrandom." Reasons: 1) urandom doesn't block if it's not initialized (that can happen on embedded devices after boot) and getrandom does that only then and never again. 2) it provides resilience against file descriptor exhaustion attacks.
Documented in: https://lwn.net/Articles/605828/