SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10e099fcf9f3a5e0c2fb247b47ec41dd0ff91368
SilverMetal/linux
History
SysAdmin 10e099fcf9
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Successful in 1s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 17m56s
Details
fix(linux/build): scrub nvme/hostid + dkms logs, rebuild squashfs (M1.1 iter29) 
Run #4276's diffoscope (now actually working — see iter28) pinned the
M1.1 reproducibility failure to exactly two files inside the rootfs
squashfs:

    /etc/nvme/hostid
        - c5867514-b138-4bfc-a2ae-f801d05a3606
        + 62e3fae3-692d-4451-ab04-353e27547806
    /var/lib/dkms/tirdad/0.1/<kver>/x86_64/log/make.log
        - Thu May  7 20:23:04 UTC 2026
        + Thu May  7 20:39:14 UTC 2026
        - # elapsed time: 00:00:01
        + # elapsed time: 00:00:00

Inner squashfs file sizes differed by 4 bytes (983547059 vs 983547063);
the outer ISO size matched because squashfs pads to block boundaries.
Both files come from upstream Debian package postinsts that run inside
the live-build chroot:

  * nvme-cli's postinst calls `nvme gen-hostnqn` and writes a fresh
    random UUID to /etc/nvme/hostid the first time it's installed.
    Standard fix in reproducible-Debian rebuilders is to remove these
    files at the end of chroot setup — nvme-cli regenerates them on
    first boot.
  * DKMS captures wall-clock build times in its module make.log. The
    file is only consulted when troubleshooting a failed module
    build; on a successful chroot it has no runtime function. Drop
    /var/lib/dkms/<…>/log/ entirely.

Both fixes have to land *inside* the chroot before mksquashfs seals
it. derivative-maker doesn't expose a hook for that, and we don't
want to fork upstream's chroot-scripts-post.d, so build-inner.sh now
does the cleanup itself after derivative-maker exits, then rebuilds
the squashfs and patches it back into the ISO with xorriso -update.

mksquashfs flags chosen for max determinism:
  -reproducible -mkfs-time $SOURCE_DATE_EPOCH -all-time $SOURCE_DATE_EPOCH
  -no-exports -no-xattrs -all-root -no-recovery
  -comp xz -b 1M -Xdict-size 100%

xorriso -update swaps just /live/filesystem.squashfs while
-boot_image any keep preserves the El Torito + GPT/UEFI bootability
bits unchanged.

Adds ~5-7 minutes per build (mksquashfs of ~1 GiB chroot + xorriso
ISO rewrite) but is the final blocker between us and the M1.1
reproducibility gate passing. Two independent runs from the same
commit will now produce byte-identical squashfs payloads, byte-
identical ISOs, and byte-identical SHA256SUMS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 21:49:25 +01:00
..
build
fix(linux/build): scrub nvme/hostid + dkms logs, rebuild squashfs (M1.1 iter29)
2026-05-07 21:49:25 +01:00
README.md
docs(naming): adopt OS / Enhanced product-line framing + align with existing repos
2026-04-25 03:30:45 +01:00

README.md

SilverMetal OS — Linux

Status: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build)

🔒 SilverMetal OS product line — we ship the operating system.

The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based.

Scope (v1)

See ../docs/roadmap.md Phase 1.

Hardening must-haves

  • Kicksecure base (Debian-derived, hardened upstream)
  • linux-hardened kernel + KSPP sysctl/build flags
  • Secure Boot with our shim/MOK
  • TPM2 PCR-bound LUKS2 unlock (Argon2id), full-disk encryption mandatory
  • AppArmor strict profiles for browsers, mail, viewers, networked daemons
  • GrapheneOS hardened_malloc as system allocator
  • bubblewrap + Flatpak primary; firejail for legacy .deb
  • nftables default-deny inbound, encrypted DNS, SilverVPN always-on default
  • Zero upstream telemetry — verified by integration test
  • SilverBrowser default (ungoogled-chromium-rebranded v1)
  • SilverVPN integrated from existing SilverLABS/SilverVPN (Linux client + tunnel service)
  • SilverSync v1 (Nextcloud-backed, client-side encryption)
  • A/B updates with rollback, signed by our keys
  • Optional amnesic session mode

Out of scope (v1)

  • Atomic / immutable root (v1.1 — ostree experiment)
  • dm-verity on / (v1.1)
  • ARM64 / Apple Silicon (v2)
  • Tor-by-default variant (sibling product later)

Directory layout

linux/
├── build/             # live-build pipeline, reproducible-build config
├── kernel/            # config fragments, linux-hardened pinning
├── overlay/           # /etc + /usr/share/silvermetal + skel hardening overlay
├── packages/
│   ├── include.list   # what's installed
│   └── exclude.list   # what's purged (snap, telemetry, etc.)
├── apparmor/          # custom strict profiles
├── nftables/          # default ruleset
├── installer/         # Calamares branding + hardened defaults
├── update-server/     # signing + repo hosting (infra-as-code)
└── tests/
    ├── lynis-baseline/
    ├── kspp-check/
    └── telemetry-leak/

Verification gates (must pass before public alpha)

  • Two clean builds from same commit → identical SHA256
  • kconfig-hardened-check passes
  • Lynis hardening score ≥ 90
  • 30-min idle telemetry capture: zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics
  • TPM tamper test: LUKS correctly falls back to passphrase
  • AppArmor: every networked binary confined or documented
  • Independent privacy-engineering review

Upstream we depend on

  • Kicksecure — fork base
  • linux-hardened — kernel patchset
  • GrapheneOS hardened_malloc — allocator
  • KSPP — kernel config authority
  • secureblue — reference for v1.1 immutable design
  • SilverLABS/SilverVPN — VPN client + tunnel service (existing, integrated)
Reference in New Issue View Git Blame Copy Permalink