chore(scaffold): initial SilverMetal program scaffold
Cross-platform privacy-hardening program. Two-layer product: - SilverLABS Application Stack (cross-platform spine) - Platform Hardening Profiles (per-OS, tier-honest) Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic), Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has both a preflashed hardware SKU path and a self-apply "harden your existing device" path. Includes umbrella docs (README + threat-model, design-principles, platform-matrix, roadmap, trust-model), per-platform and per-stack- component README stubs, .gitignore, LICENSE. Linux v1 ships first; Stack v1 = Browser + VPN + Sync. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
51
windows/README.md
Normal file
51
windows/README.md
Normal file
@@ -0,0 +1,51 @@
|
||||
# SilverMetal Windows
|
||||
|
||||
**Status**: Phase 3 (planning, post-Linux v1)
|
||||
|
||||
Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.
|
||||
|
||||
## Scope (v1)
|
||||
|
||||
LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:
|
||||
|
||||
- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
|
||||
- Group Policy hardening (telemetry off, services disabled, sane defaults)
|
||||
- Defender ASR rules at maximum
|
||||
- AppLocker allow-list mode
|
||||
- BitLocker enforced (TPM-bound)
|
||||
- Telemetry blocked at hosts file + service + GP layers
|
||||
- Edge / Chrome replaced with SilverBrowser default
|
||||
- Full SilverLABS Stack preinstalled (native Windows builds)
|
||||
|
||||
## Out of scope
|
||||
|
||||
- Anything requiring kernel modifications
|
||||
- Anything requiring developer-controlled verified boot
|
||||
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)
|
||||
|
||||
## Directory layout
|
||||
|
||||
To be populated in Phase 3. Initial structure planned:
|
||||
|
||||
```
|
||||
windows/
|
||||
├── installer/ # PowerShell / WiX-based installer
|
||||
├── policies/ # Group Policy templates, ADMX
|
||||
├── applocker/ # AppLocker rules
|
||||
├── debloat/ # Removal scripts (Edge, Cortana residue, telemetry)
|
||||
├── stack-installer/ # Native SilverLABS Stack package builders
|
||||
└── tests/ # Telemetry-leak test, hardening-baseline test
|
||||
```
|
||||
|
||||
## Verification gates
|
||||
|
||||
- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains)
|
||||
- BitLocker enabled with TPM binding verified
|
||||
- AppLocker allow-list functional and documented
|
||||
- Stack apps install and function
|
||||
|
||||
## Upstream we depend on
|
||||
|
||||
- **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
|
||||
- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
|
||||
- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
|
||||
Reference in New Issue
Block a user