A potential solution should be a part of sdwdate (or a separate component if you think it has multiple use cases).
ntpd does clock jump detection:
Problems we need to workaround so it becomes possible:
* On KVM Whonix at least, the hardware timer information is not updated in WS because kvm-clock and others are disabled.
* Use of a guest agent to pass that kind of information from the host is not an option because its unsafe.
* Fetching and comparing remote data with the perceived time in the WS poses scalability, performance and bootstrapping problems if the guest time is way off.
* The information about the current time is available to code in the GW where kvm-clock is available (via hwclock).
* Create a systemd service that runs constantly and queries the hwclock on GW. If it exceeds a threshold it would trigger syncing locally on the GW and send a simple packet pattern to the Whonix internal network.
* * knockd server  constantly monitors the internal network would trigger the iptables lockdown if it sees the magic knock sequence. Note that no ports needs to be open on WS.