There are a couple changes to the schematic worth pointing out.

One is that a second self-biased inverter stage has been added. In breadboard testing, one stage wasn't enough, but a third inverter didn't do anything helpful, so the design is going to go with two inverters. The test circuit produced a chaotic square wave with a variable frequency in the hundreds of kHz. Orthrus will sample this once every millisecond to refill the entropy pool for key generation. One difficulty there is that the entropy pool is only designed (at the moment) to be 32 bytes, meaning that there will really only be 256 bits of entropy. But in the final result, there's only 128 bits of key and 160 bits of nonce, or a total of 336 bits. That means that you could attempt to brute-force those 256 bits instead of the final 336 bits, but that also means you'd have to either go through the entire key generation to get one keyset to try, or you'd have to find a weakness to exploit in the key generation process (which is tantamount to finding a weakness in AES).

The second change in the schematic is that the RNG pin has been moved from PB0 to PD0. This is because PB0 is the !SS pin, which is part of the SPI system. Unfortunately, it's a part that we must somehow either kill or ignore. In slave mode, !SS enables the SPI receiver and so on. In master mode, if !SS is an output, it does nothing at all (other than just being an output). If it's an input, however, it is effectively a sort of transfer abort signal which, unfortunately, can't be turned off. We could use PB0 as one of the !CS lines for one of the cards, but I've decided to just make in NC. In initialization, it will be set as an output and that will keep it from causing trouble.