nrfconnect · rlubos · Oct 8, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst
@@ -283,6 +283,10 @@ hawkBit
 MCUmgr
 ======
 
+* The ``MCUMGR_TRANSPORT_BT_AUTHEN`` Kconfig option from the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT` MCUmgr transport has been replaced with the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig choice.
+  The requirement for Bluetooth authentication is now indicated by the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN` Kconfig option.
+  To remove the default requirement for Bluetooth authentication it is necessary to enable the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig option in the project configuration.
+
 Modem
 =====
 

diff --git a/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf b/samples/subsys/mgmt/mcumgr/smp_svr/overlay-bt.conf
@@ -9,7 +9,6 @@ CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
 
 # Enable the Bluetooth mcumgr transport (unauthenticated).
 CONFIG_MCUMGR_TRANSPORT_BT=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n
 CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
 
 # Enable the Shell mcumgr transport.

diff --git a/scripts/utils/migrate_mcumgr_kconfigs.py b/scripts/utils/migrate_mcumgr_kconfigs.py
@@ -82,7 +82,8 @@
     "MCUMGR_BUF_SIZE" : "MCUMGR_TRANSPORT_NETBUF_SIZE",
     "MCUMGR_BUF_USER_DATA_SIZE" : "MCUMGR_TRANSPORT_NETBUF_USER_DATA_SIZE",
     "MCUMGR_SMP_BT" : "MCUMGR_TRANSPORT_BT",
-    "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_AUTHEN",
+    "MCUMGR_SMP_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN",
+    "MCUMGR_TRANSPORT_BT_AUTHEN" : "MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MIN_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MIN_INT",
     "MCUMGR_SMP_BT_CONN_PARAM_CONTROL_MAX_INT" : "MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL_MAX_INT",

diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
@@ -645,8 +645,7 @@ config BT_BONDING_REQUIRED
 	  requests will be rejected.
 
 config BT_BONDABLE_PER_CONNECTION
-	bool "Set/clear the bonding flag per-connection [EXPERIMENTAL]"
-	select EXPERIMENTAL
+	bool "Set/clear the bonding flag per-connection"
 	help
 	  Enable support for the bt_conn_set_bondable API function that is
 	  used to set/clear the bonding flag on a per-connection basis.

diff --git a/subsys/bluetooth/host/Kconfig.gatt b/subsys/bluetooth/host/Kconfig.gatt
@@ -302,8 +302,7 @@ config DEVICE_NAME_GATT_WRITABLE_AUTHEN
 endif #BT_DEVICE_NAME_GATT_WRITABLE
 
 config BT_GATT_AUTHORIZATION_CUSTOM
-	bool "Custom authorization of GATT operations [EXPERIMENTAL]"
-	select EXPERIMENTAL
+	bool "Custom authorization of GATT operations"
 	help
 	  This option allows the user to define application-specific
 	  authorization logic for GATT operations that can be registered

diff --git a/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth b/subsys/mgmt/mcumgr/transport/Kconfig.bluetooth
@@ -24,13 +24,25 @@ config MCUMGR_TRANSPORT_BT_REASSEMBLY
 	  When enabled, the SMP BT transport will buffer and reassemble received
 	  packet fragments before passing it for further processing.
 
-config MCUMGR_TRANSPORT_BT_AUTHEN
-	bool "Authenticated requirement for Bluetooth mcumgr SMP transport"
-	depends on BT_SMP
-	default y
+choice MCUMGR_TRANSPORT_BT_PERM
+	prompt "Permission used for the SMP service"
+	default MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN if BT_SMP
+	default MCUMGR_TRANSPORT_BT_PERM_RW
 	help
-	  Enables encrypted and authenticated connection requirement to
-	  Bluetooth SMP transport.
+	  Permission settings for GATT characteristics of the SMP service.
+
+config MCUMGR_TRANSPORT_BT_PERM_RW
+	bool "Read and write allowed"
+
+config MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT
+	bool "Require encryption for access"
+	depends on BT_SMP
+
+config MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN
+	bool "Require encryption and authentication for access"
+	depends on BT_SMP
+
+endchoice
 
 config MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL
 	bool "Request specific connection parameters for SMP packet exchange"

diff --git a/subsys/mgmt/mcumgr/transport/src/smp_bt.c b/subsys/mgmt/mcumgr/transport/src/smp_bt.c
@@ -49,6 +49,27 @@
 					CONFIG_BT_PERIPHERAL_PREF_TIMEOUT),		\
 				    (NULL))
 
+/* Permission levels for GATT characteristics of the SMP service. */
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN 0
+#endif
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT 0
+#endif
+#ifndef CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW
+#define CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW 0
+#endif
+
+#define SMP_GATT_PERM (							\
+	CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN ?			\
+	(BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN) :	\
+	CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_ENCRYPT ?			\
+	(BT_GATT_PERM_READ_ENCRYPT | BT_GATT_PERM_WRITE_ENCRYPT) :	\
+	(BT_GATT_PERM_READ | BT_GATT_PERM_WRITE))			\
+
+#define SMP_GATT_PERM_WRITE_MASK \
+	(BT_GATT_PERM_WRITE | BT_GATT_PERM_WRITE_ENCRYPT | BT_GATT_PERM_WRITE_AUTHEN)
+
 /* Minimum number of bytes that must be able to be sent with a notification to a target device
  * before giving up
  */
@@ -358,16 +379,12 @@
 	BT_GATT_CHARACTERISTIC(&smp_bt_chr_uuid.uuid,					\
 			       BT_GATT_CHRC_WRITE_WITHOUT_RESP |			\
 			       BT_GATT_CHRC_NOTIFY,					\
-			       COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN,		\
-					   (BT_GATT_PERM_WRITE_AUTHEN),			\
-					   (BT_GATT_PERM_WRITE)),			\
+			       SMP_GATT_PERM & SMP_GATT_PERM_WRITE_MASK,		\
 			       NULL, smp_bt_chr_write, NULL),				\
 	BT_GATT_CCC(smp_bt_ccc_changed,							\
-		    COND_CODE_1(CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN,			\
-				(BT_GATT_PERM_READ_AUTHEN | BT_GATT_PERM_WRITE_AUTHEN),	\
-				(BT_GATT_PERM_READ | BT_GATT_PERM_WRITE))),
+		    SMP_GATT_PERM),
 
 
 #ifdef CONFIG_MCUMGR_TRANSPORT_BT_DYNAMIC_SVC_REGISTRATION
 static struct bt_gatt_attr attr_smp_bt_svc[] = {SMP_BT_ATTRS};
 static struct bt_gatt_service smp_bt_svc = BT_GATT_SERVICE(attr_smp_bt_svc);

diff --git a/tests/subsys/mgmt/mcumgr/all_options/prj.conf b/tests/subsys/mgmt/mcumgr/all_options/prj.conf
@@ -17,10 +17,9 @@ CONFIG_STREAM_FLASH=y
 CONFIG_IMG_MANAGER=y
 CONFIG_MCUMGR=y
 CONFIG_MCUMGR_TRANSPORT_BT=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=n
 CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
 CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
-CONFIG_MCUMGR_TRANSPORT_BT_AUTHEN=y
+CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN=y
 CONFIG_MCUMGR_TRANSPORT_DUMMY=y
 CONFIG_MCUMGR_TRANSPORT_DUMMY_RX_BUF_SIZE=512
 CONFIG_MCUMGR_TRANSPORT_SHELL=y
-Original file line number
+Diff line change
@@ Expand Up / @@ -283,6 +283,10 @@ hawkBit @@
     MCUmgr
     ======
+    * The ``MCUMGR_TRANSPORT_BT_AUTHEN`` Kconfig option from the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT` MCUmgr transport has been replaced with the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig choice.
+      The requirement for Bluetooth authentication is now indicated by the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN` Kconfig option.
+      To remove the default requirement for Bluetooth authentication it is necessary to enable the :kconfig:option:`CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW` Kconfig option in the project configuration.
     Modem
     =====
@@ Expand Down @@