I wrote https://www.github.com/ioerror/tlsdate for systems where we wished to have relatively accurate (~1sec) clocks and as a simple trade off, we receive authenticated time. I suggest that rather than using ntp, you use tlsdate and use it over Tor. This should reduce the direct attack surface as it is written in a privilege separated manner. It will rarely touch the local network in an unprotected manner.
I wrote https://www.github.com/ioerror/tlsdate for systems where we wished to have relatively accurate (~1sec) clocks and as a simple trade off, we receive authenticated time. I suggest that rather than using ntp, you use tlsdate and use it over Tor. This should reduce the direct attack surface as it is written in a privilege separated manner. It will rarely touch the local network in an unprotected manner.