| From: Christopher Browne via talk <talk@gtalug.org>

| This sure seems to point at rdrand being a scary feature to consider using.

I put the blame squarely on AMD. They've botched rdrand a couple of times.

It's not really our job to wonder if instructions aren't implemented correctly. Imagine if FDIV didn't work? Whose problem would that be?

| I imagine that it would be better to access /dev/urandom or /dev/random,
| and have those facilities mix rdrand in somewhat, if possible.

In this case, not really. Read the comments in the code (not the commit):

<https://github.com/systemd/systemd/blob/master/src/basic/random-util.c>

rdrand is suspect for another reason. We have no way of knowing if rdrand has hidden structure. Such a compromise would amount to a backdoor into most crypto. But systemd folks say that their application of the output of rdrand doesn't need strong random numbers.