Pour moi, les éléments techniques éprouvé depuis plus de 20 ans sur les TI-68k, que je connais bien, et les TI-Z80, que je connais moins mais qui utilisent les mêmes concepts, sont une excellente base. Décrivons-les en anglais:
(not talking about how stupid exam makers ruin the fun and damage students' usefulness in the real world), there could be a near-1:1 adaptation of TI-Z80 / TI-68k concepts to NumWorks calculators with exam mode:
- the core firmware is signed by NumWorks, and validated by official boot code (itself dealt with by SoC manufacturer boot code) by chunks or after all blocks of said firmware have been written to Flash. TI calculators do the latter. Official apps are part of this firmware, and when exam mode is enabled, functionality is restricted however the exam regulators dictate;
- if NumWorks wants to make official addons not part of the main firmware, signed with an official key, stored in Flash memory, and possibly restricted / disabled with exam mode is enabled - so be it. TI made a number of those.
- select FlashApps signed by NumWorks could remain permanently
present in Flash memory, even in exam mode, but be functionally entirely
hidden when exam mode is enabled. There's precedent of hiding FlashApps on the TI-68k series, though it was made by third parties and for startup performance / memory consumption reasons: ExtendeD's FlapHide.
- unsigned stuff (~ TI-68k / TI-Z80 assembly programs) would obviously not be taken into account in exam mode either, so it doesn't even need to remain in RAM, it might as well be relegated to another area of the Flash memory (on the TI-Z80 and TI-68k series, "archive memory", which have real, if simple, reasonably general-purpose filesystems).
TI's certificate scheme supports key IDs: the "freeware" signing/validation key pairs were e.g. 0101 (92+), 0103 (89), 0108 (V200), 0109 (89T), 0104 (83+) and 010A (84+), though I'm not aware of FlashApps signed only for the V200 or 89T. As such, distinguishing official signed apps, community signed apps, and even user-specific FlashApps (after installation of a calculator-specific developer certificate - TI had that over two decades ago) is trivial: just write the key ID in the FlashApp's metadata, and upon reboot, parse said metadata, and act upon it.
On the TI-Z80 and TI-68k series, both official FlashApps and third-party FlashApps which are not user-specific use the "freeware" keys, but technically, that doesn't have to be the case.
The TI-eZ80 series, which is the closest competitor to the (current) NumWorks calculator series, does no longer have (normal) community FlashApps, but TI keeps using the signing infrastructure for the base OS and official FlashApps. Assembly programs were originally a fully supported feature, which TI removed later, but of course, the functionality can be restored by exploits for ACE (/ RCE, certainly) vulnerabilities.
Frankly, during exam mode, the difference between
content is tiny, but it would do wonders for usability by end users, and making a secure implementation of parsing code for simple app metadata shouldn't be too hard...
Of course, there's always the problem of stupid exam regulators and proctors not wanting to enable the stupid exam mode, and this can't be solved through technical means...
BTW: TI-68k FlashApps integrate with the base OS's cooperative multi-tasking which has support for startup phases. There may be some clues to take from this infrastructure as well.