[PM-18100] Add mlock and memfd_secret implementations

[dani-garcia]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-18100

📔 Objective

Implement some new backends for the KeyStore that use the OS memory protections:

• memfd_secret: On newer Linux only, but should protect any content in the store from being read from external programs, even if running as root. It also provides some minor protection against malicious kernel modules, but that can be bypassed.
• mlock: Supported on Unix. Doesn't provide any real protection from reads, but ensures that the keys aren't swapped to disk. Note that Windows also supports a similar VirtualLock API, but I've had some trouble with the crates depending on an older windows crate, so it's not enabled for Windows yet.

Note that for this implementation to be useful, we need to revert the boxing of keys so they are stack allocated. This would mean either not exposing them publicly, or having a separate internal key type.

This requires a MSRV bump to 1.80 for the use of LazyLock, but #256 requires 1.82 anyway.

For this implementation we're using the hashbrown crate, which allows us to create a HashMap that uses a custom allocator. I've implemented a custom allocator for the two protections mentioned above.

To ensure that this works correctly, I've implemented a simple fuzzing test that executes thousands of random operations and compares the results and contents of these new backeds against the basic rust hashmap that we're using now.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 5d27e184-ea87-48cc-9abd-9ed1e27166a4

Great job, no security vulnerabilities found in this Pull Request

[codecov]

Codecov Report

Attention: Patch coverage is 84.21053% with 33 lines in your changes missing coverage. Please review.

Project coverage is 69.19%. Comparing base (b185bc6) to head (1ab42c5).

Files with missing lines	Patch %	Lines
...den-crypto/src/store/backend/implementation/mod.rs	85.41%	14 Missing ⚠️
.../implementation/custom_alloc/linux_memfd_secret.rs	78.00%	11 Missing ⚠️
...tore/backend/implementation/custom_alloc/malloc.rs	77.77%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #125      +/-   ##
==========================================
+ Coverage   68.98%   69.19%   +0.20%     
==========================================
  Files         211      214       +3     
  Lines       16112    16319     +207     
==========================================
+ Hits        11115    11292     +177     
- Misses       4997     5027      +30     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud