# SilverMetal OS — Linux

**Status**: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build)

🔒 **SilverMetal OS product line** — we ship the operating system.

The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based.

## Scope (v1)

See [`../docs/roadmap.md`](../docs/roadmap.md) Phase 1.

### Hardening must-haves

- Kicksecure base (Debian-derived, hardened upstream)
- linux-hardened kernel + KSPP sysctl/build flags
- Secure Boot with our shim/MOK
- TPM2 PCR-bound LUKS2 unlock (Argon2id), full-disk encryption mandatory
- AppArmor strict profiles for browsers, mail, viewers, networked daemons
- GrapheneOS hardened_malloc as system allocator
- bubblewrap + Flatpak primary; firejail for legacy `.deb`
- nftables default-deny inbound, encrypted DNS, SilverVPN always-on default
- Zero upstream telemetry — verified by integration test
- SilverBrowser default (ungoogled-chromium-rebranded v1)
- SilverVPN integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN) (Linux client + tunnel service)
- SilverSync v1 (Nextcloud-backed, client-side encryption)
- A/B updates with rollback, signed by our keys
- Optional amnesic session mode

### Out of scope (v1)

- Atomic / immutable root (v1.1 — `ostree` experiment)
- dm-verity on `/` (v1.1)
- ARM64 / Apple Silicon (v2)
- Tor-by-default variant (sibling product later)

## Directory layout

```
linux/
├── build/           # live-build pipeline, reproducible-build config
├── kernel/          # config fragments, linux-hardened pinning
├── overlay/         # /etc + /usr/share/silvermetal + skel hardening overlay
├── packages/
│   ├── include.list # what's installed
│   └── exclude.list # what's purged (snap, telemetry, etc.)
├── apparmor/        # custom strict profiles
├── nftables/        # default ruleset
├── installer/       # Calamares branding + hardened defaults
├── update-server/   # signing + repo hosting (infra-as-code)
└── tests/
    ├── lynis-baseline/
    ├── kspp-check/
    └── telemetry-leak/
```

## Verification gates (must pass before public alpha)

- Two clean builds from same commit → identical SHA256
- `kconfig-hardened-check` passes
- Lynis hardening score ≥ 90
- 30-min idle telemetry capture: zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics
- TPM tamper test: LUKS correctly falls back to passphrase
- AppArmor: every networked binary confined or documented
- Independent privacy-engineering review

## Upstream we depend on

- **Kicksecure** — fork base
- **linux-hardened** — kernel patchset
- **GrapheneOS hardened_malloc** — allocator
- **KSPP** — kernel config authority
- **secureblue** — reference for v1.1 immutable design
- **`SilverLABS/SilverVPN`** — VPN client + tunnel service (existing, integrated)
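
The 30-minute idle telemetry gate listed under "Verification gates" reduces to a check over the destinations seen in the capture. The sketch below is an added example, not the project's code from `tests/telemetry-leak/`; the vendor suffix list, the three-field input format and the names `classify` and `gate` are assumptions.

```python
# Added example, not project code. The vendor list is constructed and incomplete.
VENDOR_SUFFIXES = {
    "Microsoft": ("microsoft.com", "windowsupdate.com"),
    "Google": ("google.com", "googleapis.com", "gstatic.com"),
    "Apple": ("apple.com", "icloud.com"),
    "Mozilla": ("mozilla.org", "mozilla.com", "mozilla.net"),
    "Canonical": ("canonical.com", "ubuntu.com", "snapcraft.io"),
    "Debian": ("debian.org",),
    "analytics": ("google-analytics.com",),
}

def classify(hostname):
    host = hostname.strip().rstrip(".").lower()
    for vendor, suffixes in VENDOR_SUFFIXES.items():
        for suffix in suffixes:
            # Match on a label boundary so "notgoogle.com" is not a hit.
            if host == suffix or host.endswith("." + suffix):
                return vendor
    return None

def gate(capture_lines):
    """Return sorted (vendor, destination, count) findings; empty list = pass."""
    hits = {}
    for raw in capture_lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Assumed format: "<epoch> <dst_ip> <name>"; name is DNS/SNI, or "-" if none.
        if len(fields) != 3:
            raise ValueError(f"malformed capture line: {raw!r}")
        _, dst_ip, name = fields
        # A flow with no name cannot be cleared, so it fails the gate as well.
        vendor = "UNRESOLVED" if name == "-" else classify(name)
        if vendor is None:
            continue
        dest = dst_ip if name == "-" else name.rstrip(".").lower()
        hits[(vendor, dest)] = hits.get((vendor, dest), 0) + 1
    return sorted((v, d, n) for (v, d), n in hits.items())

# Constructed sample lines (documentation IP ranges), not real capture output.
SAMPLE = [
    "1700000000 192.0.2.10 vpn.silvermetal.example",
    "1700000005 198.51.100.7 Connectivity-Check.Ubuntu.com.",
    "1700000009 198.51.100.7 connectivity-check.ubuntu.com",
    "1700000042 203.0.113.5 notgoogle.com",
    "1700000150 203.0.113.77 -",
]
if __name__ == "__main__":
    print(gate(SAMPLE) or "PASS")
```

Name-based matching only covers flows that carried a DNS query or SNI, which is why unnamed flows are reported rather than skipped.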