Sun Jan 21 11:26:44 EST 2018

Trusted code, an exercise

I will need to run some applications that are considered critical.  An
example is a thermostat.

The separation primitives for these will be host-based: I no longer
trust same-host privilige separation after the spectre madness, and it
seems that accepting this now and dealing with it at a design level is
the only sane solution.  This means:

- Sensor, controller, actuator all run on dedicated hosts (network or
  usb connected).

- Communication is packet switched with broadcast option

- Communication is encrypted + authenticated (E+A)

  It is assumed the medium is not trusted, but the end-point hardware
  is (i.e. key storage is considered safe).  Physical access
  compromise is considered to be an independent problem.

- Attack surface is untrusted physical network.  None of these hosts
  will "pull" information from non-trusted internet systems.  All
  input comes from trusted nodes, e.g. hardware terminals, and is E+A.

- Debug access is through SSH, extending the attack surface to 

To do this on a small microcontroller requires a bit of effort.  I
cannot point straight at reusable code.  So maybe for the time being,
roll my own, then replace it with something better later.