SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

docs(windows): Enhanced-Windows hardening spec (GPD Pocket 4 reference) #2

Merged
SilverLABS merged 2 commits from docs/enhanced-windows-hardening-spec into main 2026-06-08 14:45:15 +00:00
Conversation 0 Commits 2 Files Changed 25 +1042 -7
SilverLABS commented 2026-06-08 14:19:56 +00:00
Owner
Copy Link

SilverMetal Enhanced — Windows: hardening specification

Adds windows/hardening-spec.md — the detailed config-layer (Tier C) hardening spec for SilverMetal Enhanced — Windows, with the GPD Pocket 4 (AMD Ryzen AI 9 HX 370 / Strix Point) as reference device. Serves as both a one-off hardening guide for the immediate unit and the prototype of the productized LTSC SKU.

Grounded in a 2026-06-08 deep-research assessment (21 sources, adversarially verified) and bound by docs/threat-model.md + docs/design-principles.md.

What's in the spec

Eight control domains, each with a verification command (evidence before assertions):

  • A Provisioning baseline (clean image, local account, telemetry → Security floor, debloat)
  • B Boot & firmware trust (Secure Boot + custom keys, BIOS admin password, firmware-update hygiene)
  • C Data at rest — BitLocker XTS-AES-256 + PIN
  • D Kernel & credential isolation — VBS/HVCI/Credential Guard/Kernel DMA Protection
  • E Application control — WDAC audit→enforce
  • F Network & radios — SilverVPN kill-switch, encrypted DNS, WiFi-only (no baseband module)
  • G Physical & lock-screen hygiene — TPM+PIN, DMA lock policy, SilverDuress
  • H Privacy minimisation & update integrity
  • Plus the SilverLABS Stack mapping, a buyer-facing residual-risk statement, verification gates, productization notes, and open questions.

Refinements to the existing windows/README.md v1 scope

  1. BitLocker TPM + PIN, never TPM-only — the faulTPM research is literally a BitLocker VMK extraction from the AMD fTPM; a PIN forces an offline brute-force the attacker can't shortcut. (was "TPM-bound")
  2. WDAC (App Control) primary, kernel-enforced, audit-first — AppLocker demoted to fallback (it isn't kernel-enforced); planned applocker/wdac/. (was "AppLocker allow-list")
  3. Telemetry at GP + service + firewall layers, NOT hosts-file blocking of Microsoft domains — hosts-blocking MS breaks Windows Update, violating design-principle #13 "update or die". (was "hosts file")
  4. Added VBS/HVCI/Credential Guard/Kernel DMA Protection to scope + verify gates; noted Enterprise (prototype) vs IoT Enterprise LTSC (SKU target) hardening equivalence.

Honest positioning (per design-principle #2)

Nation-state / firmware tier is explicitly NOT claimed on consumer UMPC silicon: closed AMI-class BIOS, always-on AMD PSP (no ME-disable equivalent), no hardware kill switches. Buyers whose threat model centres there are pointed to SilverMetal OS — Linux on coreboot/ME-neutralised hardware (docs/hardware-skus.md).

🤖 Generated with Claude Code

## SilverMetal Enhanced — Windows: hardening specification Adds `windows/hardening-spec.md` — the detailed config-layer (Tier C) hardening spec for **SilverMetal Enhanced — Windows**, with the **GPD Pocket 4** (AMD Ryzen AI 9 HX 370 / Strix Point) as reference device. Serves as both a one-off hardening guide for the immediate unit and the prototype of the productized LTSC SKU. Grounded in a 2026-06-08 deep-research assessment (21 sources, adversarially verified) and bound by `docs/threat-model.md` + `docs/design-principles.md`. ### What's in the spec Eight control domains, each with a **verification command** (evidence before assertions): - **A** Provisioning baseline (clean image, local account, telemetry → `Security` floor, debloat) - **B** Boot & firmware trust (Secure Boot + custom keys, BIOS admin password, firmware-update hygiene) - **C** Data at rest — BitLocker XTS-AES-256 **+ PIN** - **D** Kernel & credential isolation — VBS/HVCI/Credential Guard/Kernel DMA Protection - **E** Application control — WDAC audit→enforce - **F** Network & radios — SilverVPN kill-switch, encrypted DNS, **WiFi-only (no baseband module)** - **G** Physical & lock-screen hygiene — TPM+PIN, DMA lock policy, SilverDuress - **H** Privacy minimisation & update integrity - Plus the SilverLABS Stack mapping, a buyer-facing **residual-risk statement**, verification gates, productization notes, and open questions. ### Refinements to the existing `windows/README.md` v1 scope 1. **BitLocker TPM + PIN, never TPM-only** — the faulTPM research is literally a BitLocker VMK extraction from the AMD fTPM; a PIN forces an offline brute-force the attacker can't shortcut. *(was "TPM-bound")* 2. **WDAC (App Control) primary, kernel-enforced, audit-first** — AppLocker demoted to fallback (it isn't kernel-enforced); planned `applocker/` → `wdac/`. *(was "AppLocker allow-list")* 3. **Telemetry at GP + service + firewall layers, NOT hosts-file blocking of Microsoft domains** — hosts-blocking MS breaks Windows Update, violating design-principle #13 "update or die". *(was "hosts file")* 4. Added **VBS/HVCI/Credential Guard/Kernel DMA Protection** to scope + verify gates; noted **Enterprise** (prototype) vs **IoT Enterprise LTSC** (SKU target) hardening equivalence. ### Honest positioning (per design-principle #2) Nation-state / firmware tier is **explicitly NOT claimed** on consumer UMPC silicon: closed AMI-class BIOS, always-on AMD PSP (no ME-disable equivalent), no hardware kill switches. Buyers whose threat model centres there are pointed to **SilverMetal OS — Linux** on coreboot/ME-neutralised hardware (`docs/hardware-skus.md`). 🤖 Generated with [Claude Code](https://claude.com/claude-code)
SilverLABS added 1 commit 2026-06-08 14:19:57 +00:00
docs(windows): add Enhanced-Windows hardening spec (Pocket 4 reference) ea2de4339d 
Add windows/hardening-spec.md: the detailed config-layer hardening spec for
SilverMetal Enhanced - Windows, with the GPD Pocket 4 (AMD Strix Point) as
reference device. Eight control domains (provisioning, boot/firmware trust,
data-at-rest, kernel/credential isolation, app control, network/radios,
physical/lock-screen, privacy/update) each with verification commands, a
buyer-facing residual-risk statement, and one-off -> SKU productization notes.

Refine the windows/README.md v1 scope to match, grounded in the 2026-06-08
deep-research assessment:
- BitLocker TPM+PIN (never TPM-only) - PIN defeats the faulTPM-class offline
  fTPM attack that is literally a BitLocker VMK extraction
- WDAC (App Control), kernel-enforced, audit-first then enforce, as primary;
  AppLocker demoted to fallback (rename planned applocker/ -> wdac/)
- Telemetry at GP+service+firewall layers, NOT hosts-file blocking of MS
  domains (that breaks Windows Update; violates "update or die")
- Add VBS/HVCI/Credential Guard/Kernel DMA Protection to scope + verify gates
- Note Enterprise (prototype) vs IoT Enterprise LTSC (SKU target) equivalence

Bound by docs/threat-model.md and docs/design-principles.md; nation-state /
firmware tier explicitly NOT claimed on consumer UMPC silicon.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS added 1 commit 2026-06-08 14:35:13 +00:00
docs(windows): add ISO-builder design + scaffold the windows/ tree 3a30a0421e 
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SilverLABS merged commit d58aa3ec17 into main 2026-06-08 14:45:15 +00:00
SilverLABS deleted branch docs/enhanced-windows-hardening-spec 2026-06-08 14:45:15 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
SilverLABS
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SilverLABS/SilverMetal#2
Delete Branch "docs/enhanced-windows-hardening-spec"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?