SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cd3808de64a3b3ed54abbd6fef802e2eeb462b54
SilverMetal/windows/hardening/06-physical-lock.ps1
sysadmin a0b9c2c989
All checks were successful
Build SilverMetal Enhanced - Windows ISO / build (push) Successful in 3m51s
Details
fix(windows/hardening): tolerate missing hibernation (module G) 
VM run: `powercfg /hibernate on` writes to stderr where hibernation is unsupported
(VMs), which under ErrorActionPreference=Stop aborted module G after its earlier
lock-screen settings applied. Wrap it so the module completes cleanly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 00:46:13 +01:00

35 lines
2.0 KiB
PowerShell
Raw Blame History

#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain G: Physical & lock-screen hygiene
Theft is threat #1 for a pocket device. Short auto-lock, PIN on wake, block
DMA while locked, prefer hibernate, no HW kill switch (software cam/mic).
Spec: ../hardening-spec.md (G) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[G] Physical & lock-screen hygiene'
# Auto-lock: machine inactivity limit (seconds) + require password on wake.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item $sys -Force | Out-Null
Set-ItemProperty $sys -Name InactivityTimeoutSecs -Type DWord -Value 120 # lock after 2 min idle
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
New-Item $pol -Force | Out-Null
Set-ItemProperty $pol -Name ACSettingIndex -Type DWord -Value 1 # require password on wake (AC)
Set-ItemProperty $pol -Name DCSettingIndex -Type DWord -Value 1 # ... and on battery
# Block new DMA-capable devices while the screen is locked (compensates if firmware
# Kernel DMA Protection is absent - see Domain D / open question §8).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item $fve -Force | Out-Null
Set-ItemProperty $fve -Name DisableExternalDMAUnderLock -Type DWord -Value 1
# Prefer hibernate over sleep (keys not left resident in RAM as long).
# Tolerate environments without hibernation support (e.g. VMs) -- native stderr
# under ErrorActionPreference=Stop would otherwise abort the module.
try { & powercfg /hibernate on 2>&1 | Out-Null } catch { Write-Host ' (hibernate unavailable here; skipped)' }
# TODO-M1: set lid-close + idle -> hibernate via powercfg; deny camera/mic per-app
# (Device Manager disable is the stopgap; the Pocket 4 has NO hardware kill switch).
# NOTE: SilverDuress (Stack, v1.1) provides duress-PIN / panic-wipe - installed by module 08.
Write-Host ' [G] auto-lock=120s, password-on-wake, DMA-blocked-while-locked, hibernate on.'
Reference in New Issue View Git Blame Copy Permalink