short term base firmware:
- custom OpenWRT build with LXC support, eglibc

long term base kernel/firmware:
- hardened OpenWRT (uclibc?) or minimalist hardened debian
- < 128MB kernel+rootfs
- NanoBSD-style dual partition upgrade procedure
- read-only rootfs
- fixed size writable /var and /etc
- possibly a small overlayfs
- automatic fetching and application of signed security updates
- bundle helpful services, but do not enable them by default

guest os userspace:
- debian 7 (wheezy)
- with as many security build flags enabled as possible
- manage with blueprint?