Funnily enough, the kernel does trust RDRAND (for fetching a single-integer "random enough" value[1]). That's why WireGuard had a DoS bug on those chips until they patched around it to use the proper CSPRNG after a few failed attempts.

[1]: https://elixir.bootlin.com/linux/v5.4.5/source/drivers/char/...