bluetooth: services: mcumgr: update security configuration

Update security configuration for MCUmgr service.

Signed-off-by: Eivind Jølsgard <[email protected]>

Author: eivindj-nordic

applications/firmware_loader/ble_mcumgr/src/main.c

@@ -189,6 +189,9 @@ int main(void)
 			.uuid = BLE_MCUMGR_SERVICE_UUID_SUB,
 		},
 	};
+	struct ble_mcumgr_config mcumgr_cfg = {
+		.sec_mode = BLE_MCUMGR_CONFIG_SEC_MODE_DEFAULT,
+	};
 
 	LOG_INF("BLE MCUmgr sample started");
 	mgmt_callback_register(&os_mgmt_reboot_callback);
@@ -211,7 +214,7 @@ int main(void)
 
 	LOG_INF("Bluetooth enabled");
 
-	nrf_err = ble_mcumgr_init();
+	nrf_err = ble_mcumgr_init(&mcumgr_cfg);
 
 	if (nrf_err) {
 		LOG_ERR("Failed to initialize MCUmgr service, nrf_error %#x", nrf_err);

doc/nrf-bm/libraries/bluetooth/services/ble_mcumgr.rst

@@ -15,6 +15,7 @@ Configuration
 *************
 
 Set the :kconfig:option:`CONFIG_BLE_MCUMGR` Kconfig option to enable the service.
+The characteristic security mode is configured in the :c:struct:`ble_mcumgr_config` structure provided during initialization.
 
 Initialization
 ==============

doc/nrf-bm/release_notes/release_notes_changelog.rst

@@ -143,6 +143,7 @@ BLE Services
   * :ref:`lib_ble_service_hids` service.
   * :ref:`lib_ble_service_hrs` service.
   * :ref:`lib_ble_service_lbs` service.
+  * :ref:`lib_ble_service_mcumgr` service.
 
 * :ref:`lib_ble_service_nus` service:
 

include/bm/bluetooth/services/ble_mcumgr.h

@@ -17,6 +17,7 @@
 #include <stdint.h>
 #include <stdbool.h>
 #include <ble.h>
+#include <bm/bluetooth/services/common.h>
 #include <bm/softdevice_handler/nrf_sdh_ble.h>
 
 #ifdef __cplusplus
@@ -34,13 +35,41 @@ extern "C" {
 #define BLE_MCUMGR_SERVICE_UUID_SUB 0xdc1d
 #define BLE_MCUMGR_CHARACTERISTIC_UUID_SUB 0x7828
 
+/** @brief Default security configuration. */
+#define BLE_MCUMGR_CONFIG_SEC_MODE_DEFAULT                                                         \
+	{                                                                                          \
+		.mcumgr_char = {                                                                   \
+			.read = BLE_GAP_CONN_SEC_MODE_OPEN,                                        \
+			.write = BLE_GAP_CONN_SEC_MODE_OPEN,                                       \
+			.cccd_write = BLE_GAP_CONN_SEC_MODE_OPEN,                                  \
+		},                                                                                 \
+	}
+
+/**
+ * @brief MCUmgr service configuration.
+ */
+struct ble_mcumgr_config {
+	/** Security configuration. */
+	struct {
+		/** MCUmgr characteristic */
+		struct {
+			/** Security requirement for reading MCUmgr characteristic value. */
+			ble_gap_conn_sec_mode_t read;
+			/** Security requirement for writing MCUmgr characteristic value. */
+			ble_gap_conn_sec_mode_t write;
+			/** Security requirement for writing MCUmgr characteristic CCCD. */
+			ble_gap_conn_sec_mode_t cccd_write;
+		} mcumgr_char;
+	} sec_mode;
+};
+
 /**
  * @brief Function for initializing the MCUmgr Bluetooth service.
  *
  * @retval NRF_SUCCESS On success.
  * @retval NRF_ERROR_INVALID_PARAM Invalid parameters.
  */
-uint32_t ble_mcumgr_init(void);
+uint32_t ble_mcumgr_init(struct ble_mcumgr_config *cfg);
 
 /**
  * @brief Function for getting the MCUmgr Bluetooth service UUID type.

samples/boot/mcuboot_recovery_entry/src/main.c

@@ -167,6 +167,9 @@ int main(void)
 			.uuid = BLE_MCUMGR_SERVICE_UUID_SUB,
 		},
 	};
+	struct ble_mcumgr_config mcumgr_cfg = {
+		.sec_mode = BLE_MCUMGR_CONFIG_SEC_MODE_DEFAULT,
+	};
 
 	mgmt_callback_register(&os_mgmt_reboot_callback);
 
@@ -186,7 +189,7 @@ int main(void)
 
 	LOG_INF("Bluetooth enabled");
 
-	nrf_err = ble_mcumgr_init();
+	nrf_err = ble_mcumgr_init(&mcumgr_cfg);
 
 	if (nrf_err) {
 		LOG_ERR("Failed to initialize MCUmgr, nrf_error %#x", nrf_err);

subsys/bluetooth/services/ble_mcumgr/mcumgr.c

@@ -79,14 +79,16 @@ static struct ble_mcumgr_client_context *ble_mcumgr_client_context_get(uint16_t
 	return ((idx >= 0) ? &contexts[idx] : NULL);
 }
 
-static uint32_t mcumgr_characteristic_add(struct ble_mcumgr *service)
+static uint32_t mcumgr_characteristic_add(struct ble_mcumgr *service, struct ble_mcumgr_config *cfg)
 {
 	ble_uuid_t char_uuid = {
 		.type = service->uuid_type_characteristic,
 		.uuid = BLE_MCUMGR_CHARACTERISTIC_UUID_SUB,
 	};
 	ble_gatts_attr_md_t cccd_md = {
-		.vloc = BLE_GATTS_VLOC_STACK
+		.vloc = BLE_GATTS_VLOC_STACK,
+		.read_perm = BLE_GAP_CONN_SEC_MODE_OPEN,
+		.write_perm = cfg->sec_mode.mcumgr_char.cccd_write,
 	};
 	ble_gatts_char_md_t char_md = {
 		.char_props = {
@@ -98,6 +100,8 @@ static uint32_t mcumgr_characteristic_add(struct ble_mcumgr *service)
 	ble_gatts_attr_md_t attr_md = {
 		.vloc = BLE_GATTS_VLOC_STACK,
 		.vlen = true,
+		.read_perm = cfg->sec_mode.mcumgr_char.read,
+		.write_perm = cfg->sec_mode.mcumgr_char.write,
 	};
 	ble_gatts_attr_t attr_char_value = {
 		.p_uuid = &char_uuid,
@@ -107,13 +111,6 @@ static uint32_t mcumgr_characteristic_add(struct ble_mcumgr *service)
 		.max_len = BLE_GATT_MAX_DATA_LEN,
 	};
 
-	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.read_perm);
-	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&attr_md.write_perm);
-
-	/* Setup CCCD */
-	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
-	BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.write_perm);
-
 	return sd_ble_gatts_characteristic_add(service->service_handle, &char_md, &attr_char_value,
 					       &service->characteristic_handle);
 }
@@ -374,7 +371,7 @@ static void on_ble_evt(const ble_evt_t *evt, void *ctx)
 
 NRF_SDH_BLE_OBSERVER(sdh_ble, on_ble_evt, &ble_mcumgr, 0);
 
-uint32_t ble_mcumgr_init(void)
+uint32_t ble_mcumgr_init(struct ble_mcumgr_config *cfg)
 {
 	uint32_t nrf_err;
 	ble_uuid_t ble_uuid;
@@ -418,7 +415,7 @@ uint32_t ble_mcumgr_init(void)
 	}
 
 	/* Add MCUmgr characteristic */
-	nrf_err = mcumgr_characteristic_add(&ble_mcumgr);
+	nrf_err = mcumgr_characteristic_add(&ble_mcumgr, cfg);
 
 	if (nrf_err) {
 		LOG_ERR("mcumgr_characteristic_add failed, nrf_error %#x", nrf_err);