SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3
SilverMetal/docs/platform-matrix.md
SysAdmin 7d5f9cc246 chore(scaffold): initial SilverMetal program scaffold 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00

209 lines
9.1 KiB
Markdown
Raw Blame History

# Platform Matrix
The honest per-platform capability and pros/cons table. This is what a buyer sees on each product page so they can choose based on their actual constraint.
## Hardening tiers
| Tier | What it means |
|---|---|
| **A — Fully controllable** | We own the kernel, boot chain, MAC framework, and update infrastructure |
| **B — Firmware-controllable** | We replace the OS stack but not every firmware blob |
| **C — Config-controllable** | Proprietary kernel; we harden at config + app layer |
| **D — Policy-controllable** | Closed platform; we ship profiles + curated apps + setup only |
## Capability summary
| Platform | Tier | Deliverable | Stack support |
|---|---|---|---|
| SilverMetal Linux | A | Custom Debian/Kicksecure-based ISO | Full, native |
| SilverMetal Droid (Pixel) | B | GrapheneOS-fork ROM | Full, native |
| SilverMetal Droid (Samsung) | C | LineageOS-fork ROM where bootloader unlocks; profile + Stack elsewhere | Full where ROM, Stack-only otherwise |
| SilverMetal Droid (Motorola) | C | DivestOS/LineageOS-fork ROM on supported models | Full where supported |
| SilverMetal Droid (generic) | D | "Harden any Android" — Stack + work-profile config | Stack + config only |
| SilverMetal Windows | C | LTSC IoT installer + hardening + Stack | Full (Stack apps run native) |
| SilverMetal macOS | C-D | Signed config profile + setup script + Stack | Full (Stack apps run native) |
| SilverMetal iOS | D | MDM profile + Stack from App Store | Full (Stack apps via App Store) |
## Per-platform pros / cons
### SilverMetal Linux (Tier A)
**Reference setup. The strongest possible SilverMetal device.**
**Pros**
- Full kernel-level hardening (KSPP, linux-hardened, hardened_malloc)
- Verified boot we control end-to-end (Secure Boot with our shim/MOK, TPM2 PCR-bound LUKS2)
- AppArmor strict profiles for every networked surface
- Reproducible builds; we publish SBOMs and build attestations
- Zero upstream telemetry — every Microsoft/Google/Mozilla/Canonical phone-home removed
- Full SilverLABS Stack runs natively
- Update channel and signing keys are ours
**Cons**
- Learning curve for users coming from Windows/Mac
- Some commercial software does not run natively (Adobe CC, MS Office native — though web/Office365 work, native MS Office does not)
- Some games, particularly anti-cheat-protected titles, will not run
- Hardware compatibility needs checking before purchase (Coreboot SKUs are best-supported)
**Best for**: users whose work is browser + email + office docs + dev + comms; anyone who would otherwise install Linux themselves; the maximum-privacy buyer.
---
### SilverMetal Droid — Pixel flagship (Tier B)
**The secure-phone flagship. GrapheneOS-tier engineering.**
**Pros**
- Verified boot we control via Pixel's relockable bootloader
- Hardened Android kernel (GrapheneOS patches)
- App-level sandbox enforced; sandboxed Google Play *optional*, not required
- Per-app network/sensor/storage permissions
- Duress wipe (v1.1)
- Daily-driveable as a phone
**Cons**
- Pixel hardware only (4a 5G and newer — others EOL)
- Some banking apps and corporate apps refuse to run on non-Play-Integrity devices (workaround: sandboxed Play, but breaks the airtight model)
- Not all carriers support all Pixel models cleanly
**Best for**: the "secure phone" buyer, journalists, activists, anyone who would otherwise buy an Encrochat-style rebadged phone but wants real engineering.
---
### SilverMetal Droid — Samsung (Tier C)
**For users on Samsung hardware. Variable depending on model and region.**
**Pros**
- Wide hardware availability and price range
- LineageOS / DivestOS fork for unlocked-bootloader regions gives most of the benefit
- Knox security layer is genuinely capable on locked models
- Full SilverLABS Stack supported either way
**Cons**
- Many Samsung models — especially US-carrier models — have permanently locked bootloaders; we cannot replace the OS
- Even on unlocked bootloader, we lose verified boot rooting back to our key
- Knox tripped flag is permanent; some Samsung features (Samsung Pay, Knox-protected work apps) may stop working
**Best for**: existing Samsung owners; buyers wanting a non-Pixel Android with strong-enough hardening.
---
### SilverMetal Droid — Motorola (Tier C)
**For users on Motorola hardware. Best Android option after Pixel for unlocked-bootloader hardening.**
**Pros**
- Many Moto models support bootloader unlock cleanly
- DivestOS / LineageOS support is good for popular models
- More affordable than Pixel
- Full SilverLABS Stack supported
**Cons**
- Verified boot weaker than Pixel — no relockable bootloader on most models
- Hardware longevity / update support varies by model
- Driver / firmware blob situation messier than Pixel
**Best for**: budget-conscious buyer wanting custom-ROM-tier hardening without Pixel pricing.
---
### SilverMetal Droid — Generic / "harden my existing Android" (Tier D)
**For users who already own an Android and won't / can't replace the ROM.**
**Pros**
- Works on virtually any Android 13+ device
- Full SilverLABS Stack runs (Browser, VPN, Sync, etc.)
- Work-profile-based isolation contains tracking apps in a managed sandbox
- No bootloader unlock required; no warranty void
**Cons**
- We do not control the OS — Google + your OEM still do
- Verified boot is your OEM's, not ours
- Telemetry from OS-level Google services cannot be fully blocked without a ROM swap
- Honest tier label: D, weakest Android tier
**Best for**: existing Android owners who want privacy improvements without buying new hardware or unlocking their bootloader.
---
### SilverMetal Windows (Tier C)
**For users locked into Windows-only software.**
**Pros**
- Keeps full compatibility with Windows-native software, including Adobe CC, MS Office native, Windows-only line-of-business apps, anti-cheat-protected games
- Removes ~90% of Microsoft telemetry (Group Policy + hosts + service disabling, verified)
- Enforces BitLocker (TPM-bound), Defender ASR rules at maximum, AppLocker allow-listing
- LTSC IoT base = no Cortana, no Store, no Edge baked in, supportable for ~10 years
- Full SilverLABS Stack runs native
- Edge / Chrome replaced with SilverBrowser
**Cons**
- We do not control the kernel, the boot chain, or Windows Update
- Microsoft can change things in updates we cannot prevent
- Some telemetry channels Microsoft does not expose for disabling
- Honest tier label: C, config-layer only — *we say this in marketing*
- Requires LTSC IoT licensing for the strongest variant; standard Win 11 Pro is supported but weaker
**Best for**: business users and creatives who can't leave Windows but want every privacy dial turned to maximum.
---
### SilverMetal macOS (Tier C-D)
**For Mac-committed users.**
**Pros**
- Apple hardware quality is excellent; Secure Enclave + FileVault are genuinely strong when configured
- Lockdown Mode dramatically reduces remote-attack surface
- Apple's app sandboxing is robust at the kernel layer
- Full SilverLABS Stack runs native (universal binaries)
- Safari replaced with SilverBrowser by default
- Telemetry / Siri / analytics all disabled by our profile
**Cons**
- We cannot modify macOS itself
- Apple still receives device-linked metadata we cannot fully stop (App Store auth, OS update checks, Apple ID)
- iCloud is required for some OS features; we scope it to absolute minimum
- Honest positioning: "hardened Mac," not "anonymous Mac"
**Best for**: Mac-committed users (creative professionals, developers on Apple Silicon) who want maximum-feasible hardening on hardware they're keeping.
---
### SilverMetal iOS (Tier D)
**For iPhone users.**
**Pros**
- iOS sandbox + Secure Enclave + Lockdown Mode are genuinely strong against remote attack, in some respects stronger than any other consumer platform
- Full SilverLABS Stack available via App Store (Browser, VPN, Sync, Keys, Chat once approved)
- Hardware-key 2FA (YubiKey/Lightning) supported and recommended in our setup guide
- "Disposable Apple ID" guidance reduces account-graph exposure
**Cons**
- The most restrictive platform — Apple ID is unavoidable for App Store
- Cannot replace many default services (Mail.app, FaceTime, iMessage) — only complement them
- App-level replacements only via App Store (no sideloading in most regions yet)
- Configuration profile + MDM applies; cannot modify iOS itself
- Honest tier label: D, weakest tier in the family — *we say this in marketing*
**Best for**: users whose threat model is commercial surveillance (not state-actor targeting) and who need to stay on iPhone for personal/work reasons.
## Decision flowchart
```
Does the user need maximum privacy and is software-flexible?
→ SilverMetal Linux
Does the user need a phone, primarily?
→ Pixel? → SilverMetal Droid Flagship
→ Samsung/Motorola with unlocked bootloader? → matching ROM tier
→ iPhone or locked Android? → corresponding profile tier
Does the user need Windows-only software?
→ SilverMetal Windows
Is the user Mac-committed?
→ SilverMetal macOS
Does the user already own a device they're keeping?
→ The corresponding "profile" or "harden existing" tier
```
We do not push users between tiers. We tell them what each can deliver and let them choose.
Reference in New Issue View Git Blame Copy Permalink