Bluetooth: Add BT_SMP_ENFORCE_MITM option #17464
51689fc to 85c649f
Will you also have a patch to update the tester app? If that's needed it might be easier (for the subsequent backport) to include them both in the same PR.
I would wait with tester app PR for now. I think it will be necessary to modify btp documentation as well to add security level parameter to Opcode 0x11 - Pair command/response (or separate command). It's fixed now, set to BT_SECURITY_MEDIUM.
Yep, this is needed for manual testing only.
We can think about how to extend btp when more tests are added for autopts.
I don't think the addition of the mitm flag is required. When we receive a request we shouldn't let the peer's MITM flag say that we want MITM protection unless we can actually achieve it.
And when sending requests, we already check that the required sec_level can be achieved by checking the IO capabilities.
I think the BT_SMP_ENFORCE_MITM option should be the only change.
Having this option disabled, MITM flag state can be controlled by bt_conn_security state. This option is enabled by default to not change the current implementation behavior.
Related to SM/MAS/SCPK/BV-01-C.
Fixes zephyrproject-rtos#17463
Signed-off-by: Mariusz Skamra <mariusz.skamra@codecoup.pl>
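A small C model of the behaviour discussed in this thread, added here as an illustration and not taken from the pull request or from Zephyr's source: it shows how the local MITM bit changes with the option and the requested security level, and why a MITM bit alone does not give authenticated pairing. The MITM bit value and the LE Secure Connections IO capability table follow the Bluetooth Core Specification; the function names, the `sec_level` enum and the rule that only the high level requests MITM are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define AUTH_MITM 0x04 /* MITM bit of the SMP AuthReq field */
/* SMP IO capability codes, in the order the specification numbers them. */
enum io_capa { DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY,
	       NO_INPUT_OUTPUT, KEYBOARD_DISPLAY };
/* Hypothetical stand-ins for the BT_SECURITY_* levels named in the thread. */
enum sec_level { SEC_MEDIUM = 2, SEC_HIGH = 3 };

/* LE Secure Connections: true where the IO pair allows passkey entry or
 * numeric comparison, false where only Just Works is possible. */
static const bool authenticated_method[5][5] = {
	/* DISPLAY_ONLY     */ { false, false, true,  false, true  },
	/* DISPLAY_YESNO    */ { false, true,  true,  false, true  },
	/* KEYBOARD_ONLY    */ { true,  true,  true,  false, true  },
	/* NO_INPUT_OUTPUT  */ { false, false, false, false, false },
	/* KEYBOARD_DISPLAY */ { true,  true,  true,  false, true  },
};

/* Model of the local MITM bit. enforce_mitm stands for BT_SMP_ENFORCE_MITM;
 * required is the level set through bt_conn_security (assumption: only
 * SEC_HIGH and above ask for MITM protection). */
static uint8_t local_auth_req(bool enforce_mitm, enum io_capa io,
			      enum sec_level required)
{
	if (io == NO_INPUT_OUTPUT)
		return 0; /* never claim MITM we cannot achieve */
	return (enforce_mitm || required >= SEC_HIGH) ? AUTH_MITM : 0;
}

/* Authenticated only if some side set MITM and the IO pair supports it. */
static bool pairing_authenticated(uint8_t local_auth, enum io_capa local_io,
				  uint8_t peer_auth, enum io_capa peer_io)
{
	if (!((local_auth | peer_auth) & AUTH_MITM))
		return false; /* IO capabilities ignored: Just Works */
	return authenticated_method[peer_io][local_io];
}

int main(void)
{
	for (int enforce = 0; enforce <= 1; enforce++) {
		uint8_t a = local_auth_req(enforce, KEYBOARD_DISPLAY, SEC_MEDIUM);
		printf("enforce=%d auth=0x%02x authenticated=%d\n", enforce, a,
		       pairing_authenticated(a, KEYBOARD_DISPLAY, 0, DISPLAY_ONLY));
	}
	return 0;
}
```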
85c649f to f3cc3b0
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub.
git fetch
# Create new working tree.
git worktree add .worktrees/backport v1.14-branch
# Navigate to the new directory.
cd .worktrees/backport
# Cherry-pick all the commits of this pull request and resolve the likely conflicts.
git cherry-pick f3cc3b038837207b278ac173efb269bc5f501929
# Create a new branch with these backported commits.
git checkout -b backport-17464-to-v1.14-branch
# Push it to GitHub.
git push --set-upstream origin backport-17464-to-v1.14-branch
# Go back to the original working tree.
cd ../..
# Delete the working tree.
git worktree remove .worktrees/backport
Then, create a pull request where the