SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6c96e92fa507d56eebd32ea1016be2b44c389c8a
SilverMetal/windows/stack-installer
History
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree 
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00
..
README.md
docs(windows): add ISO-builder design + scaffold the windows/ tree
2026-06-08 15:35:13 +01:00

README.md

windows/stack-installer

Native Windows installers for the SilverLABS Application Stack, staged into the image and run by ../hardening/08-stack-install.ps1.

Component hardening-spec mapping Status
SilverBrowser A, H (default browser) Linux MVP — Windows build TBD
SilverVPN F (always-on kill-switch) Existing — MAUI Windows client (SilverLABS/SilverVPN)
SilverSync A (replaces OneDrive) Linux MVP — Windows build TBD
SilverChat F (E2EE over VPN) Existing (SilverVPN.Client.Chat)
SilverDuress G (duress / panic-wipe) v1.1
SilverKeys C, A (pwd/2FA + offline BL recovery key) v1.1

Installers must be signature-verified against the SilverLABS signing key (../../docs/trust-model.md) before install. Lands at M4.

Reference in New Issue View Git Blame Copy Permalink