SilverMetal/windows/hardening/01-boot-firmware.ps1

#Requires -Version 5.1
<#  SilverMetal Enhanced - Windows | Domain B: Boot & firmware trust
    Most of B is a FIRMWARE step (Secure Boot custom-key enrollment, BIOS admin
    password) that an OS image cannot perform. This module STAGES our keys and
    reports Secure Boot state; the enrollment itself is done in UEFI setup at
    provisioning (SKU) or as a documented user step (self-apply).
    Spec: ../hardening-spec.md (B)   |   SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[B] Boot & firmware trust'

try {
    if (Confirm-SecureBootUEFI) { Write-Host '   Secure Boot: ENABLED' }
    else { Write-Warning '   Secure Boot is DISABLED - enable + enrol custom keys in UEFI setup.' }
} catch { Write-Warning "   Secure Boot state unavailable (legacy/CSM?): $_" }

# TODO-M1: stage SilverMetal PK/KEK/db (retain Microsoft UEFI CA for option ROMs) to a known path
#          for KeyTool/manual enrollment; document the firmware-side procedure.
# REMINDER (manual, NOT scriptable here): set a BIOS admin password; disable PXE/legacy/CSM;
#          verify enrolled keys survive a GPD BIOS update (open question, hardening-spec.md §8).

Write-Host '   [B] staged (firmware enrollment is a documented manual step)'