Add lockdown disable + DISABLED status for runtime lockdown toggle #927

Closed. niccellular wants to merge 2 commits into meshtastic:develop from niccellular:feature/lockdown-disable

@niccellular

Member

Summary

Adds the two wire-format pieces needed to move MESHTASTIC_LOCKDOWN from a compile-time build flag to a runtime, client-toggleable setting (Android/iOS "lockdown mode" switch).

  • AdminMessage.LockdownAuth.disable (field 6) — with a valid passphrase in the same message, reverts a device out of lockdown: the firmware decrypts every stored config/channel/nodedb file back to plaintext, removes the wrapped DEK / unlock token / monotonic-counter / backoff files, and reboots into normal mode. The inverse of the existing provision/unlock path.
  • FromRadio.LockdownStatus.State.DISABLED (value 5) — reported by a lockdown-capable device that isn't currently in lockdown, so a client can render its toggle as OFF. Distinct from NEEDS_PROVISION (used only mid-enable).

Notes

  • disable requires the passphrase — the device must prove operator ownership before reverting at-rest encryption. boots_remaining / valid_until_epoch / max_session_seconds / lock_now are ignored when disable=true.
  • APPROTECT is explicitly NOT reversed by disable. On silicon where the debug-port lockout is effective it is permanent (clearable only via a full chip erase over a debug probe, which destroys all data). Clients are expected to surface this irreversibility when lockdown is first enabled. This is called out in the field doc comment.
  • Both files validated with protoc.

Test plan

  • buf lint / buf breaking pass in CI
  • Firmware PR consuming these fields builds against the regenerated bindings

Supports moving MESHTASTIC_LOCKDOWN from a compile-time build flag to a
runtime, client-toggleable setting.

- AdminMessage.LockdownAuth.disable (field 6): with a valid passphrase,
  reverts the device out of lockdown — decrypt all stored config back to
  plaintext, drop the wrapped DEK / unlock token / monotonic counter /
  backoff files, reboot into normal mode. APPROTECT is explicitly NOT
  reversed (the debug-port lockout is permanent on silicon where it is
  effective; only a full chip erase clears it).

- FromRadio.LockdownStatus.State.DISABLED (value 5): reported by a
  lockdown-capable device that is not currently in lockdown, so a client
  can render its 'lockdown mode' toggle as OFF. Distinct from
  NEEDS_PROVISION, which is only used mid-enable.
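
The disable path described in the PR summary above, modelled as an added example (not code from this PR or from the Meshtastic firmware). The KDF, the toy cipher, the dict layout and the side-file names are assumptions; only the LockdownAuth field names and DISABLED = 5 come from the page.

```python
import hashlib
import hmac

DISABLED = 5  # FromRadio.LockdownStatus.State.DISABLED, value stated in the PR
SIDE_FILES = ("wrapped_dek", "unlock_token", "monotonic_counter", "backoff")  # assumed names

def kdf(passphrase: bytes, salt: bytes) -> bytes:
    # Assumed passphrase check for this model; the PR does not specify one.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000)

def xor(data: bytes, key: bytes) -> bytes:
    # Toy keystream cipher standing in for the real at-rest encryption.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def provision(passphrase: bytes, files: dict) -> dict:
    """Build a constructed device that is currently in lockdown."""
    salt = b"constructed-salt"
    dek = kdf(passphrase, salt)  # model shortcut: the DEK is derived, not wrapped
    return {"salt": salt, "verifier": hashlib.sha256(dek).digest(),
            "store": {name: xor(data, dek) for name, data in files.items()},
            "side_files": set(SIDE_FILES), "approtect": True,
            "in_lockdown": True, "rebooted": False}

def handle_lockdown_auth(dev: dict, msg: dict) -> bool:
    """Handle LockdownAuth with disable=true; True only if the device reverted."""
    if not msg.get("disable") or not dev["in_lockdown"]:
        return False  # provision/unlock path is not modelled here
    dek = kdf(msg.get("passphrase", b""), dev["salt"])
    if not hmac.compare_digest(hashlib.sha256(dek).digest(), dev["verifier"]):
        return False  # no proof of ownership: nothing on disk changes
    # boots_remaining / valid_until_epoch / max_session_seconds / lock_now
    # are ignored when disable is set, so they are never read.
    dev["store"] = {name: xor(blob, dek) for name, blob in dev["store"].items()}
    dev["side_files"].clear()
    dev["in_lockdown"] = False
    dev["rebooted"] = True
    return True  # dev["approtect"] is deliberately left untouched

def reported_state(dev: dict):
    # Only DISABLED's value is given on the page; other states are not modelled.
    return None if dev["in_lockdown"] else DISABLED
```
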
@niccellular

Member Author

@copilot resolve the merge conflicts in this pull request

@niccellular

Member Author

Superseded — LockdownAuth.disable and LockdownStatus.State.DISABLED were already merged into develop via separate commits (ae5ccf5 + 79185c6). Closing as obsolete.

@niccellular niccellular closed this Jun 2, 2026
@niccellular niccellular deleted the feature/lockdown-disable branch June 2, 2026 12:17