[nrf fromtree] mgmt: mcumgr: transport: bluetooth: add all gatt permission levels

Added new Kconfigs for defining permission level of GATT
characteristics that are part of the Bluetooth SMP service in the
MCUmgr subsys.

Removed the CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN as the new Kconfig
options are mutually exclusive and need to be groupa as the Kconfig
choice option.

Signed-off-by: Kamil Piszczek <[email protected]>
(cherry picked from commit 8c0bc54)

Author: kapi-no

doc/releases/migration-guide-4.0.rst

@@ -283,6 +283,10 @@ hawkBit
 MCUmgr
 ======
 
+* The ``MCUMGR_TRANSPORT_BT_AUTHEN`` Kconfig option from the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT` MCUmgr transport has been replaced with the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig choice.
+  The requirement for Bluetooth authentication is now indicated by the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN` Kconfig option.
+  To remove the default requirement for Bluetooth authentication it is necessary to enable the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig option in the project configuration.
+
 Modem
 =====
 

samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf

@@ -9,7 +9,6 @@ CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
 
 # Enable the Bluetooth mcumgr transport (unauthenticated).
 CONFIG_MCUMGR_TRANSPORT_BT=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n
 CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
 
 # Enable the Shell mcumgr transport.

scripts/utils/migrate_mcumgr_kconfigs.py

@@ -82,7 +82,8 @@
     "MCUMGR_BUF_SIZE" : "MCUMGR_TRANSPORT_NETBUF_SIZE",
     "MCUMGR_BUF_USER_DATA_SIZE" : "MCUMGR_TRANSPORT_NETBUF_USER_DATA_SIZE",
     "MCUMGR_SMP_BT" : "MCUMGR_TRANSPORT_BT",
-    "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_AUTHEN",
+    "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN",
+    "MCUMGR_TRANSPORT_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MIN_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MIN_INT",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MAX_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MAX_INT",

subsys/mgmt/mcumgr/transport/Kconfig.bluetooth

@@ -24,13 +24,25 @@ config MCUMGR_TRANSPORT_BT_REASSEMBLY
 	  When enabled, the SMP BT transport will buffer and reassemble received
 	  packet fragments before passing it for further processing.
 
-config MCUMGR_TRANSPORT_BT_AUTHEN
-	bool "Authenticated requirement for Bluetooth mcumgr SMP transport"
-	depends on BT_SMP
-	default y
+choice MCUMGR_TRANSPORT_BT_PERM
+	prompt "Permission used for the SMP service"
+	default MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN if BT_SMP
+	default MCUMGR_TRANSPORT_BT_PERM_RW
 	help
-	  Enables encrypted and authenticated connection requirement to
-	  Bluetooth SMP transport.
+	  Permission settings for GATT characteristics of the SMP service.
+
+config MCUMGR_TRANSPORT_BT_PERM_RW
+	bool "Read and write allowed"
+
+config MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT
+	bool "Require encryption for access"
+	depends on BT_SMP
+
+config MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN
+	bool "Require encryption and authentication for access"
+	depends on BT_SMP
+
+endchoice
 
 config MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL
 	bool "Request specific connection parameters for SMP packet exchange"

subsys/mgmt/mcumgr/transport/src/smp_bt.c

@@ -49,6 +49,27 @@ LOG_MODULE_DECLARE(mcumgr_smp, CONFIG_MCUMGR_TRANSPORT_LOG_LEVEL);
 					CONFIG_BT_PERIPHERAL_PREF_TIMEOUT),		\
 				    (NULL))
 
+/* Permission levels for GATT characteristics of the SMP service. */
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN 0
+#endif
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT 0
+#endif
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW 0
+#endif
+
+#define SMP_GATT_PERM (							\
+	CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN ?			\
+	(BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN) :	\
+	CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT ?			\
+	(BT_GATT_PERM_READ_ENCRYPT | BT_GATT_PERM_WRITE_ENCRYPT) :	\
+	(BT_GATT_PERM_READ | BT_GATT_PERM_WRITE))			\
+
+#define SMP_GATT_PERM_WRITE_MASK \
+	(BT_GATT_PERM_WRITE | BT_GATT_PERM_WRITE_ENCRYPT | BT_GATT_PERM_WRITE_AUTHEN)
+
 /* Minimum number of bytes that must be able to be sent with a notification to a target device
  * before giving up
  */
@@ -358,14 +379,10 @@ static void smp_bt_ccc_changed(const struct bt_gatt_attr *attr, uint16_t value)
 	BT_GATT_CHARACTERISTIC(&smp_bt_chr_uuid.uuid,					\
 			       BT_GATT_CHRC_WRITE_WITHOUT_RESP |			\
 			       BT_GATT_CHRC_NOTIFY,					\
-			       COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN,		\
-					   (BT_GATT_PERM_WRITE_AUTHEN),			\
-					   (BT_GATT_PERM_WRITE)),			\
+			       SMP_GATT_PERM & SMP_GATT_PERM_WRITE_MASK,		\
 			       NULL, smp_bt_chr_write, NULL),				\
 	BT_GATT_CCC(smp_bt_ccc_changed,							\
-		    COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN,			\
-				(BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN),	\
-				(BT_GATT_PERM_READ | BT_GATT_PERM_WRITE))),
+		    SMP_GATT_PERM),
 
 
 #ifdef CONFIG_MCUMGR_TRANSPORT_BT_DYNAMIC_SVC_REGISTRATION

tests/subsys/mgmt/mcumgr/all_options/prj.conf

@@ -17,10 +17,9 @@ CONFIG_STREAM_FLASH=y
 CONFIG_IMG_MANAGER=y
 CONFIG_MCUMGR=y
 CONFIG_MCUMGR_TRANSPORT_BT=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n
 CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
 CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=y
+CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN=y
 CONFIG_MCUMGR_TRANSPORT_DUMMY=y
 CONFIG_MCUMGR_TRANSPORT_DUMMY_RX_BUF_SIZE=512
 CONFIG_MCUMGR_TRANSPORT_SHELL=y