diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst index 1437b4044de..f8a47907859 100644 --- a/doc/releases/migration-guide-4.0.rst +++ b/doc/releases/migration-guide-4.0.rst @@ -283,6 +283,10 @@ hawkBit MCUmgr ====== +* The ``MCUMGR_TRANSPORT_BT_AUTHEN`` Kconfig option from the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT` MCUmgr transport has been replaced with the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig choice. + The requirement for Bluetooth authentication is now indicated by the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN` Kconfig option. + To remove the default requirement for Bluetooth authentication it is necessary to enable the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig option in the project configuration. + Modem ===== diff --git a/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf b/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf index 8942068beb4..1b945465163 100644 --- a/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf +++ b/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf @@ -9,7 +9,6 @@ CONFIG_BT_CTLR_DATA_LENGTH_MAX=251 # Enable the Bluetooth mcumgr transport (unauthenticated). CONFIG_MCUMGR_TRANSPORT_BT=y -CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y # Enable the Shell mcumgr transport. diff --git a/scripts/utils/migrate_mcumgr_kconfigs.py b/scripts/utils/migrate_mcumgr_kconfigs.py index b2ca14e332e..429474f80ce 100644 --- a/scripts/utils/migrate_mcumgr_kconfigs.py +++ b/scripts/utils/migrate_mcumgr_kconfigs.py @@ -82,7 +82,8 @@ "MCUMGR_BUF_SIZE" : "MCUMGR_TRANSPORT_NETBUF_SIZE", "MCUMGR_BUF_USER_DATA_SIZE" : "MCUMGR_TRANSPORT_NETBUF_USER_DATA_SIZE", "MCUMGR_SMP_BT" : "MCUMGR_TRANSPORT_BT", - "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_AUTHEN", + "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN", + "MCUMGR_TRANSPORT_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN", "MCUMGR_SMP_BT_CONN_PARAM_CONTROL" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL", "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MIN_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MIN_INT", "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MAX_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MAX_INT", diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig index b8d7f629a9c..233c916408f 100644 --- a/subsys/bluetooth/host/Kconfig +++ b/subsys/bluetooth/host/Kconfig @@ -645,8 +645,7 @@ config BT_BONDING_REQUIRED requests will be rejected. config BT_BONDABLE_PER_CONNECTION - bool "Set/clear the bonding flag per-connection [EXPERIMENTAL]" - select EXPERIMENTAL + bool "Set/clear the bonding flag per-connection" help Enable support for the bt_conn_set_bondable API function that is used to set/clear the bonding flag on a per-connection basis. diff --git a/subsys/bluetooth/host/Kconfig.gatt b/subsys/bluetooth/host/Kconfig.gatt index e0ea43025bd..c3751359512 100644 --- a/subsys/bluetooth/host/Kconfig.gatt +++ b/subsys/bluetooth/host/Kconfig.gatt @@ -302,8 +302,7 @@ config DEVICE_NAME_GATT_WRITABLE_AUTHEN endif #BT_DEVICE_NAME_GATT_WRITABLE config BT_GATT_AUTHORIZATION_CUSTOM - bool "Custom authorization of GATT operations [EXPERIMENTAL]" - select EXPERIMENTAL + bool "Custom authorization of GATT operations" help This option allows the user to define application-specific authorization logic for GATT operations that can be registered diff --git a/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth b/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth index 4a65ddf137e..1e1d5c7f6e4 100644 --- a/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth +++ b/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth @@ -24,13 +24,25 @@ config MCUMGR_TRANSPORT_BT_REASSEMBLY When enabled, the SMP BT transport will buffer and reassemble received packet fragments before passing it for further processing. -config MCUMGR_TRANSPORT_BT_AUTHEN - bool "Authenticated requirement for Bluetooth mcumgr SMP transport" - depends on BT_SMP - default y +choice MCUMGR_TRANSPORT_BT_PERM + prompt "Permission used for the SMP service" + default MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN if BT_SMP + default MCUMGR_TRANSPORT_BT_PERM_RW help - Enables encrypted and authenticated connection requirement to - Bluetooth SMP transport. + Permission settings for GATT characteristics of the SMP service. + +config MCUMGR_TRANSPORT_BT_PERM_RW + bool "Read and write allowed" + +config MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT + bool "Require encryption for access" + depends on BT_SMP + +config MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN + bool "Require encryption and authentication for access" + depends on BT_SMP + +endchoice config MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL bool "Request specific connection parameters for SMP packet exchange" diff --git a/subsys/mgmt/mcumgr/transport/src/smp_bt.c b/subsys/mgmt/mcumgr/transport/src/smp_bt.c index f3e72da3c6c..a72c8468647 100644 --- a/subsys/mgmt/mcumgr/transport/src/smp_bt.c +++ b/subsys/mgmt/mcumgr/transport/src/smp_bt.c @@ -49,6 +49,27 @@ LOG_MODULE_DECLARE(mcumgr_smp, CONFIG_MCUMGR_TRANSPORT_LOG_LEVEL); CONFIG_BT_PERIPHERAL_PREF_TIMEOUT), \ (NULL)) +/* Permission levels for GATT characteristics of the SMP service. */ +#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN +#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN 0 +#endif +#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT +#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT 0 +#endif +#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW +#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW 0 +#endif + +#define SMP_GATT_PERM ( \ + CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN ? \ + (BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN) : \ + CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT ? \ + (BT_GATT_PERM_READ_ENCRYPT | BT_GATT_PERM_WRITE_ENCRYPT) : \ + (BT_GATT_PERM_READ | BT_GATT_PERM_WRITE)) \ + +#define SMP_GATT_PERM_WRITE_MASK \ + (BT_GATT_PERM_WRITE | BT_GATT_PERM_WRITE_ENCRYPT | BT_GATT_PERM_WRITE_AUTHEN) + /* Minimum number of bytes that must be able to be sent with a notification to a target device * before giving up */ @@ -358,14 +379,10 @@ static void smp_bt_ccc_changed(const struct bt_gatt_attr *attr, uint16_t value) BT_GATT_CHARACTERISTIC(&smp_bt_chr_uuid.uuid, \ BT_GATT_CHRC_WRITE_WITHOUT_RESP | \ BT_GATT_CHRC_NOTIFY, \ - COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN, \ - (BT_GATT_PERM_WRITE_AUTHEN), \ - (BT_GATT_PERM_WRITE)), \ + SMP_GATT_PERM & SMP_GATT_PERM_WRITE_MASK, \ NULL, smp_bt_chr_write, NULL), \ BT_GATT_CCC(smp_bt_ccc_changed, \ - COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN, \ - (BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN), \ - (BT_GATT_PERM_READ | BT_GATT_PERM_WRITE))), + SMP_GATT_PERM), #ifdef CONFIG_MCUMGR_TRANSPORT_BT_DYNAMIC_SVC_REGISTRATION diff --git a/tests/subsys/mgmt/mcumgr/all_options/prj.conf b/tests/subsys/mgmt/mcumgr/all_options/prj.conf index ba15113a923..3087ce16c39 100644 --- a/tests/subsys/mgmt/mcumgr/all_options/prj.conf +++ b/tests/subsys/mgmt/mcumgr/all_options/prj.conf @@ -17,10 +17,9 @@ CONFIG_STREAM_FLASH=y CONFIG_IMG_MANAGER=y CONFIG_MCUMGR=y CONFIG_MCUMGR_TRANSPORT_BT=y -CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y -CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=y +CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN=y CONFIG_MCUMGR_TRANSPORT_DUMMY=y CONFIG_MCUMGR_TRANSPORT_DUMMY_RX_BUF_SIZE=512 CONFIG_MCUMGR_TRANSPORT_SHELL=y