Make nRF52 lockdown support opt-in (#10712)

* Make nRF52 lockdown support opt-in

* Scope lockdown opt-in normalization to nRF52

src/configuration.h

@@ -576,9 +576,10 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 // -----------------------------------------------------------------------------
 // MESHTASTIC_LOCKDOWN — runtime, client-toggleable hardening (nRF52 only)
 //
-// There is NO build flag to turn lockdown on or off. On nRF52 (CC310 hardware
-// crypto) the lockdown machinery is ALWAYS compiled in; whether it is ACTIVE
-// is decided entirely at runtime by EncryptedStorage::isLockdownActive()
+// Lockdown/protect support is opt-in at build time. Builds that need it pass
+// -DMESHTASTIC_ENABLE_LOCKDOWN=1. When enabled on nRF52 (CC310 hardware
+// crypto), whether it is ACTIVE is decided entirely at runtime by
+// EncryptedStorage::isLockdownActive()
 // (== a passphrase has been provisioned, i.e. /prefs/.dek exists). A device
 // that has never been provisioned — or that the operator disabled from the
 // client app — behaves exactly like stock firmware: plaintext storage, no
@@ -594,11 +595,10 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 //               reboots into normal mode. APPROTECT is the one thing that
 //               does NOT revert (see below).
 //
-// MESHTASTIC_LOCKDOWN here is an INTERNAL capability marker, auto-defined for
-// nRF52. It gates the UI bits (lock screen, pairing-PIN handling). It is NOT
-// something a variant sets. Flash-constrained nRF52 variants that genuinely
-// cannot afford the ~tens-of-KB of crypto + access-control code may opt OUT
-// with -DMESHTASTIC_EXCLUDE_LOCKDOWN=1.
+// MESHTASTIC_LOCKDOWN here is an INTERNAL capability marker. It gates the UI
+// bits (lock screen, pairing-PIN handling). Flash-constrained nRF52 variants
+// that genuinely cannot afford the ~tens-of-KB of crypto + access-control code
+// may also opt out with -DMESHTASTIC_EXCLUDE_LOCKDOWN=1.
 //
 //   MESHTASTIC_PHONEAPI_ACCESS_CONTROL — per-connection auth + redaction,
 //                                        gated at runtime on isLockdownActive()
@@ -615,7 +615,22 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 // -DMESHTASTIC_LOCKDOWN_DEBUG=1 keeps the irreversible APPROTECT burn disabled
 // even when provisioned — for development so dev boards never lose SWD.
 // -----------------------------------------------------------------------------
-#if defined(ARCH_NRF52) && !defined(MESHTASTIC_EXCLUDE_LOCKDOWN)
+#if defined(ARCH_NRF52)
+#ifndef MESHTASTIC_ENABLE_LOCKDOWN
+#define MESHTASTIC_ENABLE_LOCKDOWN 0
+#endif
+
+#if !MESHTASTIC_ENABLE_LOCKDOWN
+#undef MESHTASTIC_LOCKDOWN
+#undef MESHTASTIC_PHONEAPI_ACCESS_CONTROL
+#undef MESHTASTIC_ENCRYPTED_STORAGE
+#undef MESHTASTIC_ENABLE_APPROTECT
+#ifndef MESHTASTIC_EXCLUDE_LOCKDOWN
+#define MESHTASTIC_EXCLUDE_LOCKDOWN 1
+#endif
+#endif
+
+#if MESHTASTIC_ENABLE_LOCKDOWN && !defined(MESHTASTIC_EXCLUDE_LOCKDOWN)
 #define MESHTASTIC_LOCKDOWN 1
 #define MESHTASTIC_PHONEAPI_ACCESS_CONTROL 1
 #define MESHTASTIC_ENCRYPTED_STORAGE 1
@@ -623,6 +638,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #define MESHTASTIC_ENABLE_APPROTECT 1
 #endif
 #endif
+#endif
 
 #ifdef MESHTASTIC_LOCKDOWN
 

src/platform/nrf52/NRF52Bluetooth.cpp

@@ -71,9 +71,11 @@ void onConnect(uint16_t conn_handle)
     // the (single, reused) bluetoothPhoneAPI instance, so a prior session's
     // authorization can otherwise survive a quick reconnect. handleStartConfig()
     // re-locks on every want_config too; this closes the window before that.
+#ifdef MESHTASTIC_PHONEAPI_ACCESS_CONTROL
     if (bluetoothPhoneAPI) {
         bluetoothPhoneAPI->setAdminAuthorized(false);
     }
+#endif
 
     // Notify UI (or any other interested firmware components)
     meshtastic::BluetoothStatus newStatus(meshtastic::BluetoothStatus::ConnectionState::CONNECTED);