chore(scaffold): initial SilverMetal program scaffold

Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00
commit 7d5f9cc246
23 changed files with 1381 additions and 0 deletions

docs/roadmap.md Normal file

@@ -0,0 +1,124 @@
# Roadmap
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
## Phase 0 — Foundation (current)
**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
| # | Milestone | Done when |
|---|---|---|
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
**Status**: in progress (this commit completes 0.10.3).
---
## Phase 1 — SilverMetal Linux v1 (the MVP)
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms.
| # | Milestone | Done when |
|---|---|---|
| 1.1 | Kicksecure fork builds reproducibly | `live-build` produces identical SHA256 across two clean builds |
| 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded |
| 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions |
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works |
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
| 1.11 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity |
| 1.12 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated |
**Exit criteria for Phase 1**: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase.
---
## Phase 1.1 — Stack expansion
**Goal**: complete the SilverLABS Application Stack so v1.1 ships with the full suite.
| # | Milestone | Done when |
|---|---|---|
| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding |
| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
---
## Phase 2 — SilverMetal Droid
**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile).
| # | Milestone | Done when |
|---|---|---|
| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ |
| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) |
---
## Phase 3 — SilverMetal Windows
**Goal**: ship the Windows hardening installer for users locked into Windows.
| # | Milestone | Done when |
|---|---|---|
| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired |
| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert |
| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) |
| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) |
---
## Phase 4 — Apple platforms (macOS + iOS profiles)
**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms.
| # | Milestone | Done when |
|---|---|---|
| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) |
| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert |
| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) |
| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) |
| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles |
---
## Phase 5 — Hardening / immutability / Tor sibling
**Goal**: post-MVP improvements; not blocking earlier phases.
- Atomic / immutable Linux variant (ostree)
- dm-verity-protected `/`
- Tor-by-default sibling product (SilverMetal Onion or similar)
- ARM64 / Apple Silicon Linux variant
- Coreboot tooling improvements / additional reference hardware
---
## Cross-cutting workstreams (always-on)
These run in parallel with phases:
- **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories
- **External audits** — annual or per-major-release third-party security review
- **Documentation** — every phase's gate includes documentation update
- **Community / support** — issue tracker, support channels, response SLOs
## Phase entry/exit philosophy
- We do not start a phase until the previous one's exit criteria are met
- We *can* run cross-cutting workstreams in parallel
- A failing verification gate blocks the phase, full stop — no shipping with known regressions
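Review bot: The **Status** line under the Phase 0 table says this commit completes `0.10.3`, which matches no milestone in that table (0.1, 0.2, 0.3); it looks like a range that lost its separator and should read "0.1 to 0.3". Because 0.2 is only done when the docs are "complete and reviewed" and 0.3 only when the repo exists on `git.silverlabs.uk`, the status should claim just what this commit can satisfy on its own. Two numbering collisions are worth fixing while the file is new: the "Phase 1.1" heading reuses the number of milestone 1.1 in the Phase 1 table, and the Security advisories bullet says "from Phase 1.10 onward" although 1.10 is a milestone, not a phase. Milestone 1.4 names vendors ("MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints") rather than hosts or address ranges, so "zero packets" cannot be checked mechanically against a tcpdump capture; reference a versioned endpoint list, or restate the gate as an allowlist of destinations the idle system is expected to contact. Milestone 1.1 would also be a stronger reproducibility gate if the "two clean builds" were required to run on separate build hosts.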