Why might RDRAND not be safe to use when the rest of the system is?
In Linux, the RDRAND instruction is used, but taken with a grain of salt, in that it is used as only one of several sources of entropy for a CSPRNG. It is used in this way over concerns that the instruction can be backdoored by the NSA.
One of my teammates criticizes this, and argues that if the RDRAND instruction is compromised, then the entire system is compromised and cannot be used for secure communications. Therefore, if you do trust that the system can be used for secure communications, you can trust RDRAND and just use it by itself.
Is this correct, or is there something I'm missing? What situations exist in which you would want to be suspicious of RDRAND but place faith in the CPU's other general use instructions?
(Note that this concerns a bare-metal project, in which OS-level random syscalls are not available, and we can reasonably assume that the RDRAND instruction exists. Part of the goal is to have the binary and codebase be as small as possible, so being able to just use RDRAND would save us from including a CSPRNG in the source code, and the instruction uses fewer bytes than a subroutine call would.)
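An added illustration, not taken from the question or from the kernel source, of why a hardware source is hashed into a pool together with the other sources rather than used alone or XORed onto the pool's output: a modelled hardware RNG that can observe the rest of the pool can steer an XOR combiner to any chosen output, but not a hash combiner. All functions are constructed for this example, and `os.urandom` stands in for both the honest source and the pool's other inputs.

```python
import hashlib
import os

# Stand-in for the other entropy the pool already holds (interrupt timings,
# device events, ...). Constructed for this example with os.urandom.
def other_sources(n: int = 32) -> bytes:
    return os.urandom(n)

# Stand-in for an honest hardware RNG: independent, unpredictable bytes.
def honest_rdrand(n: int = 32) -> bytes:
    return os.urandom(n)

# Model of a backdoored hardware RNG that can see the rest of the pool.
# It emits exactly the bytes that make an XOR combiner output `target`.
def backdoored_rdrand(pool: bytes, target: bytes) -> bytes:
    return bytes(p ^ t for p, t in zip(pool, target))

# Weak design: XOR the hardware output onto the pool output. A source that
# knows `pool` cancels it out completely.
def xor_combine(pool: bytes, hw: bytes) -> bytes:
    return bytes(p ^ h for p, h in zip(pool, hw))

# Sound design: hash the hardware output together with the pool. Knowing
# `pool` and choosing `hw` does not let the source pick the digest; the most
# it can do is search over its own candidate outputs, never cancel the others.
def hash_combine(pool: bytes, hw: bytes) -> bytes:
    return hashlib.sha256(pool + hw).digest()

def steering_succeeds(target: bytes) -> dict:
    """For each design, report whether a backdoored source that sees the pool
    can force the final random output to equal `target`."""
    pool = other_sources(len(target))
    hw = backdoored_rdrand(pool, target)
    return {
        # Used alone there is nothing to hide behind: the output is the source.
        "rdrand_alone": backdoored_rdrand(bytes(len(target)), target) == target,
        "xor_combine": xor_combine(pool, hw) == target,
        "hash_combine": hash_combine(pool, hw) == target,
    }

if __name__ == "__main__":
    print(steering_succeeds(b"\x42" * 32))
    # Honest case: the hash combiner still yields a 32-byte output.
    print(hash_combine(other_sources(), honest_rdrand()).hex())
```

The defence only exists if some other independent source is actually fed into the hash; on bare metal with no interrupt timings or device noise to mix in, hashing RDRAND's output alone adds no independence from the instruction itself.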