security: add MESHTASTIC_LOCKDOWN hardened build option

[niccellular]

Summary

Opt-in hardening flag (MESHTASTIC_LOCKDOWN=1) that raises the security
posture of a physical Meshtastic node — encrypted at-rest storage, redacted
config for unauthenticated clients, USB/serial silence, on-screen content
privacy, and SWD lockout — behind a single build flag. nRF52 gets the full
feature set via the CC310 hardware crypto block; other platforms get
DEBUG_MUTE only and a #warning.

Replaces #9771 — same threat model, scoped down to one commit, addresses
prior review feedback (Jorropo: std::unique_ptr + RAII zeroizing
wipers; Copilot: scope/race fixes, backoff bypass, key-material wipes),
generic build flag instead of an nRF52 variant directory.

What it adds

On nRF52 with -DMESHTASTIC_LOCKDOWN=1:

• MESHTASTIC_PHONEAPI_ACCESS_CONTROL — channel PSKs, security private key,
  admin keys, and wifi_psk redacted from any unauthenticated BLE/USB/TCP
  client. Per-connection auth (atomic flag + global auth-epoch counter for
  O(1) revoke-all on Lock Now).
• MESHTASTIC_ENCRYPTED_STORAGE — AES-128-CTR + HMAC-SHA256 at-rest
  encryption of LocalConfig, channel file, NodeDB, etc. Passphrase-gated
  DEK with TTL/boot-count unlock token and three-layer failed-attempt
  backoff (within-boot millis, wall-clock when RTC valid, persisted
  bootsSinceFail counter that's bumped each boot — closes the
  reboot-bypass).
• MESHTASTIC_ENABLE_APPROTECT — one-way UICR APPROTECT write to lock
  SWD/JTAG; the device resets immediately so the lockout takes effect on
  the same boot. Recoverable only via SWD-side nrfjprog --recover,
  which wipes the entire chip including the encrypted DEK.
• DEBUG_MUTE — silence USB/serial logs to prevent passive info leakage.
• Display privacy — src/security/LockdownDisplay.{h,cpp} exposes a
  small policy (shouldRedactDisplay() + noteUserActivity()). Redaction
  is true when storage is locked OR no user input for
  MESHTASTIC_LOCKDOWN_SCREEN_TIMEOUT_MS (default 30s). When active, the
  display renders a centered "LOCKED" + battery instead of node list,
  messages, GPS, channels, etc. InputBroker::handleInputEvent() resets
  the timer on any button/keyboard/touch/rotary event.

On non-nRF52 platforms: a #warning fires; only DEBUG_MUTE activates.

MESHTASTIC_LOCKDOWN_DEBUG=1 — debug variant that exercises the
access-control + encrypted-storage code paths without the irreversible
bits (no APPROTECT, no DEBUG_MUTE). For development and bring-up only.

Wire format

Uses the proper proto schema added in
meshtastic/protobufs#911
(merged):

Client → device: AdminMessage.lockdown_auth (tag 104), carrying:

• passphrase (1–32 bytes; capped at proto level via .options)
• boots_remaining (optional override; 0 = firmware default)
• valid_until_epoch (optional wall-clock TTL; 0 = no time limit)
• lock_now (bool sentinel for Lock Now)

Device → client: FromRadio.lockdown_status (tag 18), carrying:

• state enum: NEEDS_PROVISION / LOCKED / UNLOCKED / UNLOCK_FAILED
• lock_reason (machine-readable detail for LOCKED — needs_auth,
  token_missing, token_expired, token_boots_zero, token_hmac_fail,
  token_rtc_unavailable, etc.)
• boots_remaining, valid_until_epoch (for UNLOCKED)
• backoff_seconds (for UNLOCK_FAILED)

PhoneAPI emits LockdownStatus post-config (so unauthenticated clients
learn how to authenticate) and after each lockdown_auth command.

A matching client-side implementation is in
Meshtastic-Android features/lockdown-v2.
That branch will need a follow-up update to consume the new schema.

Known gaps — display privacy

Only graphics/Screen.cpp (OLED via OLEDDisplayUi) is gated by the
display-privacy policy. The other renderers do not yet consult
shouldRedactDisplay() and will continue to render full content under
lockdown:

• graphics/InkHUD/ (e-ink rich UI)
• graphics/niche/ (TFT niche graphics)
• meshtastic/device-ui (T-Deck/TFT, separate submodule)

Operators running lockdown on hardware using those UIs should treat the
screen as a plaintext leak surface until follow-up work wires those
renderers in.

Notes for review

• All raw new[]/delete[] in EncryptedStorage.cpp replaced with
  std::unique_ptr via ZeroizingArrayPtr (Jorropo). Key-material
  memsets replaced with secure_zero() (volatile-pointer wipe so it
  isn't elided as dead store on dying stack buffers).
• Passphrase-attempt backoff is RTC-tampering-resistant: three layers
  (within-boot millis, wall-clock when getValidTime() is valid,
  persisted bootsSinceFail counter). Token wall-clock expiry uses
  getValidTime() and refuses the token rather than honor a TTL it
  can't verify.
• APProtect.h doc spells out that the operation is recoverable only via
  full chip erase (which destroys all on-device state including the
  encrypted DEK).
• No new variant directory; any env can opt in by appending the flag to
  its build_flags.
• tools/lockdown_provision.py provides CLI provisioning/unlock/lock-now
  for testing. Requires a meshtastic Python package built against
  protobufs that include the new schema.

[Copilot]

Pull request overview

Adds an opt-in hardened firmware build mode (MESHTASTIC_LOCKDOWN=1) intended to improve physical-device security by gating sensitive local APIs, encrypting configuration at rest (nRF52 only), muting debug output, and optionally enabling nRF52 APPROTECT.

Changes:

• Introduces nRF52-only encrypted-at-rest config storage (EncryptedStorage) plus passphrase provision/unlock/lock-now control via AdminModule and a companion provisioning CLI script.
• Adds PhoneAPI access-control/redaction behavior for unauthenticated local clients (and new authorization plumbing).
• Adds optional nRF52 SWD/JTAG lockout support via UICR APPROTECT, wired into setup() under the lockdown build flag.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
tools/lockdown_provision.py	CLI utility to provision/unlock/lock a lockdown device via the Python Meshtastic library.
src/security/SecureZero.h	Adds secure zeroization helpers + zeroizing RAII buffers for key material.
src/security/EncryptedStorage.h	Declares encrypted storage API, formats, and lockdown boot/provision/unlock flows.
src/security/EncryptedStorage.cpp	Implements nRF52 CC310-backed AES-CTR + HMAC encrypted file storage, unlock tokens, and backoff.
src/security/APProtect.h	Documents and declares the APPROTECT enablement helper.
src/security/APProtect.cpp	Implements APPROTECT UICR write logic (nRF52).
src/modules/AdminModule.cpp	Adds lockdown passphrase transport and “Lock Now” handling in set_config(security); ties auth into PhoneAPI + NodeDB reload.
src/mesh/PhoneAPI.h	Adds access-control flags/APIs and atomic auth state for lockdown builds.
src/mesh/PhoneAPI.cpp	Enforces ToRadio gating and redacts secrets for unauthenticated local clients; emits LOCKDOWN_* notifications.
src/mesh/NodeDB.h	Adds reloadFromDisk() for post-unlock reloading.
src/mesh/NodeDB.cpp	Hooks encrypted read/write into load/save proto paths and handles “locked boot” defaulting + migration.
src/main.cpp	Calls enableAPProtect() and EncryptedStorage::initLocked() during setup under feature flags.
src/configuration.h	Defines the MESHTASTIC_LOCKDOWN / MESHTASTIC_LOCKDOWN_DEBUG build-flag behavior and platform gating.
src/PowerFSM.cpp	Avoids disabling BLE in serialEnter() on nRF52.

[Copilot]

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.