SysAdmin
0a0075ce66
Two product lines, named to make scope obvious to buyers: - 🔒 SilverMetal OS — we ship the operating system or ROM (Linux, Pixel, Samsung-unlocked, Motorola-unlocked) - 🛡️ SilverMetal Enhanced — we harden the OS the device already runs (Windows, macOS, iOS, generic Android) Repo alignment: - SilverVPN already exists as a SilverLABS product (server + MAUI client + Linux client + tunnel service). stack/vpn/ is now an integration pointer rather than a re-scaffold; per-platform READMEs reference it. - SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it. Migration step added as roadmap milestone 3I.1. - SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL AppStore Android client, not an Android ROM). - SilverChat may overlap with SilverVPN.Client.Chat; alignment decision added as roadmap milestone 1.1.1. Roadmap restructured: phases now track the OS/Enhanced split. Platform matrix re-sectioned and decision flowchart updated. README rewritten around the two-product-line framing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7.7 KiB
7.7 KiB
Roadmap
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
The two product lines (SilverMetal OS and SilverMetal Enhanced) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only.
Phase 0 — Foundation (current)
Goal: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
| # | Milestone | Done when |
|---|---|---|
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
| 0.2 | Umbrella docs | README.md + docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md complete and reviewed |
| 0.3 | Gitea repo created and pushed | SilverLABS/SilverMetal exists on git.silverlabs.uk with this scaffold |
| 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined |
Status: complete.
Phase 1 — SilverMetal OS — Linux v1 (the MVP)
Goal: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours.
| # | Milestone | Done when |
|---|---|---|
| 1.1 | Kicksecure fork builds reproducibly | live-build produces identical SHA256 across two clean builds |
| 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded |
| 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions |
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
| 1.7 | SilverVPN integrated into image | Existing SilverLABS/SilverVPN Linux client + tunnel service preinstalled, always-on default; kill-switch verified |
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
| 1.11 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity |
| 1.12 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated |
Exit criteria for Phase 1: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase.
Phase 1.1 — Stack expansion
Goal: complete the SilverLABS Application Stack so v1.1 ships with the full suite.
| # | Milestone | Done when |
|---|---|---|
| 1.1.1 | SilverChat v1 — alignment review | Decide whether to pull SilverVPN.Client.Chat in, fork it, or scope SilverChat as a separate effort. Outcome documented in docs/decisions/ |
| 1.1.2 | SilverChat v1 client + homeserver | Cross-platform clients functional; account-number onboarding |
| 1.1.3 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.4 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.5 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
Phase 2 — SilverMetal OS — Droid (Pixel + Samsung + Motorola)
Goal: ship the three ROM-level Android tiers.
| # | Milestone | Done when |
|---|---|---|
| 2.1 | OS — Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | OS — Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | OS — Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped |
| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped |
Phase 3 — SilverMetal Enhanced (the four hardening packages)
Goal: ship Enhanced packages for Windows, macOS, iOS, and generic Android.
The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other.
3W — Enhanced — Windows
| # | Milestone | Done when |
|---|---|---|
| 3W.1 | LTSC IoT base licensed and acquired | License path documented |
| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated |
| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) |
| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimum-feasible Microsoft contact, documented |
3M — Enhanced — macOS
| # | Milestone | Done when |
|---|---|---|
| 3M.1 | macOS configuration profile | Signed .mobileconfig enforces FileVault, disables analytics/Siri, configures firewall |
| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening |
| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed |
3I — Enhanced — iOS (supersedes SilverApple)
| # | Milestone | Done when |
|---|---|---|
| 3I.1 | Migrate / fold any usable assets from SilverLABS/SilverApple |
Inventory of SilverApple done; reusable parts moved into ios/; SilverApple repo archived |
| 3I.2 | iOS MDM profile | Signed .mobileconfig for personal MDM or Apple Configurator |
| 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints — fall back if needed) |
| 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles |
3A — Enhanced — Android (generic)
| # | Milestone | Done when |
|---|---|---|
| 3A.1 | Generic Android profile installer | "Harden my Android" — Stack apps + work-profile hardening config |
| 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for |
Phase 4 — Hardening / immutability / Tor sibling
Goal: post-MVP improvements; not blocking earlier phases.
- Atomic / immutable Linux variant (ostree)
- dm-verity-protected
/ - Tor-by-default sibling product
- ARM64 / Apple Silicon Linux variant
- Coreboot tooling improvements / additional reference hardware
Cross-cutting workstreams (always-on)
- Security advisories — vulnerability response process from Phase 1.10 onward
- External audits — annual or per-major-release third-party review
- Documentation — every phase's gate includes documentation update
- Community / support — issue tracker, support channels, response SLOs
Phase entry/exit philosophy
- We do not start a phase until the previous one's exit criteria are met
- Cross-cutting workstreams run in parallel
- A failing verification gate blocks the phase, full stop — no shipping with known regressions