
> question and XOR the output of RDRAND with the randomness from the other entropy sources before returning it.

How is that easy? No, predicting or detecting that the returned value of your assembly instruction will later be XORed with some other value, in all its machine code variants that different versions of gcc will produce, is not easy.

It is theoretically possible if you have access to the CPU design and can modify it, but even then it is very non-trivial, if even doable in the general case.

There are several free CPUs around you can instantiate on an FPGA and boot Linux on - if someone makes a proof-of-concept rdrand() on one of these that can detect the future bit operations on the value (even when it's moved to another register or to/from main memory) and cancel out that bit operation - then I'll believe it's possible.

Until then, I'm more (more compared to not at all is still very little) worried that:

* the chip (whose part number google knows nothing about) in my DSL modem has a backdoor and is able to mirror all its traffic

* that the baseband chip in my HTC has the same ability - in addition to the known ability of being able to report its GPS location without informing me

* that the NSA probably still can read my gmail mail

* that my raspberry pi SoC can contain an unknown component that dumps its memory out the ethernet card

* that the latest iPhone perhaps complies nicely with the 3GPP TS 33.108 spec.
Did you read the article? They explained why an implementation of RDRAND as "XOR together the contents of all registers and return it" would result in removing nearly all of the entropy in the state vector. And they proposed a simple solution: modify the code so that the hardware entropy is mixed in earlier in the process (in which case it WOULD require the prodigious feats you are talking about).
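As an added illustration of the two extraction orders the reply contrasts (not code from this thread, the article, or the kernel): a toy Python model in which `rdrand` is a callback standing in for the hardware instruction, and the `visible` argument is an assumption that models hardware which can see the value it is about to be XORed with. The `echoing_rdrand` hardware is a thought-experiment construct, not a description of any real CPU.

```python
import hashlib
import os


def extract_xor_last(pool: bytes, rdrand) -> bytes:
    """Weak order: hash the pool first, then XOR the hardware value into the
    finished output as the very last step (the construction the reply warns about)."""
    out = hashlib.sha256(pool).digest()
    hw = rdrand(out)            # hardware model gets to see what it will be XORed with
    return bytes(a ^ b for a, b in zip(out, hw))


def extract_mix_early(pool: bytes, rdrand) -> bytes:
    """Hardened order: feed the hardware value into the pool *before* hashing, so the
    output is a hash over both inputs and neither contribution can cancel the other."""
    hw = rdrand(None)           # nothing to observe yet: the hash has not run
    return hashlib.sha256(pool + hw).digest()


def honest_rdrand(_visible):
    """Well-behaved hardware: fresh random bytes regardless of context."""
    return os.urandom(32)


def echoing_rdrand(visible):
    """Thought-experiment model (an assumption, not any real CPU): hardware that
    returns the very value it is about to be XORed with, so the XOR collapses to zero."""
    return visible if visible is not None else os.urandom(32)


def entropy_survives(extract, rdrand, trials: int = 8) -> bool:
    """Crude check: distinct random pools must give distinct, non-zero outputs."""
    outs = {extract(os.urandom(64), rdrand) for _ in range(trials)}
    return len(outs) == trials and bytes(32) not in outs


if __name__ == "__main__":
    print("xor-last  + honest  :", entropy_survives(extract_xor_last, honest_rdrand))
    print("xor-last  + echoing :", entropy_survives(extract_xor_last, echoing_rdrand))
    print("mix-early + echoing :", entropy_survives(extract_mix_early, echoing_rdrand))
```

With the mix-early order the hardware value is one input among several to a one-way hash, so even a constant or chosen hardware output leaves the result dependent on the rest of the pool.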
