docs(naming): adopt OS / Enhanced product-line framing + align with existing repos
Two product lines, named to make scope obvious to buyers:
- 🔒 SilverMetal OS — we ship the operating system or ROM (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs (Windows, macOS, iOS, generic Android)

Repo alignment:
- SilverVPN already exists as a SilverLABS product (server + MAUI client + Linux client + tunnel service). stack/vpn/ is now an integration pointer rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it. Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split. Platform matrix re-sectioned and decision flowchart updated. README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -2,8 +2,17 @@
|
||||
|
||||
The honest per-platform capability and pros/cons table. This is what a buyer sees on each product page so they can choose based on their actual constraint.
|
||||
|
||||
## The two product lines
|
||||
|
||||
| Line | What it means | When you'd buy it |
|
||||
|---|---|---|
|
||||
| **🔒 SilverMetal OS** | We ship the OS or ROM | You're choosing a device with privacy as a priority, or you're willing to replace your existing OS |
|
||||
| **🛡️ SilverMetal Enhanced** | We harden the OS your device already runs | You can't or don't want to replace your OS — corporate device, iPhone, or you're staying on Windows |
|
||||
|
||||
## Hardening tiers
|
||||
|
||||
Independent of product line, each platform has a tier reflecting how deep our hardening can physically reach:
|
||||
|
||||
| Tier | What it means |
|
||||
|---|---|
|
||||
| **A — Fully controllable** | We own the kernel, boot chain, MAC framework, and update infrastructure |
|
||||
@@ -13,20 +22,27 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
|
||||
## Capability summary
|
||||
|
||||
| Platform | Tier | Deliverable | Stack support |
|
||||
### SilverMetal OS (we ship the OS/ROM)
|
||||
|
||||
| Platform | Tier | Deliverable | Stack |
|
||||
|---|---|---|---|
|
||||
| SilverMetal Linux | A | Custom Debian/Kicksecure-based ISO | Full, native |
|
||||
| SilverMetal Droid (Pixel) | B | GrapheneOS-fork ROM | Full, native |
|
||||
| SilverMetal Droid (Samsung) | C | LineageOS-fork ROM where bootloader unlocks; profile + Stack elsewhere | Full where ROM, Stack-only otherwise |
|
||||
| SilverMetal Droid (Motorola) | C | DivestOS/LineageOS-fork ROM on supported models | Full where supported |
|
||||
| SilverMetal Droid (generic) | D | "Harden any Android" — Stack + work-profile config | Stack + config only |
|
||||
| SilverMetal Windows | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) |
|
||||
| SilverMetal macOS | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) |
|
||||
| SilverMetal iOS | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) |
|
||||
| **OS — Linux** | A | Custom Debian/Kicksecure-based ISO | Full, native |
|
||||
| **OS — Pixel** | B | GrapheneOS-fork ROM | Full, native |
|
||||
| **OS — Samsung** | C | LineageOS-fork ROM (unlocked-bootloader models) | Full, native |
|
||||
| **OS — Motorola** | C | DivestOS/LineageOS-fork ROM (supported models) | Full, native |
|
||||
|
||||
### SilverMetal Enhanced (we harden the OS in place)
|
||||
|
||||
| Platform | Tier | Deliverable | Stack |
|
||||
|---|---|---|---|
|
||||
| **Enhanced — Windows** | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) |
|
||||
| **Enhanced — macOS** | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) |
|
||||
| **Enhanced — iOS** | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) |
|
||||
| **Enhanced — Android** | D | "Harden your existing Android" — Stack + work-profile config | Stack + config only |
|
||||
|
||||
## Per-platform pros / cons
|
||||
|
||||
### SilverMetal Linux (Tier A)
|
||||
### 🔒 SilverMetal OS — Linux (Tier A)
|
||||
**Reference setup. The strongest possible SilverMetal device.**
|
||||
|
||||
**Pros**
|
||||
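Review bot: The Enhanced Windows row lists "LTSC IoT installer + hardening + Stack" as its deliverable, which reads as installing a Windows edition rather than hardening the one already on the machine, while this file defines Enhanced as "We harden the OS your device already runs" and titles this table "we harden the OS in place". Either state in the row that the package applies to an existing install (and what the LTSC IoT installer is for), or reword the Enhanced definition so that a reinstall is in scope. A buyer with a corporate Windows device needs to know which one it is.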
@@ -44,11 +60,11 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
- Some games, particularly anti-cheat-protected titles, will not run
|
||||
- Hardware compatibility needs checking before purchase (Coreboot SKUs are best-supported)
|
||||
|
||||
**Best for**: users whose work is browser + email + office docs + dev + comms; anyone who would otherwise install Linux themselves; the maximum-privacy buyer.
|
||||
**Best for**: maximum-privacy buyer; anyone whose work is browser + email + office docs + dev + comms.
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal Droid — Pixel flagship (Tier B)
|
||||
### 🔒 SilverMetal OS — Pixel (Tier B)
|
||||
**The secure-phone flagship. GrapheneOS-tier engineering.**
|
||||
|
||||
**Pros**
|
||||
@@ -64,30 +80,29 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
- Some banking apps and corporate apps refuse to run on non-Play-Integrity devices (workaround: sandboxed Play, but breaks the airtight model)
|
||||
- Not all carriers support all Pixel models cleanly
|
||||
|
||||
**Best for**: the "secure phone" buyer, journalists, activists, anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering.
|
||||
**Best for**: the "secure phone" buyer; journalists, activists; anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering.
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal Droid — Samsung (Tier C)
|
||||
**For users on Samsung hardware. Variable depending on model and region.**
|
||||
### 🔒 SilverMetal OS — Samsung (Tier C)
|
||||
**For users on Samsung hardware with unlockable bootloader.**
|
||||
|
||||
**Pros**
|
||||
- Wide hardware availability and price range
|
||||
- LineageOS / DivestOS fork for unlocked-bootloader regions gives most of the benefit
|
||||
- Knox security layer is genuinely capable on locked models
|
||||
- Full SilverLABS Stack supported either way
|
||||
- LineageOS / DivestOS fork on unlocked-bootloader regions delivers most of the benefit
|
||||
- Knox security layer is genuinely capable (when bootloader is unlocked, Knox is tripped — accept this trade)
|
||||
|
||||
**Cons**
|
||||
- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; we cannot replace the OS
|
||||
- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; SilverMetal OS — Samsung is not available on those (use Enhanced — Android instead)
|
||||
- Even on unlocked bootloader, we lose verified boot rooting back to our key
|
||||
- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) may stop working
|
||||
- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) stop working
|
||||
|
||||
**Best for**: existing Samsung owners; buyers wanting a non-Pixel Android with strong-enough hardening.
|
||||
**Best for**: Samsung owners who want real ROM-level hardening and accept the Knox trade-off.
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal Droid — Motorola (Tier C)
|
||||
**For users on Motorola hardware. Best Android option after Pixel for unlocked-bootloader hardening.**
|
||||
### 🔒 SilverMetal OS — Motorola (Tier C)
|
||||
**For users on Motorola hardware. Best ROM option after Pixel for unlocked-bootloader hardening.**
|
||||
|
||||
**Pros**
|
||||
- Many Moto models support bootloader unlock cleanly
|
||||
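Review bot: In the Samsung Pros list, the rewritten bullet that starts "Knox security layer is genuinely capable" no longer describes a benefit of this product. The section is now scoped to models with an unlockable bootloader, so by the bullet's own parenthetical Knox is tripped on every device it covers, and the Cons list already says the tripped flag is permanent and that Samsung Pay and Knox-protected work apps stop working. Suggest dropping the bullet here and, if the Knox point is worth keeping, moving it to the Enhanced Android section, where locked Samsung models are now directed. The wording also alternates between "unlocked-bootloader regions" and "unlocked-bootloader models"; pick one.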
@@ -104,26 +119,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal Droid — Generic / "harden my existing Android" (Tier D)
|
||||
**For users who already own an Android and won't / can't replace the ROM.**
|
||||
|
||||
**Pros**
|
||||
- Works on virtually any Android 13+ device
|
||||
- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.)
|
||||
- Work-profile-based isolation contains tracking apps in a managed sandbox
|
||||
- No bootloader unlock required; no warranty void
|
||||
|
||||
**Cons**
|
||||
- We do not control the OS — Google + your OEM still do
|
||||
- Verified boot is your OEM's, not ours
|
||||
- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap
|
||||
- Honest tier label: D, weakest Android tier
|
||||
|
||||
**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader.
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal Windows (Tier C)
|
||||
### 🛡️ SilverMetal Enhanced — Windows (Tier C)
|
||||
**For users locked into Windows-only software.**
|
||||
|
||||
**Pros**
|
||||
@@ -145,7 +141,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal macOS (Tier C-D)
|
||||
### 🛡️ SilverMetal Enhanced — macOS (Tier C-D)
|
||||
**For Mac-committed users.**
|
||||
|
||||
**Pros**
|
||||
@@ -166,7 +162,7 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
|
||||
---
|
||||
|
||||
### SilverMetal iOS (Tier D)
|
||||
### 🛡️ SilverMetal Enhanced — iOS (Tier D)
|
||||
**For iPhone users.**
|
||||
|
||||
**Pros**
|
||||
@@ -182,27 +178,46 @@ The honest per-platform capability and pros/cons table. This is what a buyer see
|
||||
- Configuration profile + MDM applies; cannot modify iOS itself
|
||||
- Honest tier label: D, weakest tier in the family — *we say this in marketing*
|
||||
|
||||
**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone for personal/work reasons.
|
||||
**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone.
|
||||
|
||||
---
|
||||
|
||||
### 🛡️ SilverMetal Enhanced — Android (Tier D)
|
||||
**For users who already own an Android (any vendor) and won't / can't replace the ROM.**
|
||||
|
||||
**Pros**
|
||||
- Works on virtually any Android 13+ device — Samsung locked-bootloader models, OEMs we don't have ROMs for, hand-me-down phones
|
||||
- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.)
|
||||
- Work-profile-based isolation contains tracking apps in a managed sandbox
|
||||
- No bootloader unlock required; no warranty void
|
||||
|
||||
**Cons**
|
||||
- We do not control the OS — Google + your OEM still do
|
||||
- Verified boot is your OEM's, not ours
|
||||
- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap
|
||||
- Honest tier label: D, weakest Android tier — *we say this in marketing*
|
||||
|
||||
**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader.
|
||||
|
||||
## Decision flowchart
|
||||
|
||||
```
|
||||
Does the user need maximum privacy and is software-flexible?
|
||||
→ SilverMetal Linux
|
||||
Are you choosing a new device, or hardening one you already own?
|
||||
|
||||
Does the user need a phone, primarily?
|
||||
→ Pixel? → SilverMetal Droid Flagship
|
||||
→ Samsung/Motorola with unlocked bootloader? → matching ROM tier
|
||||
→ iPhone or locked Android? → corresponding profile tier
|
||||
CHOOSING NEW
|
||||
Need maximum privacy and software-flexible? → 🔒 SilverMetal OS — Linux
|
||||
Need a phone, primarily?
|
||||
Pixel ok? → 🔒 SilverMetal OS — Pixel
|
||||
Samsung (unlocked bootloader region)? → 🔒 SilverMetal OS — Samsung
|
||||
Motorola (supported model)? → 🔒 SilverMetal OS — Motorola
|
||||
Want iPhone? → 🛡️ SilverMetal Enhanced — iOS
|
||||
|
||||
Does the user need Windows-only software?
|
||||
→ SilverMetal Windows
|
||||
|
||||
Is the user Mac-committed?
|
||||
→ SilverMetal macOS
|
||||
|
||||
Does the user already own a device they're keeping?
|
||||
→ The corresponding "profile" or "harden existing" tier
|
||||
ALREADY OWN A DEVICE
|
||||
Windows machine you keep? → 🛡️ SilverMetal Enhanced — Windows
|
||||
Mac you keep? → 🛡️ SilverMetal Enhanced — macOS
|
||||
iPhone you keep? → 🛡️ SilverMetal Enhanced — iOS
|
||||
Android you keep (any model)? → 🛡️ SilverMetal Enhanced — Android
|
||||
Linux laptop you'd convert? → 🔒 SilverMetal OS — Linux (re-install)
|
||||
```
|
||||
|
||||
We do not push users between tiers. We tell them what each can deliver and let them choose.
|
||||
|
||||
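Review bot: The CHOOSING NEW branch of the flowchart has no exit for a buyer who needs Windows-only software or is Mac-committed. The questions that covered them ("Does the user need Windows-only software?", "Is the user Mac-committed?") are replaced by entries that appear only under ALREADY OWN A DEVICE. A buyer choosing a Samsung model without an unlockable bootloader also has no line leading to the Enhanced Android package. Suggest adding those cases under CHOOSING NEW, or a final catch-all line there that points to the matching Enhanced package.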
@@ -2,6 +2,8 @@
|
||||
|
||||
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
|
||||
|
||||
The two product lines (**SilverMetal OS** and **SilverMetal Enhanced**) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only.
|
||||
|
||||
## Phase 0 — Foundation (current)
|
||||
|
||||
**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
|
||||
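Review bot: The added sentence "They diverge in delivery format only" understates the difference between the two lines. Elsewhere in this commit the OS line is given "verified boot rooted in our key" (milestone 2.1) while the Enhanced Android section states "Verified boot is your OEM's, not ours", which is a difference in security guarantees, not in format. Suggest wording along the lines of "They diverge in delivery format and in how deep the hardening reaches; see the platform matrix for tiers."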
@@ -11,14 +13,15 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
|
||||
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
|
||||
| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
|
||||
| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
|
||||
| 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined |
|
||||
|
||||
**Status**: in progress (this commit completes 0.1–0.3).
|
||||
**Status**: complete.
|
||||
|
||||
---
|
||||
|
||||
## Phase 1 — SilverMetal Linux v1 (the MVP)
|
||||
## Phase 1 — SilverMetal OS — Linux v1 (the MVP)
|
||||
|
||||
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms.
|
||||
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours.
|
||||
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
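Review bot: The status line changes from "in progress (this commit completes 0.1–0.3)" to "complete" in the same commit that adds milestone 0.4, but the definition of done for 0.2 is docs "complete and reviewed" and nothing in this change records that review. Since the roadmap says a milestone is not left until it is met, suggest keeping "in progress" until the review has happened, or linking the review record next to the status. The switch from "other platforms" to "other flavours" also introduces a term the docs do not define alongside product line, platform and tier.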
@@ -28,7 +31,7 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
|
||||
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
|
||||
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
|
||||
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
|
||||
| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works |
|
||||
| 1.7 | SilverVPN integrated into image | Existing `SilverLABS/SilverVPN` Linux client + tunnel service preinstalled, always-on default; kill-switch verified |
|
||||
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
|
||||
| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
|
||||
| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
|
||||
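Review bot: The new 1.7 row preinstalls the existing `SilverLABS/SilverVPN` Linux client and tunnel service without naming a version, tag or commit, while 1.10 in the same table commits to an SBOM, a build attestation and reproducible-build instructions. Suggest adding a pinning requirement to the done-when column, for example "pinned to a tagged release and recorded in the SBOM". The row also drops "account-number signup flow works" from the previous criteria; if signup is now owned by the SilverVPN repo, say so, otherwise keep it as a gate. "Kill-switch verified" would also benefit from a stated test, in the way 1.4 states its tcpdump check.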
@@ -45,64 +48,74 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
|
||||
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding |
|
||||
| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
|
||||
| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
|
||||
| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
|
||||
| 1.1.1 | SilverChat v1 — alignment review | Decide whether to pull `SilverVPN.Client.Chat` in, fork it, or scope SilverChat as a separate effort. Outcome documented in `docs/decisions/` |
|
||||
| 1.1.2 | SilverChat v1 client + homeserver | Cross-platform clients functional; account-number onboarding |
|
||||
| 1.1.3 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
|
||||
| 1.1.4 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
|
||||
| 1.1.5 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
|
||||
|
||||
---
|
||||
|
||||
## Phase 2 — SilverMetal Droid
|
||||
## Phase 2 — SilverMetal OS — Droid (Pixel + Samsung + Motorola)
|
||||
|
||||
**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile).
|
||||
**Goal**: ship the three ROM-level Android tiers.
|
||||
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
|
||||
| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
|
||||
| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
|
||||
| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ |
|
||||
| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) |
|
||||
| 2.1 | OS — Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
|
||||
| 2.2 | OS — Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
|
||||
| 2.3 | OS — Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
|
||||
| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped |
|
||||
| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped |
|
||||
|
||||
---
|
||||
|
||||
## Phase 3 — SilverMetal Windows
|
||||
## Phase 3 — SilverMetal Enhanced (the four hardening packages)
|
||||
|
||||
**Goal**: ship the Windows hardening installer for users locked into Windows.
|
||||
**Goal**: ship Enhanced packages for Windows, macOS, iOS, and generic Android.
|
||||
|
||||
The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other.
|
||||
|
||||
### 3W — Enhanced — Windows
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired |
|
||||
| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
|
||||
| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert |
|
||||
| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
|
||||
| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) |
|
||||
| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) |
|
||||
|
||||
---
|
||||
|
||||
## Phase 4 — Apple platforms (macOS + iOS profiles)
|
||||
|
||||
**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms.
|
||||
| 3W.1 | LTSC IoT base licensed and acquired | License path documented |
|
||||
| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
|
||||
| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated |
|
||||
| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
|
||||
| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) |
|
||||
| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimum-feasible Microsoft contact, documented |
|
||||
|
||||
### 3M — Enhanced — macOS
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
|
||||
| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) |
|
||||
| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert |
|
||||
| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) |
|
||||
| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) |
|
||||
| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles |
|
||||
| 3M.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
|
||||
| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening |
|
||||
| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed |
|
||||
|
||||
### 3I — Enhanced — iOS (supersedes SilverApple)
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 3I.1 | Migrate / fold any usable assets from `SilverLABS/SilverApple` | Inventory of SilverApple done; reusable parts moved into `ios/`; SilverApple repo archived |
|
||||
| 3I.2 | iOS MDM profile | Signed `.mobileconfig` for personal MDM or Apple Configurator |
|
||||
| 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints — fall back if needed) |
|
||||
| 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles |
|
||||
|
||||
### 3A — Enhanced — Android (generic)
|
||||
| # | Milestone | Done when |
|
||||
|---|---|---|
|
||||
| 3A.1 | Generic Android profile installer | "Harden my Android" — Stack apps + work-profile hardening config |
|
||||
| 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for |
|
||||
|
||||
---
|
||||
|
||||
## Phase 5 — Hardening / immutability / Tor sibling
|
||||
## Phase 4 — Hardening / immutability / Tor sibling
|
||||
|
||||
**Goal**: post-MVP improvements; not blocking earlier phases.
|
||||
|
||||
- Atomic / immutable Linux variant (ostree)
|
||||
- dm-verity-protected `/`
|
||||
- Tor-by-default sibling product (SilverMetal Onion or similar)
|
||||
- Tor-by-default sibling product
|
||||
- ARM64 / Apple Silicon Linux variant
|
||||
- Coreboot tooling improvements / additional reference hardware
|
||||
|
||||
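Review bot: Milestone 3W.6 weakens the Windows telemetry gate: "minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains)" becomes "minimum-feasible Microsoft contact, documented", which drops the commitment to publish the remaining endpoints and leaves a criterion that cannot fail. Suggest restoring the parenthetical and making the gate measurable, for example a published list of the endpoints still contacted, with any contact outside that list failing the test. Separately, the renumbering reuses ids with new meanings (1.1.1 through 1.1.4, and Phase 4), so earlier references to them now point at different work, and 3M.3 shortens "signed with our Apple Developer cert" to "signed", which no longer says whose key is used.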
@@ -110,15 +123,13 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
|
||||
|
||||
## Cross-cutting workstreams (always-on)
|
||||
|
||||
These run in parallel with phases:
|
||||
|
||||
- **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories
|
||||
- **External audits** — annual or per-major-release third-party security review
|
||||
- **Security advisories** — vulnerability response process from Phase 1.10 onward
|
||||
- **External audits** — annual or per-major-release third-party review
|
||||
- **Documentation** — every phase's gate includes documentation update
|
||||
- **Community / support** — issue tracker, support channels, response SLOs
|
||||
|
||||
## Phase entry/exit philosophy
|
||||
|
||||
- We do not start a phase until the previous one's exit criteria are met
|
||||
- We *can* run cross-cutting workstreams in parallel
|
||||
- Cross-cutting workstreams run in parallel
|
||||
- A failing verification gate blocks the phase, full stop — no shipping with known regressions
|
||||
|
||||
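Review bot: In the cross-cutting workstreams list, the Security advisories bullet loses "signed advisories" and the External audits bullet changes "third-party security review" to "third-party review". Both look like shortening, but they remove the only statements in this list that advisories are authenticated and that the audit is a security audit. Suggest keeping the original wording of both bullets.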