SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d5f9cc2463ac2ff1cfa10ddee05c943e97882d3
SilverMetal/docs/roadmap.md
SysAdmin 7d5f9cc246 chore(scaffold): initial SilverMetal program scaffold 
Cross-platform privacy-hardening program. Two-layer product:
- SilverLABS Application Stack (cross-platform spine)
- Platform Hardening Profiles (per-OS, tier-honest)

Platforms: Linux (Debian/Kicksecure), Android (Pixel/Samsung/Moto/generic),
Windows (LTSC IoT), macOS (profile), iOS (MDM profile). Each flavour has
both a preflashed hardware SKU path and a self-apply "harden your existing
device" path.

Includes umbrella docs (README + threat-model, design-principles,
platform-matrix, roadmap, trust-model), per-platform and per-stack-
component README stubs, .gitignore, LICENSE.

Linux v1 ships first; Stack v1 = Browser + VPN + Sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 03:11:48 +01:00

125 lines
6.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Roadmap
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
## Phase 0 — Foundation (current)
**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
| # | Milestone | Done when |
|---|---|---|
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
**Status**: in progress (this commit completes 0.10.3).
---
## Phase 1 — SilverMetal Linux v1 (the MVP)
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms.
| # | Milestone | Done when |
|---|---|---|
| 1.1 | Kicksecure fork builds reproducibly | `live-build` produces identical SHA256 across two clean builds |
| 1.2 | Hardening overlay applied | KSPP audit passes; Lynis ≥ 90 in CI; AppArmor strict profiles loaded |
| 1.3 | hardened_malloc integrated as system allocator | Verified active for user sessions; no regressions |
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works |
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
| 1.11 | External privacy-engineering review | One independent reviewer (Kicksecure / Whonix community) signs off on threat-model fidelity |
| 1.12 | Hardware SKU pilot batch | 10 preflashed Coreboot-supported laptops shipped and validated |
**Exit criteria for Phase 1**: alpha is publicly downloadable, all verification gates green, hardware SKU available for purchase.
---
## Phase 1.1 — Stack expansion
**Goal**: complete the SilverLABS Application Stack so v1.1 ships with the full suite.
| # | Milestone | Done when |
|---|---|---|
| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding |
| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
---
## Phase 2 — SilverMetal Droid
**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile).
| # | Milestone | Done when |
|---|---|---|
| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ |
| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) |
---
## Phase 3 — SilverMetal Windows
**Goal**: ship the Windows hardening installer for users locked into Windows.
| # | Milestone | Done when |
|---|---|---|
| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired |
| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert |
| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) |
| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) |
---
## Phase 4 — Apple platforms (macOS + iOS profiles)
**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms.
| # | Milestone | Done when |
|---|---|---|
| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) |
| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert |
| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) |
| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) |
| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles |
---
## Phase 5 — Hardening / immutability / Tor sibling
**Goal**: post-MVP improvements; not blocking earlier phases.
- Atomic / immutable Linux variant (ostree)
- dm-verity-protected `/`
- Tor-by-default sibling product (SilverMetal Onion or similar)
- ARM64 / Apple Silicon Linux variant
- Coreboot tooling improvements / additional reference hardware
---
## Cross-cutting workstreams (always-on)
These run in parallel with phases:
- **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories
- **External audits** — annual or per-major-release third-party security review
- **Documentation** — every phase's gate includes documentation update
- **Community / support** — issue tracker, support channels, response SLOs
## Phase entry/exit philosophy
- We do not start a phase until the previous one's exit criteria are met
- We *can* run cross-cutting workstreams in parallel
- A failing verification gate blocks the phase, full stop — no shipping with known regressions
Reference in New Issue View Git Blame Copy Permalink