A potential solution should be a part of sdwdate (or a separate component if you think it has multiple use cases).
ntpd does clock jump detection:
Problems we need to workaround so it becomes possible:
- On KVM Whonix at least, the hardware timer information is not updated in WS because kvm-clock and others are disabled.
- Use of a guest agent to pass that kind of information from the host is not an option because its unsafe.
- Fetching and comparing remote data with the perceived time in the WS poses scalability, performance and bootstrapping problems if the guest time is way off.
- The information about the current time is available to code in the GW where kvm-clock is available (via hwclock).
- Create a systemd service that runs constantly and queries the hwclock on GW. If the drift between system time and hwclock exceeds a threshold it would trigger syncing locally on the GW and send a simple packet pattern to the Whonix internal network.
- knockd server  constantly monitors the internal network would trigger the iptables lockdown if it sees the magic knock sequence. Note that no ports needs to be open on WS.