SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bafa852318d1aab4ad9b4f5f34cc9155683e6af
SilverMetal/linux
History
SysAdmin 6bafa85231
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / builder-image (push) Successful in 1s
Details
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 17m27s
Details
fix(linux/build): byte-patch Rock Ridge TF dates after xorriso (M1.1 iter37) 
Run #4284's diagnostic (iter36) confirmed xorriso ignores every
date-setting command we throw at it for the node it just -updated:

    flag=0x0e  →  CREATION + MODIFICATION + ACCESS (short form)
    CREATION   (set from source file btime via touch -d):
        7e 05 08 00 2c 3a 00     (= SOURCE_DATE_EPOCH)
    MODIFICATION   (still wall-clock):
        A=7e 05 08 01 02 2c 00   B=7e 05 08 01 12 33 00
    ACCESS   (still wall-clock):
        A=7e 05 08 01 02 2c 00   B=7e 05 08 01 12 32 00

Tested across iters 34-36:
  * `-alter_date_r all "=N" /`           — only fixed CREATION (b)
  * `-alter_date all "=N" path` after -update — same
  * `-volume_date c m x f u s "=N"`      — volume-level only
  * `touch -d "@N" "${new_sqfs}"` before — fixed CREATION via btime
  * various orderings, with/without `--` terminators
None override xorriso's wall-clock stamping of MOD/ACCESS at -commit.

Concede that fight and just patch the bytes after xorriso writes the
ISO. We KNOW exactly what's wrong — the TF entry for
/live/filesystem.squashfs has its CREATION slot correct (= 7-byte
ISO9660 short-form encoding of SOURCE_DATE_EPOCH) but MODIFICATION
and ACCESS still hold the post-process commit time. So copy the 7
CREATION bytes over the 7 MODIFICATION bytes and 7 ACCESS bytes.

The patcher (embedded Python, since silvermetal-builder ships
python3):
  * Finds every TF entry header (`54 46 1a 01 0e`) near the
    "filesystem.squashfs" NM tag (96-byte window — anchors both
    ends so we don't touch some other file's TF entry).
  * Copies CREATION (offset +5..+12) onto MODIFICATION (+12..+19)
    and ACCESS (+19..+26).
  * Skips entries already correct (so re-running is a no-op).
  * Reports how many entries were patched.

This is surgical: only the entry we know is broken, and only when
its MOD/ACCESS actually differ from the (known-correct) CREATION.

If the next run still drifts, the diagnostic byte-offset will tell
us where the residual leak is (almost certainly in some volume
descriptor field we haven't covered yet — at which point we extend
the patcher).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 02:22:56 +01:00
..
build
fix(linux/build): byte-patch Rock Ridge TF dates after xorriso (M1.1 iter37)
2026-05-08 02:22:56 +01:00
README.md
docs(naming): adopt OS / Enhanced product-line framing + align with existing repos
2026-04-25 03:30:45 +01:00

README.md

SilverMetal OS — Linux

Status: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build)

🔒 SilverMetal OS product line — we ship the operating system.

The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based.

Scope (v1)

See ../docs/roadmap.md Phase 1.

Hardening must-haves

  • Kicksecure base (Debian-derived, hardened upstream)
  • linux-hardened kernel + KSPP sysctl/build flags
  • Secure Boot with our shim/MOK
  • TPM2 PCR-bound LUKS2 unlock (Argon2id), full-disk encryption mandatory
  • AppArmor strict profiles for browsers, mail, viewers, networked daemons
  • GrapheneOS hardened_malloc as system allocator
  • bubblewrap + Flatpak primary; firejail for legacy .deb
  • nftables default-deny inbound, encrypted DNS, SilverVPN always-on default
  • Zero upstream telemetry — verified by integration test
  • SilverBrowser default (ungoogled-chromium-rebranded v1)
  • SilverVPN integrated from existing SilverLABS/SilverVPN (Linux client + tunnel service)
  • SilverSync v1 (Nextcloud-backed, client-side encryption)
  • A/B updates with rollback, signed by our keys
  • Optional amnesic session mode

Out of scope (v1)

  • Atomic / immutable root (v1.1 — ostree experiment)
  • dm-verity on / (v1.1)
  • ARM64 / Apple Silicon (v2)
  • Tor-by-default variant (sibling product later)

Directory layout

linux/
├── build/             # live-build pipeline, reproducible-build config
├── kernel/            # config fragments, linux-hardened pinning
├── overlay/           # /etc + /usr/share/silvermetal + skel hardening overlay
├── packages/
│   ├── include.list   # what's installed
│   └── exclude.list   # what's purged (snap, telemetry, etc.)
├── apparmor/          # custom strict profiles
├── nftables/          # default ruleset
├── installer/         # Calamares branding + hardened defaults
├── update-server/     # signing + repo hosting (infra-as-code)
└── tests/
    ├── lynis-baseline/
    ├── kspp-check/
    └── telemetry-leak/

Verification gates (must pass before public alpha)

  • Two clean builds from same commit → identical SHA256
  • kconfig-hardened-check passes
  • Lynis hardening score ≥ 90
  • 30-min idle telemetry capture: zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics
  • TPM tamper test: LUKS correctly falls back to passphrase
  • AppArmor: every networked binary confined or documented
  • Independent privacy-engineering review

Upstream we depend on

  • Kicksecure — fork base
  • linux-hardened — kernel patchset
  • GrapheneOS hardened_malloc — allocator
  • KSPP — kernel config authority
  • secureblue — reference for v1.1 immutable design
  • SilverLABS/SilverVPN — VPN client + tunnel service (existing, integrated)
Reference in New Issue View Git Blame Copy Permalink