Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.
Scaffold windows/ per the planned layout:
- installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2),
inputs.manifest.json (pinned-input schema), autounattend.xml
(local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
(used by BOTH the ISO first-boot path and the self-apply track).
BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with
READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
anti-pattern; rename applocker/ -> wdac/ realised.
All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
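The verify stage and the "pinned inputs" half of the reproducibility scope come down to one fail-closed check: every input the build consumes must match the digest recorded for it, and a missing, malformed or mismatching pin must stop the pipeline before extract runs. As an added example (not the repository's build.ps1, whose stages are stubbed in this commit, and not its inputs.manifest.json schema, which the commit does not show), the PowerShell below implements that check against an assumed manifest layout: a JSON object whose `inputs` array carries `name`, `path` and `sha256`. The two sample files and the manifest it writes to a temp directory are constructed for the demo; the function name `Test-PinnedInputs` is mine.

```powershell
#Requires -Version 5.1
# Added example of a fail-closed "verify" stage. Manifest layout is an assumption:
#   { "inputs": [ { "name": "...", "path": "relative/to/manifest", "sha256": "<64 hex>" }, ... ] }
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'

function Test-PinnedInputs {
    [CmdletBinding()] param(
        [Parameter(Mandatory)][string]$ManifestPath,
        [string]$Root = (Split-Path -Parent $ManifestPath)   # inputs resolve relative to the manifest
    )
    $manifest = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
    $results = foreach ($in in $manifest.inputs) {
        $full = Join-Path $Root $in.path
        if (-not ($in.sha256 -match '^[0-9a-fA-F]{64}$')) {
            $status = 'BAD-PIN'            # a pin that is not a SHA-256 hex digest is never trusted
        } elseif (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $status = 'MISSING'
        } else {
            $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            $status = if ($actual -ieq $in.sha256) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{ Name = $in.name; Path = $in.path; Status = $status }
    }
    $bad = @($results | Where-Object Status -ne 'OK')
    [pscustomobject]@{ Results = $results; Failed = $bad; Pass = ($bad.Count -eq 0) }
}

# Constructed demo workspace: one input whose pin matches, one that was "tampered" after pinning.
$ws = Join-Path ([IO.Path]::GetTempPath()) ('sm-verify-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $ws | Out-Null
[IO.File]::WriteAllText((Join-Path $ws 'good.bin'),     'pinned content')
[IO.File]::WriteAllText((Join-Path $ws 'tampered.bin'), 'not what was pinned')
$pin = (Get-FileHash -LiteralPath (Join-Path $ws 'good.bin') -Algorithm SHA256).Hash
@{ inputs = @(
    @{ name = 'good';     path = 'good.bin';     sha256 = $pin },
    @{ name = 'tampered'; path = 'tampered.bin'; sha256 = $pin }   # wrong digest for this file
) } | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath (Join-Path $ws 'inputs.manifest.json')

$r = Test-PinnedInputs -ManifestPath (Join-Path $ws 'inputs.manifest.json')
$r.Results | Format-Table -AutoSize       # good -> OK, tampered -> MISMATCH
Remove-Item -LiteralPath $ws -Recurse -Force
if (-not $r.Pass) { throw "verify stage failed, refusing to extract: $($r.Failed.Name -join ', ')" }
```

The check throws rather than warns because the orchestrator should not be able to fall through into DISM servicing with an unverified ISO or driver bundle; the per-input table is what the attest stage would later record alongside the SBOM.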
39 lines
1.8 KiB
PowerShell
```powershell
#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain D: Kernel & credential isolation

VBS + HVCI + Credential Guard + LSA protection + Kernel DMA Protection.

The genuinely strong, hardware-backed part of hardened Windows.

Spec: ../hardening-spec.md (D) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[D] Kernel & credential isolation'

# VBS + HVCI (Memory Integrity)
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item $dg -Force | Out-Null
Set-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
# 3 additionally requires IOMMU-backed DMA protection, which is exactly what is still
# open on this AMD platform, so stay at 1 until the IVRS question is settled.
Set-ItemProperty $dg -Name RequirePlatformSecurityFeatures -Type DWord -Value 1
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item $hvci -Force | Out-Null
Set-ItemProperty $hvci -Name Enabled -Type DWord -Value 1

# Credential Guard
$lsacfg = "$dg\Scenarios\CredentialGuard"
New-Item $lsacfg -Force | Out-Null
Set-ItemProperty $lsacfg -Name Enabled -Type DWord -Value 1
# The documented Credential Guard switch is LsaCfgFlags under the Lsa key
# (1 = enabled with UEFI lock, 2 = enabled without lock); set it as well so the
# setting does not depend on the Scenarios key alone.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name LsaCfgFlags -Type DWord -Value 1

# LSA protection (RunAsPPL): 1 = enabled with UEFI lock, so a later registry write
# alone cannot switch it back off.
Set-ItemProperty $lsa -Name RunAsPPL -Type DWord -Value 1

# Kernel DMA Protection: on AMD this is firmware-gated (ACPI IVRS DMA_REMAP bit).
# Compensating control (see Domain G): DeviceEnumerationPolicy 0 = Block all (devices
# whose drivers lack DMA-remapping support never enumerate), 1 = Only while locked,
# 2 = Allow all. Caveat: Windows enforces this policy only where the firmware reports
# Kernel DMA Protection as supported, so on a box where msinfo32 shows it Off this
# value is a no-op and does not close the IVRS gap.
$ki = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
New-Item $ki -Force | Out-Null
Set-ItemProperty $ki -Name DeviceEnumerationPolicy -Type DWord -Value 0

# TODO-M1: confirm msinfo32 reports VBS=Running + Credential Guard + HVCI after reboot;
# confirm whether Kernel DMA Protection shows On (IVRS bit) — open question §8.

Write-Host ' [D] policy set (VBS/HVCI/CredGuard/LSA-PPL/DMA). Effective after reboot.'
```
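The TODO-M1 above asks for a post-reboot confirmation that the policy actually took effect, and a registry write proves nothing about that: VBS can be enabled but not running, and HVCI or Credential Guard can be configured yet refused at boot. As an added example (not the repository's Verify-SilverMetalWindows.ps1), the PowerShell below reads the same Win32_DeviceGuard class that msinfo32's "Virtualization-based security" rows come from, and checks LSA protection through the System-log event WinInit writes when LSASS starts as a protected process. The check names, the pass/fail object and the function name `Test-DomainD` are mine; the class, property codes and event are Microsoft's. The DMA-protection property is reported as informational only, because msinfo32's "Kernel DMA Protection" row remains the authoritative answer to the IVRS question.

```powershell
#Requires -Version 5.1
# Added post-reboot check for Domain D (example, not the project's verifier).
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'

function Test-DomainD {
    [CmdletBinding()] param()
    # Same class msinfo32 reads for its "Virtualization-based security ..." rows.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection (an IOMMU visible to VBS).
    $running   = @($dg.SecurityServicesRunning)
    $available = @($dg.AvailableSecurityProperties)

    # RunAsPPL has no WMI surface; WinInit logs System event 12 when LSASS starts protected.
    $ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'VBS running'                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'HVCI running'               = ($running -contains 2)
        'Credential Guard running'   = ($running -contains 1)
        'LSA protected (WinInit 12)' = ($null -ne $ppl)
        'Secure Boot visible to VBS' = ($available -contains 2)
    }
    # Informational: property 3 only says VBS sees an IOMMU, not that Kernel DMA Protection is On.
    $dma = ($available -contains 3)

    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    [pscustomobject]@{
        Checks               = $checks
        DmaProtectionVisible = $dma
        Failed               = $failed
        Pass                 = ($failed.Count -eq 0)
    }
}

$r = Test-DomainD
foreach ($k in $r.Checks.Keys) {
    Write-Host ('{0,-28} {1}' -f $k, $(if ($r.Checks[$k]) { 'OK' } else { 'MISSING' }))
}
Write-Host ('{0,-28} {1}' -f 'DMA protection visible', $r.DmaProtectionVisible)
if (-not $r.Pass) { throw "[D] not effective after reboot: $($r.Failed -join ', ')" }
```

Because the self-apply track and the ISO first-boot path share the hardening modules, a check like this belongs in the shared verifier rather than in either runner: the first-boot runner can only set policy, and whether it became effective is only knowable after the reboot that follows SetupComplete.cmd.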