A couple of tweaks -

<section id="entropy-starvation">
<!-- stretch to buster -->
- <title>daemons fail to start or system appears to hang during boot</title>
+ <title>Daemons fail to start or system appears to hang during boot</title>

Other titles with initial lowercase are doing it because the first
word is a literal string.

<para>
Due to <systemitem role="package">systemd</systemitem> needing entropy
during boot and the kernel treating such calls as blocking when available
entropy is low, the system may hang for minutes to hours until the
randomness subsystem is sufficiently initialized (<literal>random: crng
init done</literal>). For <literal>amd64</literal> systems supporting the
- <literal>RDRAND</literal> instruction this issue is mediated by the
+ <literal>RDRAND</literal> instruction this issue is avoided by the
Debian kernel using this instruction by default
(<literal>CONFIG_RANDOM_TRUST_CPU</literal>).
</para>

I think the word this was going for was "remediated" (i.e. "cured")
rather than "mediated" (i.e. "indirectly caused"), but it's probably
best to use something simpler.

<para>
- Non-<literal>amd64</literal> systems and some type of virtual machines
+ Non-<literal>amd64</literal> systems and some types of virtual machines
need to provide a different source of entropy to continue fast booting.
<systemitem role="package">haveged</systemitem> has been chosen for this
within the Debian Installer project and may be a valid option if hardware

Multiple types of VMs (or if it's just one unidentified type, that's
"some type of virtual machine").

@@ -324,7 +324,7 @@ $ sudo update-initramfs -u
<para>
The simple MTA <systemitem role="package">ssmtp</systemitem>
has been dropped for &releasename;. This is due to it currently
- not validating TLS certs, see <ulink url="&url-bts;662960">bug
+ not validating TLS certs; see <ulink url="&url-bts;662960">bug
#662960</ulink>.
</para>
</listitem>

A piece of punctuation-pedantry I noticed in another section.