SilverMetal

SilverLABS/SilverMetal

Fork 0

Commit Graph

Author	SHA1	Message	Date
sysadmin	a169d2a452	feat(build): inject virtio-net (NetKVM) driver for HVCI-compatible VM networking Some checks failed Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4m56s Details The privacy hardening enables HVCI (Memory Integrity), which blocks the legacy e1000 NIC driver (E1G6032E.sys) -> no network in the VM, so winget app installs silently skip. virtio-net's NetKVM driver is WHQL-signed + HVCI-compatible. Staged from virtio-win (w11/amd64) under windows/drivers/netkvm/; build.ps1 already auto- injects any *.inf under windows/drivers/ into install.wim. Pair with a virtio NIC on the VM (already switched). Lets apps actually install under hardening. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-10 14:32:48 +01:00
sysadmin	3a30a0421e	docs(windows): add ISO-builder design + scaffold the windows/ tree Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing frame (IoT = blessed channel for preinstalled custom images; self-apply stays a builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/ oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit- identical on Windows), and M0-M4 milestones. Scaffold windows/ per the planned layout: - installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2), inputs.manifest.json (pinned-input schema), autounattend.xml (local-account OOBE), oem/SetupComplete.cmd (first-boot runner) - hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1 (used by BOTH the ISO first-boot path and the self-apply track). BitLocker module enforces TPM+PIN and blocks TPM-only. - policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an anti-pattern; rename applocker/ -> wdac/ realised. All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid. Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware steps documented, not faked). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-08 15:35:13 +01:00

Author

SHA1

Message

Date

sysadmin

a169d2a452

feat(build): inject virtio-net (NetKVM) driver for HVCI-compatible VM networking

Build SilverMetal Enhanced - Windows ISO / build (pull_request) Failing after 4m56s

Details

The privacy hardening enables HVCI (Memory Integrity), which blocks the legacy
e1000 NIC driver (E1G6032E.sys) -> no network in the VM, so winget app installs
silently skip. virtio-net's NetKVM driver is WHQL-signed + HVCI-compatible. Staged
from virtio-win (w11/amd64) under windows/drivers/netkvm/; build.ps1 already auto-
injects any *.inf under windows/drivers/ into install.wim. Pair with a virtio NIC on
the VM (already switched). Lets apps actually install under hardening.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-10 14:32:48 +01:00

sysadmin

3a30a0421e

docs(windows): add ISO-builder design + scaffold the windows/ tree

Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-08 15:35:13 +01:00

2 Commits