commit 7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3 Author: SysAdmin Date: Sat Apr 25 03:11:48 2026 +0100 chore(scaffold): initial SilverMetal program scaffold Cross-platform privacy-hardening program. Two-layer product: - SilverLABS Application Stack (cross-platform spine) - Platform Hardening Profiles (per-OS, tier-honest) Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic), Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has both a preflashed hardware SKU path and a self-apply "harden your existing device" path. Includes umbrella docs (README + threat-model, design-principles, platform-matrix, roadmap, trust-model), per-platform and per-stack- component README stubs, .gitignore, LICENSE. Linux v1 ships first; Stack v1 = Browser + VPN + Sync. Co-Authored-By: Claude Opus 4.7 (1M context) diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3a6602c --- /dev/null +++ b/.gitignore @@ -0,0 +1,67 @@ +# Build outputs +build/output/ +build/cache/ +*.iso +*.img +*.deb +*.rpm +*.exe +*.msi +*.dmg +*.pkg +*.apk +*.aab +*.ipa + +# Secrets / keys (real keys never live in this repo) +*.key +*.pem +*.p12 +*.pfx +*.gpg +secring.* +*-private* +*.kbx +trustdb.gpg + +# OS / editor cruft +.DS_Store +Thumbs.db +*~ +.idea/ +.vscode/ +*.swp +*.swo + +# Local config overrides +*.local +.env +.env.* +!.env.example + +# Toolchain caches +node_modules/ +__pycache__/ +*.pyc +.cache/ +.npm/ +target/ +obj/ +bin/ +dist/ +out/ + +# Live-build / debootstrap intermediates +chroot/ +binary/ +*.log +.build/ +config/local-* + +# Test artifacts +tests/output/ +*.cov +coverage/ + +# SBOM intermediates (final SBOMs are committed; intermediates are not) +sbom/work/ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..10a119f --- /dev/null +++ b/LICENSE @@ -0,0 +1,25 @@ +SilverMetal — Cross-Platform Privacy Hardening Program +Copyright (c) 2026 SilverLABS + +This repository is a meta-project that integrates and configures multiple +upstream open-source components, each carrying its own license. Components +under this repository inherit the licenses of their upstream projects: + + - linux/ — see component subdirectories; primarily GPLv2/v3 (Debian / Kicksecure) + - android/ — primarily Apache 2.0 (AOSP / GrapheneOS / LineageOS) and GPLv2 (kernel) + - windows/ — installer scripts and configurations: see SPDX headers + - macos/ — configuration profiles and scripts: see SPDX headers + - ios/ — configuration profiles: see SPDX headers + - stack/ — see component subdirectories; primarily AGPLv3 / MPL 2.0 / Apache 2.0 + +Original SilverLABS-authored code in this repository (documentation, +configuration overlays, build scripts, and integration glue) not derived +from upstream components is licensed under the GNU Affero General Public +License v3 (AGPL-3.0-or-later) unless an SPDX header in a specific file +states otherwise. + +The full text of AGPL-3.0-or-later is available at: +https://www.gnu.org/licenses/agpl-3.0.txt + +For per-component license details, see the README.md or LICENSE file in +each subdirectory. diff --git a/README.md b/README.md new file mode 100644 index 0000000..3f2a89e --- /dev/null +++ b/README.md @@ -0,0 +1,74 @@ +# SilverMetal + +> **Privacy-hardened devices for users who want their privacy back — on whatever platform they have.** + +SilverMetal is SilverLABS' cross-platform privacy-hardening program. We don't believe in "one true OS" — we believe in meeting users on the platform they actually use, and giving them the strongest hardening that platform physically allows. Honestly labelled, no marketing fluff. + +## What you get + +Every SilverMetal device — whether you bought one preflashed or you're hardening your own — ships two layers: + +1. **The SilverLABS Stack** — a suite of cross-platform privacy apps that replace the cloud services your device normally talks to (Google, Apple, Microsoft): + - **SilverBrowser** — de-Googled, telemetry-free, fingerprint-resistant + - **SilverVPN** — always-on, no-logs, our own infrastructure + - **SilverSync** — private replacement for iCloud / Google Drive / OneDrive + - **SilverChat** — end-to-end encrypted messenger *(v1.1)* + - **SilverDuress** — duress password / panic-wipe *(v1.1)* + - **SilverKeys** — zero-knowledge password manager *(v1.1)* + +2. **A Platform Hardening Profile** — OS-level changes tailored to what your platform allows: + - On **Linux** we ship a full custom OS + - On **Android** we ship a custom ROM (or a profile, depending on your device) + - On **Windows** we ship an installer that transforms LTSC IoT into a hardened build + - On **macOS** and **iOS** we ship signed configuration profiles + setup scripts + +## Two ways to get SilverMetal + +### "I'm choosing a new device" +Buy a **preflashed SilverMetal SKU** — a Pixel with SilverMetal Droid, a Coreboot laptop with SilverMetal Linux, etc. We've done all the work; it arrives ready. + +### "I already own a device and want to harden it" +Download the **free SilverLABS Stack** + the **hardening profile / installer / ROM** for your existing platform. Apply it yourself. Same software, same hardening, no hardware lock-in. + +Every platform supports both modes. Nothing is premium-only; nothing is DIY-only. + +## Platform matrix + +| Platform | Hardening tier | What ships | Best for | +|---|---|---|---| +| **SilverMetal Linux** | A — full control | Custom Debian/Kicksecure-based ISO | Maximum privacy; users whose work is browser/office/dev/comms | +| **SilverMetal Droid (Pixel)** | B — verified boot ours | GrapheneOS-based ROM | "Secure phone" buyers, journalists, high-risk users | +| **SilverMetal Droid (Samsung / Motorola)** | C — varies | LineageOS/DivestOS-based ROM where supported, profile + stack elsewhere | Users with existing non-Pixel Android | +| **SilverMetal Droid (generic)** | D — app + profile only | Stack install + work-profile hardening | "I have an Android, harden it" | +| **SilverMetal Windows** | C — config layer | LTSC IoT installer + Stack + Group Policy hardening | Users locked into Windows-only software | +| **SilverMetal macOS** | C-D — config + Stack | Signed config profile + setup script + Stack | Mac-committed users | +| **SilverMetal iOS** | D — profile + curated apps | MDM profile + Stack from App Store | iPhone users wanting maximum-feasible hardening | + +For honest pros/cons of each, see [`docs/platform-matrix.md`](docs/platform-matrix.md). + +## Status + +| Component | Status | +|---|---| +| Documentation + roadmap | **In progress** (this scaffold) | +| SilverMetal Linux v1 | Planning → milestone 2 (build pipeline) | +| SilverLABS Stack v1 (Browser + VPN + Sync) | Planning | +| Other platforms | Planning, post-Linux v1 | + +See [`docs/roadmap.md`](docs/roadmap.md) for the milestone-driven plan. + +## Documentation + +- [`docs/threat-model.md`](docs/threat-model.md) — who we defend against, who we don't +- [`docs/design-principles.md`](docs/design-principles.md) — privacy-by-default, verifiability, honesty +- [`docs/platform-matrix.md`](docs/platform-matrix.md) — what each platform can and cannot deliver +- [`docs/roadmap.md`](docs/roadmap.md) — milestones, ship order, scope +- [`docs/trust-model.md`](docs/trust-model.md) — signing keys, reproducible builds, governance + +## License + +Components carry their own licenses (most are GPL/MIT/Apache-derived from upstream forks). See individual directories. + +## SilverLABS + +SilverMetal is built by [SilverLABS](https://silverlabs.uk) — privacy-first infrastructure and applications. diff --git a/android/README.md b/android/README.md new file mode 100644 index 0000000..419e511 --- /dev/null +++ b/android/README.md @@ -0,0 +1,45 @@ +# SilverMetal Droid + +**Status**: Phase 2 (planning, post-Linux v1) + +Android coverage across four tiers. See [`../docs/platform-matrix.md`](../docs/platform-matrix.md) for honest per-tier pros/cons. + +## Tiers + +### SilverMetal Droid Flagship — Pixel (Tier B) +GrapheneOS-fork on Pixel hardware. Verified boot we control, hardened kernel, app sandboxing enforced. Full SilverLABS Stack preinstalled. + +### SilverMetal Droid Galaxy — Samsung (Tier C) +LineageOS / DivestOS-fork on Samsung models with unlockable bootloaders. Stack overlay on locked-bootloader models. + +### SilverMetal Droid Moto — Motorola (Tier C) +DivestOS / LineageOS-fork on supported Motorola models. Stack overlay everywhere. + +### SilverMetal Droid Profile — generic (Tier D) +"Harden my existing Android" — full SilverLABS Stack + work-profile-based hardening config. Runs on any Android 13+ without bootloader changes. + +## Directory layout + +To be populated in Phase 2. Initial structure planned: + +``` +android/ +├── flagship/ # Pixel / GrapheneOS-fork build config +├── galaxy/ # Samsung ROM build configs +├── moto/ # Motorola ROM build configs +├── profile/ # Generic profile installer + work-profile config +└── shared/ # Common build infra, signing, OTA +``` + +## Verification gates (per-tier) + +- ROM tiers: verified boot rooted in our key (Pixel only); reproducible builds; OTA signed and rollback-tested +- Profile tier: Stack apps installed and functional; work-profile isolation verified +- All tiers: telemetry-leak test (no Google services contact unless explicitly opted in by user) + +## Upstream we depend on + +- **GrapheneOS** — Pixel flagship base +- **LineageOS** — Samsung / Motorola base +- **DivestOS** — additional hardening patches +- **AOSP** — root upstream diff --git a/docs/design-principles.md b/docs/design-principles.md new file mode 100644 index 0000000..3c47113 --- /dev/null +++ b/docs/design-principles.md @@ -0,0 +1,98 @@ +# Design Principles + +The non-negotiables behind every SilverMetal decision. When something is unclear, return to this list. + +## 1. Privacy by default, not as an option + +Every SilverMetal device ships with maximum privacy settings *out of the box*. The user does not have to know what to turn off. The advanced toggles allow loosening for specific needs; the defaults are tight. + +## 2. Honesty over marketing + +We never claim a hardening tier we cannot deliver. The Windows profile is labelled "config-layer hardening." The iOS profile is labelled "profile-layer only — weakest tier in the family." Where competitors claim "uncrackable," we describe the actual threat model and limitations. + +If we cannot defend against a class of adversary, we say so. See [`threat-model.md`](threat-model.md). + +## 3. Two buyer modes, every platform + +Every platform must serve both: +- The buyer choosing a new device — we sell a preflashed SilverMetal SKU +- The buyer hardening an existing device — we ship a free self-apply track (installer / ROM / profile + Stack) + +No platform is premium-only. No platform is DIY-only. + +## 4. Verifiable, not just open + +Open source is necessary but not sufficient. Every SilverMetal release ships with: +- **Reproducible builds** — two clean builds of the same commit produce identical artefacts +- **Signed releases** — our key, key ceremony documented, key offline +- **SBOM published** — every dependency, every version +- **Build attestation** — signed proof the published artefact came from the published source + +A user who doesn't trust us can verify what we ship. + +## 5. Minimum data architecture + +SilverLABS itself collects the minimum data required to operate. Specifically: + +- **Account numbers, not emails** — Mullvad-style anonymous identifiers +- **No analytics, no telemetry** — including in our own apps +- **No log retention** beyond what's operationally required (typically <24h, never longer than necessary for abuse mitigation) +- **Client-side encryption** for SilverSync content — server cannot read user data +- **Payment isolation** — payments processed via SilverDotPay (cryptocurrency option) or stripe-like processor with no link back to account number + +When a subpoena lands on us, the answer to most questions is "we don't have it." + +## 6. Self-hostable where it matters + +The SilverLABS Stack server components (SilverSync, SilverChat homeserver, SilverVPN nodes) are open-source and self-hostable. A user who doesn't trust SilverLABS infrastructure can run their own. The hosted offering is the convenient default, not the only option. + +## 7. The Stack is the spine, not the OS + +Most privacy value lives in *what apps you use*, not *what kernel you run*. The SilverLABS Application Stack (Browser, VPN, Sync, Chat, Duress, Keys) ships across every platform. OS-level hardening is the delivery vehicle; the Stack is the durable product. + +## 8. No telemetry, ever, in our own code + +SilverLABS does not add analytics, crash reporters that phone home, or "anonymous usage statistics" to anything we ship. Bug reports are user-initiated and explicit. This is non-negotiable for our brand. + +## 9. Sane interoperability + +We don't reinvent protocols where good ones exist: +- WireGuard for VPN, not a proprietary tunnel +- Matrix or Signal Protocol for messaging, not a proprietary protocol +- CardDAV / CalDAV / WebDAV for sync, not a proprietary API +- Standard formats (OpenPGP, age) for encryption + +A user who outgrows SilverLABS can take their data and protocols with them. + +## 10. Conservative cryptography + +- Argon2id for password hashing (KDF parameters tuned per-platform) +- AES-256-GCM or ChaCha20-Poly1305 for symmetric +- X25519 / Ed25519 for asymmetric +- TLS 1.3 minimum for transport +- Post-quantum readiness tracked but not yet defaulted (revisit when standards mature) + +We don't roll our own. + +## 11. Distrust the network + +Every SilverLABS app assumes the network is hostile: +- Encrypted DNS (DoT/DoH) by default +- Certificate pinning where deployable +- No plaintext fallbacks +- Kill-switch behaviour: if VPN drops, traffic stops, never leaks + +## 12. Distrust the platform + +Our Stack apps treat the host OS as semi-trusted, even when we ship the OS: +- Client-side encryption before disk write +- Memory hygiene (zero secrets after use, hardened_malloc where available) +- No reliance on platform keychains for our most sensitive secrets + +## 13. Update or die + +Unpatched software is the single largest privacy/security risk in practice. Every SilverMetal flavour must have working, signed, automatic updates with rollback. A SilverMetal device that cannot update is a SilverMetal device that has reached end-of-life. + +## 14. Boring is good + +We use proven components (Debian, GrapheneOS, WireGuard, Nextcloud, Matrix, Bitwarden) and add value at the integration and configuration layer. We are not a research project; we are a product. Novel cryptography, novel protocols, novel kernels are out of scope. diff --git a/docs/platform-matrix.md b/docs/platform-matrix.md new file mode 100644 index 0000000..2559a0f --- /dev/null +++ b/docs/platform-matrix.md @@ -0,0 +1,208 @@ +# Platform Matrix + +The honest per-platform capability and pros/cons table. This is what a buyer sees on each product page so they can choose based on their actual constraint. + +## Hardening tiers + +| Tier | What it means | +|---|---| +| **A — Fully controllable** | We own the kernel, boot chain, MAC framework, and update infrastructure | +| **B — Firmware-controllable** | We replace the OS stack but not every firmware blob | +| **C — Config-controllable** | Proprietary kernel; we harden at config + app layer | +| **D — Policy-controllable** | Closed platform; we ship profiles + curated apps + setup only | + +## Capability summary + +| Platform | Tier | Deliverable | Stack support | +|---|---|---|---| +| SilverMetal Linux | A | Custom Debian/Kicksecure-based ISO | Full, native | +| SilverMetal Droid (Pixel) | B | GrapheneOS-fork ROM | Full, native | +| SilverMetal Droid (Samsung) | C | LineageOS-fork ROM where bootloader unlocks; profile + Stack elsewhere | Full where ROM, Stack-only otherwise | +| SilverMetal Droid (Motorola) | C | DivestOS/LineageOS-fork ROM on supported models | Full where supported | +| SilverMetal Droid (generic) | D | "Harden any Android" — Stack + work-profile config | Stack + config only | +| SilverMetal Windows | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) | +| SilverMetal macOS | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) | +| SilverMetal iOS | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) | + +## Per-platform pros / cons + +### SilverMetal Linux (Tier A) +**Reference setup. The strongest possible SilverMetal device.** + +**Pros** +- Full kernel-level hardening (KSPP, linux-hardened, hardened_malloc) +- Verified boot we control end-to-end (Secure Boot with our shim/MOK, TPM2 PCR-bound LUKS2) +- AppArmor strict profiles for every networked surface +- Reproducible builds; we publish SBOMs and build attestations +- Zero upstream telemetry — every Microsoft/Google/Mozilla/Canonical phone-home removed +- Full SilverLABS Stack runs natively +- Update channel and signing keys are ours + +**Cons** +- Learning curve for users coming from Windows/Mac +- Some commercial software does not run natively (Adobe CC, MS Office native — though web/Office365 work, native MS Office does not) +- Some games, particularly anti-cheat-protected titles, will not run +- Hardware compatibility needs checking before purchase (Coreboot SKUs are best-supported) + +**Best for**: users whose work is browser + email + office docs + dev + comms; anyone who would otherwise install Linux themselves; the maximum-privacy buyer. + +--- + +### SilverMetal Droid — Pixel flagship (Tier B) +**The secure-phone flagship. GrapheneOS-tier engineering.** + +**Pros** +- Verified boot we control via Pixel's relockable bootloader +- Hardened Android kernel (GrapheneOS patches) +- App-level sandbox enforced; sandboxed Google Play *optional*, not required +- Per-app network/sensor/storage permissions +- Duress wipe (v1.1) +- Daily-driveable as a phone + +**Cons** +- Pixel hardware only (4a 5G and newer — others EOL) +- Some banking apps and corporate apps refuse to run on non-Play-Integrity devices (workaround: sandboxed Play, but breaks the airtight model) +- Not all carriers support all Pixel models cleanly + +**Best for**: the "secure phone" buyer, journalists, activists, anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering. + +--- + +### SilverMetal Droid — Samsung (Tier C) +**For users on Samsung hardware. Variable depending on model and region.** + +**Pros** +- Wide hardware availability and price range +- LineageOS / DivestOS fork for unlocked-bootloader regions gives most of the benefit +- Knox security layer is genuinely capable on locked models +- Full SilverLABS Stack supported either way + +**Cons** +- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; we cannot replace the OS +- Even on unlocked bootloader, we lose verified boot rooting back to our key +- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) may stop working + +**Best for**: existing Samsung owners; buyers wanting a non-Pixel Android with strong-enough hardening. + +--- + +### SilverMetal Droid — Motorola (Tier C) +**For users on Motorola hardware. Best Android option after Pixel for unlocked-bootloader hardening.** + +**Pros** +- Many Moto models support bootloader unlock cleanly +- DivestOS / LineageOS support is good for popular models +- More affordable than Pixel +- Full SilverLABS Stack supported + +**Cons** +- Verified boot weaker than Pixel — no relockable bootloader on most models +- Hardware longevity / update support varies by model +- Driver / firmware blob situation messier than Pixel + +**Best for**: budget-conscious buyer wanting custom-ROM-tier hardening without Pixel pricing. + +--- + +### SilverMetal Droid — Generic / "harden my existing Android" (Tier D) +**For users who already own an Android and won't / can't replace the ROM.** + +**Pros** +- Works on virtually any Android 13+ device +- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.) +- Work-profile-based isolation contains tracking apps in a managed sandbox +- No bootloader unlock required; no warranty void + +**Cons** +- We do not control the OS — Google + your OEM still do +- Verified boot is your OEM's, not ours +- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap +- Honest tier label: D, weakest Android tier + +**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader. + +--- + +### SilverMetal Windows (Tier C) +**For users locked into Windows-only software.** + +**Pros** +- Keeps full compatibility with Windows-native software, including Adobe CC, MS Office native, Windows-only line-of-business apps, anti-cheat-protected games +- Removes ~90% of Microsoft telemetry (Group Policy + hosts + service disabling, verified) +- Enforces BitLocker (TPM-bound), Defender ASR rules at maximum, AppLocker allow-listing +- LTSC IoT base = no Cortana, no Store, no Edge baked in, supportable for ~10 years +- Full SilverLABS Stack runs native +- Edge / Chrome replaced with SilverBrowser + +**Cons** +- We do not control the kernel, the boot chain, or Windows Update +- Microsoft can change things in updates we cannot prevent +- Some telemetry channels Microsoft does not expose for disabling +- Honest tier label: C, config-layer only — *we say this in marketing* +- Requires LTSC IoT licensing for the strongest variant; standard Win 11 Pro is supported but weaker + +**Best for**: business users and creatives who can't leave Windows but want every privacy dial turned to maximum. + +--- + +### SilverMetal macOS (Tier C-D) +**For Mac-committed users.** + +**Pros** +- Apple hardware quality is excellent; Secure Enclave + FileVault are genuinely strong when configured +- Lockdown Mode dramatically reduces remote-attack surface +- Apple's app sandboxing is robust at the kernel layer +- Full SilverLABS Stack runs native (universal binaries) +- Safari replaced with SilverBrowser by default +- Telemetry / Siri / analytics all disabled by our profile + +**Cons** +- We cannot modify macOS itself +- Apple still receives device-linked metadata we cannot fully stop (App Store auth, OS update checks, Apple ID) +- iCloud is required for some OS features; we scope it to absolute minimum +- Honest positioning: "hardened Mac," not "anonymous Mac" + +**Best for**: Mac-committed users (creative professionals, developers on Apple Silicon) who want maximum-feasible hardening on hardware they're keeping. + +--- + +### SilverMetal iOS (Tier D) +**For iPhone users.** + +**Pros** +- iOS sandbox + Secure Enclave + Lockdown Mode are genuinely strong against remote attack, in some respects stronger than any other consumer platform +- Full SilverLABS Stack available via App Store (Browser, VPN, Sync, Keys, Chat once approved) +- Hardware-key 2FA (YubiKey/Lightning) supported and recommended in our setup guide +- "Disposable Apple ID" guidance reduces account-graph exposure + +**Cons** +- The most restrictive platform — Apple ID is unavoidable for App Store +- Cannot replace many default services (Mail.app, FaceTime, iMessage) — only complement them +- App-level replacements only via App Store (no sideloading in most regions yet) +- Configuration profile + MDM applies; cannot modify iOS itself +- Honest tier label: D, weakest tier in the family — *we say this in marketing* + +**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone for personal/work reasons. + +## Decision flowchart + +``` +Does the user need maximum privacy and is software-flexible? + → SilverMetal Linux + +Does the user need a phone, primarily? + → Pixel? → SilverMetal Droid Flagship + → Samsung/Motorola with unlocked bootloader? → matching ROM tier + → iPhone or locked Android? → corresponding profile tier + +Does the user need Windows-only software? + → SilverMetal Windows + +Is the user Mac-committed? + → SilverMetal macOS + +Does the user already own a device they're keeping? + → The corresponding "profile" or "harden existing" tier +``` + +We do not push users between tiers. We tell them what each can deliver and let them choose. diff --git a/docs/roadmap.md b/docs/roadmap.md new file mode 100644 index 0000000..d55c5b3 --- /dev/null +++ b/docs/roadmap.md @@ -0,0 +1,124 @@ +# Roadmap + +Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met. + +## Phase 0 — Foundation (current) + +**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code. + +| # | Milestone | Done when | +|---|---|---| +| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place | +| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed | +| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold | + +**Status**: in progress (this commit completes 0.1–0.3). + +--- + +## Phase 1 — SilverMetal Linux v1 (the MVP) + +**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms. + +| # | Milestone | Done when | +|---|---|---| +| 1.1 | Kicksecure fork builds reproducibly | `live-build` produces identical SHA256 across two clean builds | +| 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded | +| 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions | +| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints | +| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase | +| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated | +| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works | +| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content | +| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified | +| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented | +| 1.11 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity | +| 1.12 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated | + +**Exit criteria for Phase 1**: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase. + +--- + +## Phase 1.1 — Stack expansion + +**Goal**: complete the SilverLABS Application Stack so v1.1 ships with the full suite. + +| # | Milestone | Done when | +|---|---|---| +| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding | +| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified | +| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients | +| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful | + +--- + +## Phase 2 — SilverMetal Droid + +**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile). + +| # | Milestone | Done when | +|---|---|---| +| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key | +| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay | +| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay | +| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ | +| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) | + +--- + +## Phase 3 — SilverMetal Windows + +**Goal**: ship the Windows hardening installer for users locked into Windows. + +| # | Milestone | Done when | +|---|---|---| +| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired | +| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts | +| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert | +| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery | +| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) | +| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) | + +--- + +## Phase 4 — Apple platforms (macOS + iOS profiles) + +**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms. + +| # | Milestone | Done when | +|---|---|---| +| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall | +| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) | +| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert | +| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) | +| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) | +| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles | + +--- + +## Phase 5 — Hardening / immutability / Tor sibling + +**Goal**: post-MVP improvements; not blocking earlier phases. + +- Atomic / immutable Linux variant (ostree) +- dm-verity-protected `/` +- Tor-by-default sibling product (SilverMetal Onion or similar) +- ARM64 / Apple Silicon Linux variant +- Coreboot tooling improvements / additional reference hardware + +--- + +## Cross-cutting workstreams (always-on) + +These run in parallel with phases: + +- **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories +- **External audits** — annual or per-major-release third-party security review +- **Documentation** — every phase's gate includes documentation update +- **Community / support** — issue tracker, support channels, response SLOs + +## Phase entry/exit philosophy + +- We do not start a phase until the previous one's exit criteria are met +- We *can* run cross-cutting workstreams in parallel +- A failing verification gate blocks the phase, full stop — no shipping with known regressions diff --git a/docs/threat-model.md b/docs/threat-model.md new file mode 100644 index 0000000..27e39b3 --- /dev/null +++ b/docs/threat-model.md @@ -0,0 +1,67 @@ +# Threat Model + +This document defines what SilverMetal defends against, what it does not, and how those choices flow through the rest of our design. We state this honestly so users can judge whether SilverMetal fits their situation. + +## Who we defend + +The primary user we design for is someone whose threat surface includes **one or more** of: + +- **Pervasive commercial surveillance** — telemetry, advertising graphs, data brokers, behavioural tracking +- **Targeted commercial spyware** — stalkerware, off-the-shelf monitoring tools, opportunistic malware +- **Capable adversaries with lawful access** — search warrants, border seizures, civil discovery +- **Capable adversaries without lawful access (within reason)** — sophisticated criminal operations, opportunistic state-actor campaigns, supply-chain compromise +- **Coercion / duress** — physical compromise of the user (border crossing, mugging, kidnap) + +We **do not** claim to defend against: + +- A **dedicated, well-resourced state actor** specifically targeting one user (this is essentially undefendable on commodity hardware; if that's your threat model, talk to a specialist directly) +- **Endpoint compromise the user invites** — installing arbitrary software, sharing passwords, social engineering +- **Hardware implants installed before the user takes possession** — we mitigate via reproducible builds and hardware verification but cannot eliminate + +## Adversary capabilities we assume + +| Capability | Assumed? | Mitigation | +|---|---|---| +| Network observation (ISP, transit, Wi-Fi sniffing) | Yes | TLS everywhere; SilverVPN default-on; encrypted DNS | +| Subpoena to an upstream service (Google, Apple, ISP) | Yes | We don't depend on those services for sync, comms, or identity | +| Subpoena to SilverLABS itself | Yes | Minimum-data architecture: account numbers not emails; client-side encryption; no log retention beyond what's operationally required | +| Physical seizure of device, powered off | Yes | LUKS2 + Argon2id, TPM2-bound, BitLocker enforced, FileVault enforced | +| Physical seizure of device, powered on / unlocked | Partial | Lockdown Mode (Apple), screen lock policies, SilverDuress (v1.1) | +| Coerced unlock at border / by adversary | Partial | SilverDuress (v1.1) provides duress password / panic-wipe; iOS limited to OS primitives | +| Sophisticated remote exploitation (NSO-class) | No (honest) | Lockdown Mode where available, hardened kernels where we control them, but commodity-platform exploit chains exist for every OS | +| Supply-chain compromise of upstream packages | Partial | Reproducible builds, signed packages, SBOM published; cannot fully eliminate | +| Hardware implant / interdiction | Partial | Coreboot on supported laptops, sealed packaging, TPM measured boot; not a solved problem | + +## What "hardened" means per platform + +We ship the strongest hardening each platform physically allows. This varies and we are honest about it: + +- **Linux**: full kernel-level hardening (KSPP, hardened_malloc, AppArmor strict, verified boot we control) +- **Android (Pixel)**: GrapheneOS-tier hardening (verified boot, hardened kernel, full app sandboxing) +- **Android (other)**: variable — see [`platform-matrix.md`](platform-matrix.md) +- **Windows**: configuration-layer hardening only — closed kernel, no developer-controlled verified boot, no extensible MAC framework. We turn every dial Microsoft exposes; we cannot turn dials they don't expose +- **macOS**: configuration-layer hardening + Lockdown Mode + FileVault enforcement; we cannot modify XNU +- **iOS**: profile-layer only; weakest tier in the family, labelled as such + +The buyer-facing pros/cons table in [`platform-matrix.md`](platform-matrix.md) makes this explicit so users choose with eyes open. + +## Trust roots + +A SilverMetal user trusts: + +1. **SilverLABS** — to ship what we say we ship. Mitigated by reproducible builds, published signing keys, open source clients, and SBOMs +2. **The platform vendor** of any closed platform (Microsoft / Apple) — we cannot escape this on Windows / macOS / iOS, and we say so +3. **Their hardware** — Coreboot SKUs reduce this; commodity hardware does not eliminate it +4. **Themselves** — to not negate the protections (installing arbitrary software, disabling SilverVPN, sharing devices) + +If you cannot trust SilverLABS, our open source code + reproducible builds let you verify what we ship matches what we publish. + +## Out-of-scope by design + +- **Anonymity** is not the default goal — that's a Tor / Whonix-class product. SilverMetal targets *privacy*, *integrity*, and *confidentiality*. A Tor-by-default sibling product may follow. +- **Disposable / amnesic-by-default** is not the v1 default — Linux v1 has an optional amnesic session mode, but the product assumes a persistent device. +- **Offline-only / air-gapped operation** is not a target — SilverSync and SilverVPN both depend on network connectivity, with graceful offline degradation. + +## Living document + +This threat model is updated when the product scope changes or when new attacker capabilities become broadly relevant. Version history lives in git; substantive changes are called out in release notes. diff --git a/docs/trust-model.md b/docs/trust-model.md new file mode 100644 index 0000000..17f85ed --- /dev/null +++ b/docs/trust-model.md @@ -0,0 +1,101 @@ +# Trust Model + +How users (and we) verify what SilverMetal ships. Trust is earned through verifiability, not asserted in marketing. + +## What a SilverMetal user trusts + +In rough order of decreasing necessity: + +1. **The hardware** — at minimum, the CPU and TPM. Coreboot-supported SKUs reduce firmware-level trust requirements. Commodity SKUs do not eliminate them. +2. **SilverLABS' release signing keys** — to verify a downloaded image is genuine. +3. **SilverLABS' build process** — to trust the published artefact came from the published source. Reproducible builds let users *verify* this rather than just trust it. +4. **The platform vendor** — for Windows / macOS / iOS, we cannot eliminate trust in Microsoft / Apple. We say so explicitly. +5. **SilverLABS' server infrastructure** — for hosted SilverVPN nodes, SilverSync, SilverChat. Self-hosting alternatives are documented. +6. **Themselves** — to not negate the protections. + +## Reproducible builds + +Every SilverMetal release artefact is built reproducibly: + +- Pinned toolchain versions +- Pinned dependency hashes +- Stripped of build-environment metadata (timestamps, paths, host info) +- CI re-builds from a clean checkout and verifies identical output + +The reproducibility procedure is published per-component. Anyone can: +1. Clone the repo at the release tag +2. Run the documented build command +3. Compare SHA256 of their artefact to the published one + +Mismatch = supply chain anomaly. Report channel: `security@silverlabs.uk`. + +## Signing keys + +| Key | Purpose | Storage | Rotation | +|---|---|---|---| +| **SilverMetal Release** | Signs ISO/ROM/installer artefacts | Offline (HSM, ceremony-only access) | Major-version | +| **SilverMetal Update Channel** | Signs OTA / apt updates | Online but isolated; sub-key model | Yearly or on compromise | +| **SilverMetal Code Signing — Linux** | Signs `.deb`, kernel modules | Offline | Major-version | +| **SilverMetal Code Signing — Windows** | Authenticode cert for `.exe`/`.msi` | HSM or signing service | Per-cert lifetime | +| **SilverMetal Code Signing — macOS/iOS** | Apple Developer ID cert | Apple-managed | Per-cert lifetime | +| **SilverMetal MOK (Linux Secure Boot)** | Our Machine Owner Key for Secure Boot | Offline | Major-version | +| **SilverMetal AVB (Android verified boot)** | Android verified-boot key | Offline | Per-device-generation | + +Key fingerprints are published in `shared/signing/KEYS.md` (to be populated at first key generation). + +### Key ceremony policy +- All offline keys generated in air-gapped environment +- Multi-party control where feasible (M-of-N for the most critical keys) +- Rotation procedure documented before keys are first used +- Compromise procedure documented before keys are first used + +## SBOM (Software Bill of Materials) + +Every release publishes a complete SBOM in CycloneDX format: + +- All packages with version, source, license, hash +- Build-time vs. runtime dependencies distinguished +- Reproducible-build attestation linked + +SBOMs live in the release-page's `sbom/` directory. + +## Vulnerability response + +| Severity | Triage | Fix | Disclosure | +|---|---|---|---| +| Critical (active exploitation) | < 24h | Out-of-band release | Coordinated, then public | +| High | < 72h | Next scheduled release | Coordinated, then public | +| Medium | < 2 weeks | Next scheduled release | With release notes | +| Low | Best-effort | Backlog | With release notes | + +Reports: `security@silverlabs.uk`, GPG key in `shared/signing/`. + +## What we publish (transparency) + +- **All source code** for our own components — open repos on `git.silverlabs.uk` +- **Threat model** — `docs/threat-model.md`, updated when scope changes +- **Reproducibility procedure** per-component +- **SBOMs** per release +- **Signing key fingerprints** and ceremony summaries +- **Security advisories** — signed, dated, public archive +- **Subpoena / law enforcement transparency report** — annual; we publish counts and what we had/didn't have +- **Audit reports** — third-party audits published in full when commissioned + +## What we do *not* publish (and why) + +- **Active investigation details** — until coordinated disclosure window closes +- **Per-user data** — we do not have most of it (minimum-data architecture); what we do have, we do not publish +- **Server-side credential material** — for obvious reasons + +## Governance + +- This is a SilverLABS project; final calls rest with SilverLABS leadership +- Security-critical decisions are documented (ADR-style) in `docs/decisions/` (to be created when first decision is needed) +- Community contributions accepted via standard PR review with security-sensitive changes requiring a second reviewer + +## Honest acknowledgements + +- We are a small organisation. We will not match the auditor count of a Fortune-500 vendor +- We use external upstream code (Kicksecure, GrapheneOS, Chromium, etc.) and inherit their trust assumptions +- We cannot defend against every adversary; see [`threat-model.md`](threat-model.md) for what we do and do not target +- Trust grows with track record; we expect to be audited and judged over time diff --git a/ios/README.md b/ios/README.md new file mode 100644 index 0000000..68bdf97 --- /dev/null +++ b/ios/README.md @@ -0,0 +1,53 @@ +# SilverMetal iOS + +**Status**: Phase 4 (planning, post-Windows v1) + +Tier D — profile-layer only. Weakest tier in the family; labelled as such. We cannot modify iOS; we ship MDM profiles, App Store apps, and a setup guide. + +## Scope (v1) + +- Signed `.mobileconfig` MDM-style profile that: + - Enforces device passcode policy + - Disables analytics uploads, Siri suggestions + - Restricts iCloud to absolute minimum (Find My, OS update only — sync-replaced services point at SilverSync) + - Enables Lockdown Mode guidance + - Default-app changes where iOS 18+ allows (Browser, Mail, etc.) +- Stack ports via App Store: + - SilverBrowser (subject to Apple WebKit constraints — fall back to a hardened-defaults wrapper if pure custom engine is forbidden) + - SilverVPN (NetworkExtension API) + - SilverSync (file/contact/calendar/photos providers) + - SilverChat (post-v1.1) + - SilverKeys (post-v1.1) +- Setup guide: + - Disposable Apple ID guidance + - Hardware-key 2FA (YubiKey via Lightning / NFC) + - Recommended app curation + - eSIM privacy guidance + +## Out of scope + +- Anything requiring jailbreak (we do not support, recommend, or distribute jailbreaks) +- Anything bypassing Apple's review for Stack apps +- Eliminating Apple ID — it is required for App Store and we say so + +## Directory layout + +To be populated in Phase 4: + +``` +ios/ +├── profile/ # .mobileconfig sources, signing +├── stack/ # iOS-specific Stack app builds (Xcode projects) +└── docs/ # setup guide, recommended apps, threat-tier disclaimer +``` + +## Verification gates + +- Profile signature verifies on iOS install +- Lockdown Mode guidance verified across iOS 17+ +- Stack apps pass App Store review and behave per spec +- Telemetry capture documents minimum-feasible Apple contact (we cannot reach zero) + +## Honest framing + +This is the weakest SilverMetal tier. iOS is the most restrictive consumer platform; users who pick this tier are typically users who *must* stay on iPhone. The product page must say so prominently. diff --git a/linux/README.md b/linux/README.md new file mode 100644 index 0000000..845fd0a --- /dev/null +++ b/linux/README.md @@ -0,0 +1,67 @@ +# SilverMetal Linux + +**Status**: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build) + +The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based. + +## Scope (v1) + +See [`../docs/roadmap.md`](../docs/roadmap.md) Phase 1. + +### Hardening must-haves +- Kicksecure base (Debian-derived, hardened upstream) +- linux-hardened kernel + KSPP sysctl/build flags +- Secure Boot with our shim/MOK +- TPM2 PCR-bound LUKS2 unlock (Argon2id), full-disk encryption mandatory +- AppArmor strict profiles for browsers, mail, viewers, networked daemons +- GrapheneOS hardened_malloc as system allocator +- bubblewrap + Flatpak primary; firejail for legacy `.deb` +- nftables default-deny inbound, encrypted DNS, SilverVPN always-on default +- Zero upstream telemetry — verified by integration test +- SilverBrowser default (ungoogled-chromium-rebranded v1) +- A/B updates with rollback, signed by our keys +- Optional amnesic session mode + +### Out of scope (v1) +- Atomic / immutable root (v1.1 — `ostree` experiment) +- dm-verity on `/` (v1.1) +- ARM64 / Apple Silicon (v2) +- Tor-by-default variant (sibling product later) + +## Directory layout + +``` +linux/ +├── build/ # live-build pipeline, reproducible-build config +├── kernel/ # config fragments, linux-hardened pinning +├── overlay/ # /etc + /usr/share/silvermetal + skel hardening overlay +├── packages/ +│ ├── include.list # what's installed +│ └── exclude.list # what's purged (snap, telemetry, etc.) +├── apparmor/ # custom strict profiles +├── nftables/ # default ruleset +├── installer/ # Calamares branding + hardened defaults +├── update-server/ # signing + repo hosting (infra-as-code) +└── tests/ + ├── lynis-baseline/ + ├── kspp-check/ + └── telemetry-leak/ +``` + +## Verification gates (must pass before public alpha) + +- Two clean builds from same commit → identical SHA256 +- `kconfig-hardened-check` passes +- Lynis hardening score ≥ 90 +- 30-min idle telemetry capture: zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics +- TPM tamper test: LUKS correctly falls back to passphrase +- AppArmor: every networked binary confined or documented +- Independent privacy-engineering review + +## Upstream we depend on + +- **Kicksecure** — fork base +- **linux-hardened** — kernel patchset +- **GrapheneOS hardened_malloc** — allocator +- **KSPP** — kernel config authority +- **secureblue** — reference for v1.1 immutable design diff --git a/macos/README.md b/macos/README.md new file mode 100644 index 0000000..c958027 --- /dev/null +++ b/macos/README.md @@ -0,0 +1,48 @@ +# SilverMetal macOS + +**Status**: Phase 4 (planning, post-Windows v1) + +Tier C-D — signed configuration profile + setup script + Stack ports. We cannot modify macOS; we configure everything Apple exposes. + +## Scope (v1) + +- Signed `.mobileconfig` profile that: + - Enforces FileVault + - Disables analytics, Siri uploads, advertising identifiers + - Configures application firewall + - Restricts iCloud to absolute minimum + - Enables Lockdown Mode (per-user opt-in guidance) +- Idempotent setup script for non-MDM hardening (default-app changes, Safari→SilverBrowser, etc.) +- Stack ports for macOS (universal binaries, notarised, signed) +- Setup guide for hardware-key 2FA, anti-forensics + +## Out of scope + +- Anything requiring kernel extension or system extension privileges beyond what Apple sanctions +- Anything that disables SIP / Gatekeeper (we keep both ON) +- Anything that requires bypassing Apple's signing chain + +## Directory layout + +To be populated in Phase 4: + +``` +macos/ +├── profile/ # .mobileconfig sources, signing +├── setup/ # idempotent setup script +├── stack-installer/ # native macOS Stack package builders (.pkg) +└── docs/ # setup guide, recommended apps +``` + +## Verification gates + +- Profile signature verifies under Apple's signing chain +- FileVault confirmed enabled post-install +- Stack apps install via signed `.pkg`, run sandboxed where supported +- Setup script idempotent (verified by re-run with no changes) + +## Upstream we depend on + +- **Apple macOS** — base, unmodified +- **macOS Privacy Guide / privacy.sexy** — reference for hardening configs +- **Lockdown Mode** — Apple-provided, documented and enabled diff --git a/shared/branding/README.md b/shared/branding/README.md new file mode 100644 index 0000000..482533e --- /dev/null +++ b/shared/branding/README.md @@ -0,0 +1,14 @@ +# Branding + +Logos, colour tokens, design system. To be populated when the brand identity is finalised. + +## Naming convention + +- Family brand: **SilverMetal** +- Per-platform: `SilverMetal Linux`, `SilverMetal Droid`, `SilverMetal Windows`, `SilverMetal macOS`, `SilverMetal iOS` +- Stack apps: `SilverBrowser`, `SilverVPN`, `SilverSync`, `SilverChat`, `SilverDuress`, `SilverKeys` +- Per-Android-tier suffix: `SilverMetal Droid Flagship` (Pixel), `Galaxy` (Samsung), `Moto` (Motorola), `Profile` (generic) + +## Visual identity + +To be defined. Consistent with the broader SilverLABS visual language (dark professional, cyan accent — see SilverLABS frontend prompt) but with its own distinguishable mark. diff --git a/shared/signing/README.md b/shared/signing/README.md new file mode 100644 index 0000000..7c55b40 --- /dev/null +++ b/shared/signing/README.md @@ -0,0 +1,23 @@ +# Signing + +Real signing keys never live in this repository. This directory holds: + +- **`KEYS.md`** (to be created) — public key fingerprints, key purposes, key ceremony summaries +- **Public keys** — `.asc` / `.pem` exports of public halves +- **Verification documentation** — how a third party reproduces our build and verifies our signatures + +## Key inventory + +See [`../../docs/trust-model.md`](../../docs/trust-model.md) for the complete trust model. + +| Key | Purpose | +|---|---| +| SilverMetal Release | Signs ISO/ROM/installer artefacts | +| SilverMetal Update Channel | Signs OTA / apt updates | +| SilverMetal MOK (Linux Secure Boot) | Our Machine Owner Key | +| SilverMetal AVB (Android verified boot) | Android verified-boot key | +| SilverMetal Code Signing — per-platform | OS-specific code-signing certs | + +## First key ceremony + +To occur at milestone 1.9 (update server + signing ceremony) per the roadmap. Procedure documented in advance and reviewed by SilverLABS leadership before execution. diff --git a/stack/README.md b/stack/README.md new file mode 100644 index 0000000..139d743 --- /dev/null +++ b/stack/README.md @@ -0,0 +1,51 @@ +# SilverLABS Application Stack + +The cross-platform spine of SilverMetal. These apps replace the cloud services your device normally talks to. Same brand, same account, same data on every platform. + +## Components + +| Component | Status | Purpose | +|---|---|---| +| [`browser/`](browser/) — **SilverBrowser** | v1 (Linux MVP) | De-Googled, telemetry-free browser | +| [`vpn/`](vpn/) — **SilverVPN** | v1 (Linux MVP) | Always-on, no-logs VPN with our infrastructure | +| [`sync/`](sync/) — **SilverSync** | v1 (Linux MVP) | Private replacement for iCloud/Google/OneDrive | +| [`chat/`](chat/) — **SilverChat** | v1.1 | E2EE messenger | +| [`duress/`](duress/) — **SilverDuress** | v1.1 | Duress password / panic-wipe / anti-coercion | +| [`keys/`](keys/) — **SilverKeys** | v1.1 | Zero-knowledge password + 2FA manager | +| [`shared/`](shared/) — common code | ongoing | Account SDK, crypto primitives, branding | + +## Account model + +Users get a **SilverLABS account number** (Mullvad-style — random, no email, no name). One account → all Stack apps. Payment is processed separately (SilverDotPay / cryptocurrency option) with no link back to the account number. + +## Cross-platform build philosophy + +Each app is built natively per platform — no Electron sprawl where avoidable: + +- **Linux**: native `.deb` + Flatpak +- **Android**: native APK / AAB +- **Windows**: native MSI / EXE (signed) +- **macOS**: universal binary `.pkg` (notarised) +- **iOS**: App Store + +Where a single codebase (e.g., Tauri / Rust core) lets us hit multiple platforms with a thin native UI shell, we use it. We avoid Electron unless the cost of native is unjustifiable. + +## v1 ship order + +1. **SilverBrowser** — ungoogled-chromium-derived, our defaults, our update channel +2. **SilverVPN** — WireGuard-based, our exit nodes, account-number signup +3. **SilverSync** — Nextcloud-backed (server side), client-side encryption, native clients + +These three ship with SilverMetal Linux v1. + +v1.1 adds Chat, Duress, Keys. + +## Server side + +The Stack server components live in separate repositories under `SilverLABS/`: +- `silver-vpn-infra` — WireGuard exit-node infrastructure (Terraform / Ansible) +- `silver-sync-server` — Nextcloud + Radicale + Baïkal stack +- `silver-chat-homeserver` — Matrix Synapse / Dendrite +- `silver-account` — account-number issuance + auth gateway + +Self-hostable counterparts are documented for users who don't want to use SilverLABS infrastructure. diff --git a/stack/browser/README.md b/stack/browser/README.md new file mode 100644 index 0000000..1f481e1 --- /dev/null +++ b/stack/browser/README.md @@ -0,0 +1,43 @@ +# SilverBrowser + +**Status**: v1 (Linux MVP) — planning + +A de-Googled, telemetry-free, fingerprint-resistant browser. Ships as the default on every SilverMetal platform. + +## v1 approach + +Rebrand of **ungoogled-chromium** with our defaults baked in: +- All Google-services calls stripped (already done by ungoogled-chromium upstream) +- Update channel pointed at our infrastructure +- DNS-over-HTTPS to our resolver default +- WebRTC IP leak prevention enabled +- Strict referrer policy +- Aggressive third-party cookie + tracker blocking via uBlock Origin preinstalled and pinned +- Search engine: privacy-respecting default (DuckDuckGo / Brave Search), Google removed +- No telemetry, no auto-update phone-home, no field trials +- New-tab page = blank or SilverLABS-branded local page (no remote fetch) + +## v2 direction (post-MVP) + +Evaluate forking Mullvad Browser instead, or maintaining our own Firefox / Gecko fork. Decision criteria: +- Maintenance burden vs. feature gap +- Anti-fingerprinting rigour (Mullvad/Tor leads here) +- Compatibility with mainstream sites users need + +## What this is **not** + +- Not a Tor browser — that's a separate use case +- Not a "dark web browser" — that framing is wrong; this is a daily-driver browser with privacy defaults +- Not a Brave fork — Brave's BAT/Rewards model is incompatible with our principles + +## Per-platform builds + +- **Linux**: `.deb` + Flatpak +- **Android**: APK based on Bromite-successor patches (Cromite or similar) +- **Windows**: MSI, signed +- **macOS**: notarised `.pkg` +- **iOS**: webkit-shell with our defaults — Apple does not permit non-WebKit engines on iOS today + +## Repository + +Build configs and patch sets land here. Upstream is tracked as a submodule or pinned tarball. diff --git a/stack/chat/README.md b/stack/chat/README.md new file mode 100644 index 0000000..111df77 --- /dev/null +++ b/stack/chat/README.md @@ -0,0 +1,32 @@ +# SilverChat + +**Status**: v1.1 (planning) + +End-to-end encrypted messenger. Ships post-MVP. + +## Approach (tentative — to be finalised before v1.1) + +Two candidate paths: + +1. **Matrix-based** — Synapse or Dendrite homeserver, custom client per platform. Pros: federated, mature, large existing ecosystem. Cons: metadata leakage in federation, complex protocol. +2. **Signal-protocol-based** — fork the Signal codebase, run own server. Pros: gold-standard cryptography, simpler client. Cons: forking the Signal protocol is socially fraught; less feature-rich than Matrix. + +Decision documented in `docs/decisions/` once made. + +## Non-negotiables + +- Account-number-based identity (not phone, not email) +- E2EE by default, no opt-out +- Self-hostable server +- No telemetry from client +- Forward secrecy +- Backup keys remain on user devices + +## Per-platform clients + +To be defined post-decision. Likely Tauri-based or per-platform-native depending on protocol choice. + +## Out of scope (for now) + +- Voice/video calling — v1.2+ +- Group sizes >100 — Matrix supports, but we may cap at 100 for v1.1 simplicity diff --git a/stack/duress/README.md b/stack/duress/README.md new file mode 100644 index 0000000..186d390 --- /dev/null +++ b/stack/duress/README.md @@ -0,0 +1,37 @@ +# SilverDuress + +**Status**: v1.1 (planning) + +Duress password / panic-wipe / anti-coercion. The "I am being forced to unlock this device" feature. + +## What it does + +- **Duress password**: an alternate password that, when entered, *appears to unlock normally* but actually triggers a configured action +- **Panic-wipe**: secure erasure of encrypted volumes / keys +- **Decoy unlock**: opens a clean profile / sandbox containing decoy data +- **Silent alert**: optional outbound signal to trusted contact / SilverLABS service that duress was activated + +User configures which behaviours apply. + +## Per-platform implementation + +| Platform | Mechanism | Strength | +|---|---|---| +| **Linux** | PAM module — duress passphrase wipes LUKS keys / drops to decoy profile | Strong | +| **Android (Pixel ROM)** | Inherited from GrapheneOS duress PIN | Strong | +| **Android (other)** | Best-effort: app-level duress action when SilverLABS Stack apps are unlocked with duress credential | Moderate | +| **Windows** | Group Policy + scheduled task triggered by duress credential entry; BitLocker key destruction | Moderate (closed kernel limits us) | +| **macOS** | Configuration profile + login script; FileVault key destruction on duress | Moderate | +| **iOS** | OS-provided erase-after-failed-attempts (Apple primitive); Stack-app-level duress where feasible | Limited (we cannot run code at unlock) | + +The per-platform table is shown to users in the SilverDuress setup UI so they understand what's possible on their device. + +## Non-goals + +- Not a "tracking your stolen phone" feature — different product, different threat model +- Not a "remote wipe" service — that requires constant network and trust in the wipe operator. We may offer it later, but v1.1 is local-only. + +## Risks we acknowledge + +- A sufficiently sophisticated adversary may forensically recover from a partial wipe — we use cryptographic erasure (destroy the key, not the data) which is robust against this +- A coerced user may be unable to remember to use the duress password — we document this clearly in the setup UI; this is a fundamental limitation, not a SilverMetal-specific one diff --git a/stack/keys/README.md b/stack/keys/README.md new file mode 100644 index 0000000..bf22e80 --- /dev/null +++ b/stack/keys/README.md @@ -0,0 +1,41 @@ +# SilverKeys + +**Status**: v1.1 (planning) + +Zero-knowledge password + 2FA + key manager. Synced via SilverSync. + +## Approach (tentative — to be finalised) + +Most likely **fork Bitwarden** (server + clients are open source, mature, well-audited) and: +- Replace the account model with our SilverLABS account number +- Replace the server with one running on SilverSync infrastructure +- Strip telemetry / phone-home in clients +- Re-skin to SilverMetal branding + +Alternative: lightweight KeePassXC-derived client with our own sync layer. Simpler but less feature-rich. + +## Non-negotiables + +- Zero-knowledge: server cannot read vault content +- Argon2id KDF for master password +- Multi-device sync via SilverSync +- TOTP / WebAuthn / hardware-key (YubiKey) support +- Open source clients +- No telemetry + +## Per-platform clients + +- **Linux**: native (Tauri / Rust) or web-app +- **Android**: Bitwarden-fork rebranded +- **Windows**: Bitwarden-fork rebranded +- **macOS**: Bitwarden-fork rebranded +- **iOS**: Bitwarden-fork rebranded +- **Browser extension**: SilverBrowser-bundled by default; available for non-SilverBrowser too + +## Migration + +Bitwarden vault import works out-of-the-box with the fork. Documented procedures for migration from: +- 1Password +- LastPass +- Chrome / Safari / Firefox saved passwords +- KeePassXC diff --git a/stack/shared/README.md b/stack/shared/README.md new file mode 100644 index 0000000..2208d34 --- /dev/null +++ b/stack/shared/README.md @@ -0,0 +1,20 @@ +# Stack — Shared + +Common code shared across SilverLABS Stack components: + +- **Account SDK** — SilverLABS account-number issuance, auth, session management +- **Crypto primitives** — vetted wrappers for Argon2id, AES-GCM, ChaCha20-Poly1305, X25519, Ed25519 +- **Branding tokens** — fonts, logos, colours, design tokens +- **Update client** — common update-check + signature-verify code reused by all Stack apps + +To be populated as each Stack component reaches a point where shared code makes sense (typically v1 → v1.1 transition). + +## Language / runtime choice + +Default to **Rust** for shared crypto and account SDK code, with bindings/bridges per platform language: +- Kotlin / Java for Android +- Swift / Obj-C for Apple platforms +- C# for Windows native integration where required +- TypeScript bindings for browser extensions / web UI + +Rust gives memory safety, performance, and a single source of truth for the security-critical parts. diff --git a/stack/sync/README.md b/stack/sync/README.md new file mode 100644 index 0000000..986bd97 --- /dev/null +++ b/stack/sync/README.md @@ -0,0 +1,52 @@ +# SilverSync + +**Status**: v1 (Linux MVP) — planning + +A private replacement for iCloud / Google Drive / OneDrive. Contacts, calendar, files, photos, notes — synced across all your SilverMetal devices, encrypted client-side, zero-knowledge to the server. + +## v1 scope + +- **Contacts** — CardDAV +- **Calendar** — CalDAV +- **Files** — WebDAV with client-side encryption (E2EE) +- **Photos** — file-based, with client-side encryption + +v1.1 adds Notes, Tasks. + +## Server side + +Lives in `SilverLABS/silver-sync-server` (separate repo). Stack: +- **Nextcloud** for files / photos (with E2EE app) +- **Radicale** or **Baïkal** for CardDAV / CalDAV +- Behind SilverVPN by default for transport-layer privacy +- Self-hostable — the same stack runs on a user's home server + +## Client-side encryption + +- Files: each file encrypted with a per-file content key; content keys wrapped with a user-derived master key (Argon2id from passphrase + account number) +- Server stores only ciphertext + opaque metadata +- Server cannot read filenames in their entirety (filename encryption mode in Nextcloud E2EE) +- Master key never leaves the device + +## Per-platform clients + +- **Linux**: GNOME / Plasma evolution, native CardDAV/CalDAV via existing tooling; Nextcloud client for files +- **Android**: DAVx⁵ (CardDAV/CalDAV) + Nextcloud Android client (rebranded) +- **Windows**: Nextcloud Windows client (rebranded) + Outlook integration +- **macOS**: Nextcloud macOS client (rebranded) + native Calendar/Contacts integration +- **iOS**: Nextcloud iOS app (rebranded) + iOS native CardDAV/CalDAV providers + +## What this is not + +- Not a "free Google replacement for everyone" — server costs are real, paid tier funds them +- Not a CDN — files sync between user's devices, not at internet scale +- Not a backup product — this is sync; backup is a separate concern (offer integration with restic/borg later) + +## Migration + +Documented procedures for users coming from: +- iCloud → SilverSync +- Google → SilverSync +- OneDrive → SilverSync + +These guides are critical for onboarding and live in `docs/` of this directory once the client ships. diff --git a/stack/vpn/README.md b/stack/vpn/README.md new file mode 100644 index 0000000..96d8f66 --- /dev/null +++ b/stack/vpn/README.md @@ -0,0 +1,40 @@ +# SilverVPN + +**Status**: v1 (Linux MVP) — planning + +Always-on VPN with no logs, run on SilverLABS infrastructure. Mullvad-style account-number signup (no email, no name). + +## v1 approach + +- **Protocol**: WireGuard. Period. (Battle-tested, tiny attack surface, performant.) +- **Account**: random 16-digit account number; no email, no PII +- **Payment**: separate channel (SilverDotPay / crypto / payment processor) with no link back to account number +- **Exit nodes**: SilverLABS-operated initially; geographically diverse +- **Kill-switch**: enforced at firewall layer (nftables on Linux, NetworkExtension content filters on Apple) +- **DNS**: encrypted DNS through tunnel; no DNS leaks +- **Per-device keys**: each device gets its own WireGuard key; revoke per-device + +## Server-side + +Lives in `SilverLABS/silver-vpn-infra` (separate repo). This repo holds the **client** code only. + +## What we do not do + +- We do not log connection metadata beyond what is operationally required (typically just real-time peer state, not retained) +- We do not bundle ad-blocking — that's the browser's job, not the VPN's +- We do not bundle tracker-blocking heuristics in the VPN — that risks false positives that break sites +- We do not run a "free tier" with a different infrastructure — paid users and free users (if any) get the same server quality + +## Per-platform clients + +- **Linux**: GTK + native daemon (`silvervpn-daemon` running as systemd service) +- **Android**: VpnService-based, native UI +- **Windows**: WireGuard tunnel service + tray UI (signed) +- **macOS**: NetworkExtension, signed and notarised +- **iOS**: NetworkExtension via App Store + +## Verification + +- Kill-switch test: disconnect upstream, verify zero packets leak +- DNS-leak test: capture DNS during tunnel-up; all queries must traverse the tunnel +- Reconnect test: WAN flap, verify reconnect without temporary leak diff --git a/windows/README.md b/windows/README.md new file mode 100644 index 0000000..8c7f773 --- /dev/null +++ b/windows/README.md @@ -0,0 +1,51 @@ +# SilverMetal Windows + +**Status**: Phase 3 (planning, post-Linux v1) + +Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes. + +## Scope (v1) + +LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build: + +- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support) +- Group Policy hardening (telemetry off, services disabled, sane defaults) +- Defender ASR rules at maximum +- AppLocker allow-list mode +- BitLocker enforced (TPM-bound) +- Telemetry blocked at hosts file + service + GP layers +- Edge / Chrome replaced with SilverBrowser default +- Full SilverLABS Stack preinstalled (native Windows builds) + +## Out of scope + +- Anything requiring kernel modifications +- Anything requiring developer-controlled verified boot +- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it) + +## Directory layout + +To be populated in Phase 3. Initial structure planned: + +``` +windows/ +├── installer/ # PowerShell / WiX-based installer +├── policies/ # Group Policy templates, ADMX +├── applocker/ # AppLocker rules +├── debloat/ # Removal scripts (Edge, Cortana residue, telemetry) +├── stack-installer/ # Native SilverLABS Stack package builders +└── tests/ # Telemetry-leak test, hardening-baseline test +``` + +## Verification gates + +- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains) +- BitLocker enabled with TPM binding verified +- AppLocker allow-list functional and documented +- Stack apps install and function + +## Upstream we depend on + +- **Windows 11 IoT Enterprise LTSC** — base OS (licensed) +- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs +- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking