Make guard nodes stable across reboot

Tor uses entry guards [1] to make some deanonymization attacks harder. We currently don’t have this in Tails, because it would allow location tracking of Tails users by observing which guard nodes are used, which would be a severe regression and render the MAC randomization feature useless.

See [2] for thoughts on the location tracking problem and an attempt to find a compromise between protecting against location tracking and deanonymization attacks.

[1] https://www.torproject.org/docs/faq#EntryGuards
[2] https://tails.boum.org/blueprint/persistent_Tor_state/

Blueprint: https://tails.boum.org/blueprint/persistent_Tor_state/

Parent Task: #5462

Related issues

Related to #11884

Original created by @segfault on 11732 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information