"My other question is: what's the security implications of cpu?  You
get to do processes on the remote box, but then they also get to have
filesystem access on yours."

If you don't entirely trust the cpu server, you *should* export a name
space from your terminal, limit the processes on the cpu server to just
that name space, be careful what's in that space, including how you've
set permissions, and which user is doing the export. That way, your
terminal (which is under your control, allowing for SMI, BIOS, UEFI,
bugs ...) acts as the reference monitor to your files. It's also easy
to make a 9P filter that ensures read-only access on an arbitrary 9P
connection, so that even if permissions are wrong, permanent damage is
prevented. It's just a few dozen lines, much of that boilerplate. I say
"terminal" above, but it applies to any device or your own servers that
connect to the untrusted server.

Ordinarily, the cpu server has access to files and devices at
/mnt/term, but you control that access at the terminal. On the cpu
server itself, however, for the cpu server to access your files
directly from the file server, when you first mount /srv/boot to form
the root of a name space on the cpu server, you normally give the
server implicit permission to speak for you to the file server in all
subsequent transactions from that mount point, because it is
multiplexing the requests of many users on that same connection, and
you trust that it won't (say) deviously or carelessly allow another
user's process to access a fid that you've Tauth'd and Tattach'd,
giving full access as you to all your files, perhaps long after you've
disconnected.
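
A sketch of the read-only 9P filter idea mentioned in the message above, added here as an example; it is not the poster's code and not from Plan 9. It assumes plain 9P2000 and that the caller has already split the byte stream into whole messages; the class and function names are made up for illustration.

```python
import struct

# 9P2000 message type numbers and open-mode bits, as defined by the protocol.
RERROR, TOPEN, TCLUNK, RCLUNK, TREMOVE = 107, 112, 120, 121, 122
# Tversion, Tauth, Tattach, Tflush, Twalk, Tread, Tclunk, Tstat: never modify files.
PASS = {100, 102, 104, 108, 110, 116, 120, 124}
OREAD, OEXEC, OTRUNC, ORCLOSE = 0, 3, 0x10, 0x40

def rerror(tag, ename="read-only connection"):
    """Build an Rerror message: size[4] type[1] tag[2] ename[s]."""
    e = ename.encode()
    body = struct.pack("<BHH", RERROR, tag, len(e)) + e
    return struct.pack("<I", len(body) + 4) + body

class ReadOnlyFilter:
    """Sits between a 9P client and server; each call handles one whole message."""

    def __init__(self):
        self.denied_removes = set()  # tags of Tremoves forwarded as Tclunks

    def from_client(self, msg):
        """Return (forward_to_server, reply_to_client); exactly one is None."""
        size, mtype, tag = struct.unpack_from("<IBH", msg)
        if size != len(msg) or (mtype == TOPEN and size < 12):
            raise ValueError("bad 9P framing")
        if mtype in PASS:
            return msg, None
        if mtype == TOPEN:
            mode = msg[11]  # follows size[4] type[1] tag[2] fid[4]
            if (mode & 3) in (OREAD, OEXEC) and not mode & (OTRUNC | ORCLOSE):
                return msg, None
        if mtype == TREMOVE:
            # Tremove clunks the fid even when it fails, so the client will
            # forget it; forward a Tclunk so the server frees the fid as well.
            self.denied_removes.add(tag)
            return msg[:4] + bytes([TCLUNK]) + msg[5:], None
        # Default deny: Tcreate, Twrite, Twstat, bad opens, unknown types.
        return None, rerror(tag)

    def from_server(self, msg):
        """Turn the Rclunk that answers a converted Tremove into an Rerror."""
        _, mtype, tag = struct.unpack_from("<IBH", msg)
        if tag in self.denied_removes:
            self.denied_removes.discard(tag)
            if mtype == RCLUNK:
                return rerror(tag)
        return msg
```

The filter is default-deny, so message types added by protocol dialects it does not know are refused rather than passed through.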
