SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f6dac0fdfdcbb096436da2f6344f7ac6ab4be42d
SilverMetal/windows/README.md
sysadmin ea2de4339d docs(windows): add Enhanced-Windows hardening spec (Pocket 4 reference) 
Add windows/hardening-spec.md: the detailed config-layer hardening spec for
SilverMetal Enhanced - Windows, with the GPD Pocket 4 (AMD Strix Point) as
reference device. Eight control domains (provisioning, boot/firmware trust,
data-at-rest, kernel/credential isolation, app control, network/radios,
physical/lock-screen, privacy/update) each with verification commands, a
buyer-facing residual-risk statement, and one-off -> SKU productization notes.

Refine the windows/README.md v1 scope to match, grounded in the 2026-06-08
deep-research assessment:
- BitLocker TPM+PIN (never TPM-only) - PIN defeats the faulTPM-class offline
  fTPM attack that is literally a BitLocker VMK extraction
- WDAC (App Control), kernel-enforced, audit-first then enforce, as primary;
  AppLocker demoted to fallback (rename planned applocker/ -> wdac/)
- Telemetry at GP+service+firewall layers, NOT hosts-file blocking of MS
  domains (that breaks Windows Update; violates "update or die")
- Add VBS/HVCI/Credential Guard/Kernel DMA Protection to scope + verify gates
- Note Enterprise (prototype) vs IoT Enterprise LTSC (SKU target) equivalence

Bound by docs/threat-model.md and docs/design-principles.md; nation-state /
firmware tier explicitly NOT claimed on consumer UMPC silicon.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:19:37 +01:00

62 lines
3.1 KiB
Markdown
Raw Blame History

# SilverMetal Enhanced — Windows
**Status**: Phase 3W (planning, post-Linux v1)
🛡️ **SilverMetal Enhanced product line** — we harden Windows in place; we do not ship a custom Windows kernel (Microsoft does not permit that).
Tier C — config-layer hardening only. Honest positioning: we cannot modify the Windows kernel or boot chain; we turn every dial Microsoft exposes.
## Scope (v1)
LTSC IoT-based installer that transforms a vanilla Windows install into a SilverMetal-hardened build:
- Windows 11 IoT Enterprise LTSC base (no Cortana, no Store, no Edge baked in, ~10-year support)
- Group Policy hardening (telemetry at `Security` floor, services disabled, sane defaults)
- VBS + HVCI + Credential Guard + Kernel DMA Protection (Microsoft's hardware-backed isolation)
- Defender ASR rules at maximum
- WDAC (App Control for Business) allow-list — kernel-enforced, audit-first then enforce (AppLocker is the documented fallback, not the primary)
- BitLocker enforced — **TPM + PIN** (never TPM-only; PIN defeats the faulTPM-class offline attack on the AMD fTPM)
- Telemetry suppressed at GP + service + firewall layers (**not** hosts-file blocking of Microsoft domains — that breaks Windows Update); residual published, not claimed zero
- Edge / Chrome replaced with SilverBrowser default
- Full SilverLABS Stack preinstalled (native Windows builds)
- SilverVPN MAUI Windows client integrated from existing [`SilverLABS/SilverVPN`](https://git.silverlabs.uk/SilverLABS/SilverVPN)
## Out of scope
- Anything requiring kernel modifications
- Anything requiring developer-controlled verified boot
- Bypassing Microsoft Update (we ship updates via the same channel; we cannot replace it)
## Directory layout
To be populated in Phase 3W. Initial structure planned:
```
windows/
├── installer/ # PowerShell / WiX-based installer
├── policies/ # Group Policy templates, ADMX
├── wdac/ # WDAC (App Control) policies (AppLocker fallback rules if needed)
├── debloat/ # Removal scripts (Edge, Cortana residue, telemetry)
├── stack-installer/ # Native SilverLABS Stack package builders
└── tests/ # Telemetry-leak test, hardening-baseline test
```
## Verification gates
- Telemetry-leak test on hardened install — minimum-feasible Microsoft contact, *documented in full* (we cannot reach zero on Windows; we publish what remains)
- BitLocker enabled with **TPM + PIN** binding verified (TPM-only is rejected)
- VBS / HVCI / Credential Guard verified running
- WDAC allow-list functional (enforced) and documented
- Stack apps install and function
## Full hardening specification
The detailed control spec — eight control domains, verification commands, residual-risk statement, and productization notes — lives in [`hardening-spec.md`](hardening-spec.md). Reference device: GPD Pocket 4 (AMD Strix Point).
## Upstream we depend on
- **Windows 11 IoT Enterprise LTSC** — base OS (licensed)
- **AtlasOS / ReviOS / privacy.sexy** — reference for hardening configs
- **Chris Titus Tech / O&O ShutUp10** — reference for telemetry blocking
- **`SilverLABS/SilverVPN`** — MAUI Windows client (existing)
Reference in New Issue View Git Blame Copy Permalink