"The issue is "Trusting Trust",
I have suggested that if you really wanted to do this you'd have to start with a processor IS of your own design (built of parts too simple to hide a processor in), hand assemble an open source assembler, then have built the tool (open source) tool chain from there.
Which just sounds exhausting
Because it is. :-(
Doing a security, anti virus or encryption company properly starts with where it's legally based, since it's clear that many governments no longer seem to accept that strong AV/Security/Encryption benefits the 99.75%* of the population much more than the 0.0025% of potential terrorists.
*MI5 stated a few years ago they had 1500 potential terrorist suspects they were watching, in a country of 60 million people IE 0.0025%. It's unknown how many (if any) did attempt to commit a terrorist act.