babb / tools for the frontier
build 2026.06.19 · --:--:-- UTC · rss
mascot mascot
babb.
Media | Tools | Technology
babb/ products/ outstack
System · 09 / 12Security + Power Bedrock

Outstack.

Security by physics, not by policy. An Alpine Linux derivative that unifies security and power management as expressions of resource control. A component that cannot be power-gated is a component that cannot be isolated during a security incident.

Outstack · statusRESEARCH
BaseAlpine Linux derivative · no fork
Targetsx86_64 · aarch64 · armv7 · RISC-V
Poweroutstack-powerd · five operating modes
CompanionTelux →
Overview article → Telux
§ 01Four tenetsdefault deny · isolation · verifiable · graceful
01

Default deny.

Nothing runs, nothing has power, nothing has access unless explicitly granted. The default state is off. Every capability must be earned.

nothing by default
02

Hierarchical isolation.

CPU, memory, network, and power form independent containment boundaries. Compromise one and the others hold. Physical power isolation cannot be bypassed by software.

CPU · memory · network · power
03

Verifiable state.

At any moment, the system can attest exactly what is running and what is consuming power. Power state is included in attestation reports. No hidden processes.

attestation · power-aware
04

Execution gating.

At exec() time, Outstack checks whether the current power mode permits the new process. In EMERGENCY mode, only CRITICAL-class processes execute. A scheduling primitive, not a firewall rule.

exec-time checks · 5 power modes
05

Power anomaly = security alert.

Unexpected power draw from a subsystem may indicate compromise. A compromised peripheral can be physically power-killed — not just software-disabled. Physics, not policy.

power monitoring · hardware kill
06

Aerospace heritage.

Outstack’s power model was inspired by RTG-powered spacecraft, where every milliwatt must be accounted across the mission lifetime. The same discipline for industrial tools, field devices, and eventually actual spacecraft.

RTG discipline · mission-grade
§ 02Architecturekernel · security layers · power modes

Security layers (boot to runtime)

BootTPM/eFuse root of trust · dm-verity kernel
Runtimedm-verity root · IMA/EVM · encrypted /var
MACAppArmor + Landlock self-sandboxing
Networknftables default-deny · WireGuard only
KernelKSPP hardened · no devmem/kexec

Five power modes

FULLExternal power / >80% · unrestricted
NORMAL60–80% · normal operation
CONSERVE20–60% · background limited
CRITICAL5–20% · critical tasks only
EMERGENCY<5% · survival mode
§ 03Where to find it

Outstack is in the design phase.

Alpine Linux derivative. Documented architecture. The companion project is Telux.

Overview article → · Telux → · Telux article →