
I don't see any problem with an INTEL on-cpu-die random number generator based on Johnson noise. What level of concern would someone have to have to NOT trust that?

If it's even remotely an issue there are dedicated hardware sources in various form-factors like PCIE or USB. They're pricey but at least you can vet what you're getting if that matters so much.

Are there any real-world accounts of people getting pwned because of a bad pseudo rng?




A thermal noise-generator is fine from a physics perspective. I think that people maybe can't verify what's actually on the die.

How much do we trust what we're told about the circuit? Does its interface talk to that noise-source all the time? Or is there a cutaway inside that maybe jumps to a seeded PRNG in response to a special memory-write? Would you know if it did?

I'm not saying that RDRAND is backdoored. I've got no reason to assume that it is. But it would also be very hard to prove that it -isn't-. If I were doing something where I actually cared about the quality of my entropy, I might not want to just take Intel at their word.
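An added illustration of the second commenter's point, not code from the thread: a deterministic HMAC-SHA256 stream from a fixed seed passes the FIPS 140-1 monobit check just as well as genuine randomness, so testing the output alone cannot tell a noise source from a seeded PRNG; the usual defensive answer is to hash the hardware output together with an independent source so the result stays unpredictable if at least one input is. `os.urandom` stands in for that second source and all function names are my own.

```python
import hashlib
import hmac
import os


def seeded_stream(seed: bytes, nbytes: int) -> bytes:
    """Deterministic HMAC-SHA256 counter-mode stream. Stands in for the
    hypothetical 'quietly switched to a seeded PRNG' path: anyone holding
    the seed can reproduce every byte, yet the output looks random."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def fips_monobit_pass(block: bytes) -> bool:
    """FIPS 140-1 monobit test on a 20000-bit block: pass if the number of
    one bits lies strictly between 9725 and 10275."""
    assert len(block) == 2500, "monobit test expects exactly 20000 bits"
    ones = sum(bin(b).count("1") for b in block)
    return 9725 < ones < 10275


def mix_sources(*sources: bytes) -> bytes:
    """Length-prefixed hash of every source. If any one input is unknown to
    an attacker, the digest is unpredictable even if the others are rigged."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big") + s)
    return h.digest()


def demo() -> dict:
    """Constructed comparison: a fixed-seed stream and a genuine source both
    pass the statistical check, and mixing hides the rigged one."""
    rigged = seeded_stream(b"constructed-fixed-seed", 2500)   # attacker knows this
    genuine = os.urandom(2500)                                 # independent source
    return {
        "rigged_passes_monobit": fips_monobit_pass(rigged),
        "genuine_passes_monobit": fips_monobit_pass(genuine),
        "rigged_is_reproducible": rigged == seeded_stream(b"constructed-fixed-seed", 2500),
        "mixed_key": mix_sources(rigged[:32], genuine[:32]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```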



