On Tue, Jul 05, 2022 at 09:01:21PM +0200, Jason A. Donenfeld wrote: > Later the thinking evolved. With a properly designed RNG, using RDRAND > values alone won't harm anything, even if the outputs are malicious. I personally think it's totally fine to remove nordrand. However, the reason why it was there was that there were some rather extreme tin-foil-hatters who believed that if (the completely unavailable to the public for auditing) RDRAND implementation *were* malicious *and* the microcode had access to the register file and/or the instruction pipeline, then in theory, a malicious CPU could subvert how the RDRAND is mixed into the getrandom output to force a particular output. Personally, I've always considered it to be insane, since a much easier way to compromise a CPU would be to drop a Minix system hidden into the CPU running a web server that had massive security bugs in it that were only discovered years later. And if you don't trust the CPU manufacture to that extent, you should probably simply not use CPU's from that manufacturer. :-) - Ted
