Intel's RdRand Instruction

Intel announced in 2011 that its next generation of computer chips, Ivy Bridge, will have a new instruction, RdRand, which will quickly generate random numbers right on the processor chip. Are these random numbers suitable for use in various cryptographic protocols? As usual, the devil is in the details. From what I've been able to glean from various Intel publications, the output of RdRand is generated in several phases.

1. A Hardware Entropy Source (ES) generates random bits using a specially designed circuit.
2. The Online Health Tests (OHT) or entropy validation module determines whether the ES is functioning properly and rejects ES samples which don't meet certain (undocumented) criteria.
3. The Conditioner takes pairs of 256-bit entropy samples which have passed the OHTs and reduces them to a single 256-bit conditioned entropy sample using AES-CBC-MAC.
4. A deterministic random bit generator (DRBG) is periodically reseeded from the Conditioner. It deterministically generates up to 511 128-bit samples from one 256-bit conditioned sample using the CTR_DRBG pseudo-random generator and AES.
5. Each 128-bit DRBG sample is split into two 64-bit samples for the RdRand instruction.

Many cryptographic protocols are defined using a random bit string as input. The output of RdRand is not actually random: a single 256-bit input from the Conditioner will deterministically generate as many as 511 128-bit samples using the CTR_DRBG algorithm. We don't know exactly how many 64-bit RdRand outputs will be generated by one 256-bit sample output by the Conditioner, but Intel guarantees that it will be at most 2*511=1022. We should be careful when using two 64-bit samples from two different 128-bit blocks generated by a single reseeding of the DRBG because they will not be completely independent. But if we select at most one out of every 1022 sequential 64-bit samples generated by RdRand, the selected samples will be from different Conditioner outputs.
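The one-in-1022 selection described above can be written as follows. This is an added example, not code from the original post or from Intel; the names stride_select, draw, counter_source and RETRIES are hypothetical, and the inline assembly assumes GCC or Clang on x86-64.

```c
#include <stddef.h>
#include <stdint.h>
#define STRIDE  1022 /* 2*511: the page's bound on 64-bit outputs per reseed */
#define RETRIES 10   /* assumption: retry budget for a draw that reports failure */

/* A source stores one 64-bit sample and returns 1, or returns 0 on failure. */
typedef int (*source_fn)(void *ctx, uint64_t *out);

/* Real source: RDRAND sets the carry flag only when it delivered a value. */
static int rdrand_source(void *ctx, uint64_t *out) {
    (void)ctx;
#if defined(__x86_64__) && defined(__GNUC__)
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
#else
    (void)out; return 0; /* no RDRAND on this target: always report failure */
#endif
}

/* Constructed stand-in source: emits 0, 1, 2, ... so the stride is visible. */
static int counter_source(void *ctx, uint64_t *out) {
    uint64_t *next = ctx;
    *out = (*next)++;
    return 1;
}

/* One successful draw, or 0 if the source fails RETRIES times in a row. */
static int draw(source_fn src, void *ctx, uint64_t *out) {
    for (int i = 0; i < RETRIES; i++)
        if (src(ctx, out)) return 1;
    return 0;
}

/* Keep one sample, discard the next STRIDE-1, repeat. Returns the count stored. */
static size_t stride_select(source_fn src, void *ctx, uint64_t *out, size_t n) {
    uint64_t skip;
    for (size_t k = 0; k < n; k++) {
        if (!draw(src, ctx, &out[k])) return k;
        for (int i = 1; i < STRIDE; i++)
            if (!draw(src, ctx, &skip)) return k + 1;
    }
    return n;
}

int main(void) { /* exit status 0 when four spaced RDRAND samples were drawn */
    uint64_t v[4];
    return stride_select(rdrand_source, NULL, v, 4) == 4 ? 0 : 1;
}
```

A return value smaller than the requested count means the source kept failing, and the caller should treat that as an error rather than use a partly filled buffer.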

The Online Health Tests (OHTs) may also affect the randomness of the RdRand output. If I understand the documentation, there's a 65,536-bit sliding window which is used for the OHT. What happens when an entropy sample fails the OHT? I haven't been able to find a complete description of the OHT so I don't really know.

was prepared by Cryptography Research, Inc. (CRI) under contract from Intel.
Intel provided CRI with detailed documentation on the RNG, as well as access to its principal developers. The paper describes the system architecture and a theoretical analysis of the entropy source. CRI did not have access to Ivy Bridge parts, but Intel provided them with testing data from pre-production chips which they analyzed.

In July 2012, Intel announced a new instruction RDSEED which is intended to be used for cryptography purposes: see The Difference Between RDRAND and RDSEED. RDSEED is intended to be compliant with NIST SP 800-90B (draft): Recommendation for the Entropy Sources Used for Random Bit Generation and NIST SP 800-90C (draft): Recommendation for Random Bit Generator (RBG) Constructions.