fix multi-controller ecc smp buiild_warning, use syswork during key generate, and adapt to external/app PSA crypto lib.

zhongzhijie1 · hyson710 · commit 9931065cf52f · 2025-11-17T21:34:28.000+08:00
bug: v/76826

release note: Now all SMP public keys are generated by the host using the PSA crypto backend, not by the controller.
This allows controllers without P-256 hardware support to use LE Secure Connections.

Signed-off-by: zhongzhijie1 &lt;zhongzhijie1@xiaomi.com&gt;
diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
@@ -994,7 +994,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
+	select CRYPTO_MBEDTLS if !BUILD_WITH_TFM
 	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
@@ -4523,6 +4523,8 @@ int bt_conn_init(struct bt_dev *hdev)
 
 	bt_att_init(hdev);
 
+	bt_ecc_init(hdev);
+
 	err = bt_smp_init(hdev);
 	if (err) {
 		return err;
diff --git a/subsys/bluetooth/host/ecc.c b/subsys/bluetooth/host/ecc.c
@@ -151,7 +151,7 @@ static void generate_pub_key(struct k_work *work)
 
 	SYS_SLIST_FOR_EACH_CONTAINER(&hdev->pub_key_cb_slist, cb, node) {
 		if (cb->func) {
-			cb->func(err ? NULL : pub_key);
+			cb->func(hdev, err ? NULL : hdev->pub_key);
 		}
 	}
 
@@ -217,12 +217,12 @@ static void generate_dh_key(struct k_work *work)
 		atomic_clear_bit(ecc->flags, PENDING_DHKEY);
 
 		if (err) {
-			cb(NULL);
+			cb(hdev, NULL);
 		} else {
 			uint8_t dhkey[BT_DH_KEY_LEN];
 
 			sys_memcpy_swap(dhkey, ecc->dhkey_be, sizeof(ecc->dhkey_be));
-			cb(dhkey);
+			cb(hdev, dhkey);
 		}
 	}
 
@@ -236,7 +236,7 @@ int bt_pub_key_gen(struct bt_dev *hdev, struct bt_pub_key_cb *new_cb)
 	if (IS_ENABLED(CONFIG_BT_USE_DEBUG_KEYS)) {
 		atomic_set_bit(hdev->flags, BT_DEV_HAS_PUB_KEY);
 		__ASSERT_NO_MSG(new_cb->func != NULL);
-		new_cb->func(debug_public_key);
+		new_cb->func(hdev, debug_public_key);
 		return 0;
 	}
 
@@ -264,11 +264,7 @@ int bt_pub_key_gen(struct bt_dev *hdev, struct bt_pub_key_cb *new_cb)
 
 	atomic_clear_bit(hdev->flags, BT_DEV_HAS_PUB_KEY);
 
-	if (IS_ENABLED(CONFIG_BT_LONG_WQ)) {
-		bt_long_wq_submit(&hdev->ecc.pub_key_work);
-	} else {
-		k_work_submit(&hdev->ecc.pub_key_work);
-	}
+	k_work_submit(&hdev->ecc.pub_key_work);
 
 	return 0;
 }
@@ -326,22 +322,27 @@ int bt_dh_key_gen(struct bt_dev *hdev, const uint8_t remote_pk[BT_PUB_KEY_LEN],
 	sys_memcpy_swap(&hdev->ecc.public_key_be[BT_PUB_KEY_COORD_LEN],
 			&remote_pk[BT_PUB_KEY_COORD_LEN], BT_PUB_KEY_COORD_LEN);
 
-	if (IS_ENABLED(CONFIG_BT_LONG_WQ)) {
-		bt_long_wq_submit(&hdev->ecc.dh_key_work);
-	} else {
-		k_work_submit(&hdev->ecc.dh_key_work);
-	}
+	k_work_submit(&hdev->ecc.dh_key_work);
 
 	return 0;
 }
 
 void bt_ecc_init(struct bt_dev *hdev)
 {
+	psa_status_t status;
+
+	status = psa_crypto_init();
+
+	if (status != PSA_SUCCESS) {
+		LOG_ERR("PSA Crypto init failed: %d", status);
+		return;
+	}
+
 	memset(&hdev->ecc, 0, sizeof(hdev->ecc));
 
 	/* Initialize the ECC work queue */
-	k_work_init(hdev->ecc.pub_key_work, generate_pub_key);
-	k_work_init(hdev->ecc.dh_key_work, generate_dh_key);
+	k_work_init(&hdev->ecc.pub_key_work, generate_pub_key);
+	k_work_init(&hdev->ecc.dh_key_work, generate_dh_key);
 }
 
 #ifdef ZTEST_UNITTEST
diff --git a/subsys/bluetooth/host/smp.c b/subsys/bluetooth/host/smp.c
@@ -768,7 +768,7 @@ static bool ltk_derive_link_key_allowed(struct bt_smp *smp)
 	}
 
 	/* Check whether it is has been bonded */
-	link_key = bt_keys_find_link_key(&conn->le.dst.a);
+	link_key = bt_keys_find_link_key(conn->hdev, &conn->le.dst.a);
 	if (link_key == NULL) {
 		return true;
 	}
@@ -810,9 +810,9 @@ static void sc_derive_link_key(struct bt_smp *smp)
 	}
 
 	/* Remove the bonding information */
-	link_key = bt_keys_find_link_key(&conn->le.dst.a);
+	link_key = bt_keys_find_link_key(conn->hdev, &conn->le.dst.a);
 	if (link_key != NULL) {
-		bt_keys_link_key_clear(link_key);
+		bt_keys_link_key_clear(conn->hdev, link_key);
 	}
 
 	/*
@@ -863,7 +863,7 @@ static void sc_derive_link_key(struct bt_smp *smp)
 
 	if (atomic_test_bit(smp->flags, SMP_FLAG_BOND)) {
 		/* Store the link key */
-		bt_keys_link_key_store(link_key);
+		bt_keys_link_key_store(conn->hdev, link_key);
 	}
 }
 
@@ -892,16 +892,16 @@ static void smp_br_reset(struct bt_smp_br *smp)
 	atomic_set_bit(smp->allowed_cmds, BT_SMP_CMD_PAIRING_REQ);
 }
 
-static void smp_br_id_add_replace(struct bt_keys *keys)
+static void smp_br_id_add_replace(struct bt_dev *hdev, struct bt_keys *keys)
 {
 	struct bt_keys *conflict;
 
 	/* Check whether key has been added to resolving list. */
 	if (keys->state & BT_KEYS_ID_ADDED) {
-		bt_id_del(keys);
+		bt_id_del(hdev, keys);
 	}
 
-	conflict = bt_id_find_conflict(keys);
+	conflict = bt_id_find_conflict(hdev, keys);
 	if (conflict != NULL) {
 		int err;
 
@@ -911,8 +911,8 @@ static void smp_br_id_add_replace(struct bt_keys *keys)
 		__ASSERT_NO_MSG(!err);
 	}
 
-	__ASSERT_NO_MSG(!bt_id_find_conflict(keys));
-	bt_id_add(keys);
+	__ASSERT_NO_MSG(!bt_id_find_conflict(hdev, keys));
+	bt_id_add(hdev, keys);
 }
 
 static void smp_pairing_br_complete(struct bt_smp_br *smp, uint8_t status)
@@ -949,7 +949,7 @@ static void smp_pairing_br_complete(struct bt_smp_br *smp, uint8_t status)
 		struct bt_conn_auth_info_cb *listener, *next;
 
 		if (keys) {
-			smp_br_id_add_replace(keys);
+			smp_br_id_add_replace(conn->hdev, keys);
 		}
 
 		if (bond_flag && keys) {
@@ -1074,10 +1074,10 @@ static void smp_br_derive_ltk(struct bt_smp_br *smp)
 	bt_addr_copy(&addr.a, &conn->br.dst);
 	addr.type = BT_ADDR_LE_PUBLIC;
 
-	keys = bt_keys_find_addr(conn->id, &addr);
+	keys = bt_keys_find_addr(conn->hdev, conn->id, &addr);
 	if (keys != NULL) {
 		LOG_DBG("Clear the current keys for %s", bt_addr_le_str(&addr));
-		bt_keys_clear(keys);
+		bt_keys_clear(conn->hdev, keys);
 	}
 
 	keys = bt_keys_get_type(conn->hdev, BT_KEYS_LTK_P256, conn->id, &addr);
@@ -1266,9 +1266,9 @@ static bool smp_br_pairing_allowed(struct bt_smp_br *smp)
 
 	addr.type = BT_ADDR_LE_PUBLIC;
 	bt_addr_copy(&addr.a, &conn->br.dst);
-	le_keys = bt_keys_find_addr(BT_ID_DEFAULT, &addr);
+	le_keys = bt_keys_find_addr(conn->hdev, BT_ID_DEFAULT, &addr);
 
-	key = bt_keys_find_link_key(&conn->br.dst);
+	key = bt_keys_find_link_key(conn->hdev, &conn->br.dst);
 	if (!key) {
 		return false;
 	}
@@ -1524,7 +1524,7 @@ static void convert_to_id_on_irk_match(struct bt_conn *conn, void *data)
 
 	if (bt_rpa_irk_matches(keys->irk.val, &conn->le.dst.a)) {
 		if (conn->le.keys != NULL && conn->le.keys != keys) {
-			bt_keys_clear(conn->le.keys);
+			bt_keys_clear(conn->hdev, conn->le.keys);
 		}
 
 		conn->le.keys = keys;
@@ -1564,7 +1564,7 @@ static uint8_t smp_br_ident_addr_info(struct bt_smp_br *smp,
 	}
 
 	/* Check the BLE connections that has RPA matched with this IRK */
-	keys = bt_keys_get_type(BT_KEYS_IRK, conn->id, &addr);
+	keys = bt_keys_get_type(conn->hdev, BT_KEYS_IRK, conn->id, &addr);
 	if (keys) {
 		bt_conn_foreach(BT_CONN_TYPE_LE, convert_to_id_on_irk_match, keys);
 	} else {

Original file line number	Diff line number	Diff line change
`@@ -768,7 +768,7 @@ static bool ltk_derive_link_key_allowed(struct bt_smp *smp)`
`768`	`768`	`}`
`769`	`769`
`770`	`770`	`/* Check whether it is has been bonded */`
`771`		`- link_key = bt_keys_find_link_key(&conn->le.dst.a);`
	`771`	`+ link_key = bt_keys_find_link_key(conn->hdev, &conn->le.dst.a);`
`772`	`772`	`if (link_key == NULL) {`
`773`	`773`	`return true;`
`774`	`774`	`}`
`@@ -810,9 +810,9 @@ static void sc_derive_link_key(struct bt_smp *smp)`
`810`	`810`	`}`
`811`	`811`
`812`	`812`	`/* Remove the bonding information */`
`813`		`- link_key = bt_keys_find_link_key(&conn->le.dst.a);`
	`813`	`+ link_key = bt_keys_find_link_key(conn->hdev, &conn->le.dst.a);`
`814`	`814`	`if (link_key != NULL) {`
`815`		`- bt_keys_link_key_clear(link_key);`
	`815`	`+ bt_keys_link_key_clear(conn->hdev, link_key);`
`816`	`816`	`}`
`817`	`817`
`818`	`818`	`/*`
`@@ -863,7 +863,7 @@ static void sc_derive_link_key(struct bt_smp *smp)`
`863`	`863`
`864`	`864`	`if (atomic_test_bit(smp->flags, SMP_FLAG_BOND)) {`
`865`	`865`	`/* Store the link key */`
`866`		`- bt_keys_link_key_store(link_key);`
	`866`	`+ bt_keys_link_key_store(conn->hdev, link_key);`
`867`	`867`	`}`
`868`	`868`	`}`
`869`	`869`
`@@ -892,16 +892,16 @@ static void smp_br_reset(struct bt_smp_br *smp)`
`892`	`892`	`atomic_set_bit(smp->allowed_cmds, BT_SMP_CMD_PAIRING_REQ);`
`893`	`893`	`}`
`894`	`894`
`895`		`-static void smp_br_id_add_replace(struct bt_keys *keys)`
	`895`	`+static void smp_br_id_add_replace(struct bt_dev hdev, struct bt_keys keys)`
`896`	`896`	`{`
`897`	`897`	`struct bt_keys *conflict;`
`898`	`898`
`899`	`899`	`/* Check whether key has been added to resolving list. */`
`900`	`900`	`if (keys->state & BT_KEYS_ID_ADDED) {`
`901`		`- bt_id_del(keys);`
	`901`	`+ bt_id_del(hdev, keys);`
`902`	`902`	`}`
`903`	`903`
`904`		`- conflict = bt_id_find_conflict(keys);`
	`904`	`+ conflict = bt_id_find_conflict(hdev, keys);`
`905`	`905`	`if (conflict != NULL) {`
`906`	`906`	`int err;`
`907`	`907`
`@@ -911,8 +911,8 @@ static void smp_br_id_add_replace(struct bt_keys *keys)`
`911`	`911`	`__ASSERT_NO_MSG(!err);`
`912`	`912`	`}`
`913`	`913`
`914`		`- __ASSERT_NO_MSG(!bt_id_find_conflict(keys));`
`915`		`- bt_id_add(keys);`
	`914`	`+ __ASSERT_NO_MSG(!bt_id_find_conflict(hdev, keys));`
	`915`	`+ bt_id_add(hdev, keys);`
`916`	`916`	`}`
`917`	`917`
`918`	`918`	`static void smp_pairing_br_complete(struct bt_smp_br *smp, uint8_t status)`
`@@ -949,7 +949,7 @@ static void smp_pairing_br_complete(struct bt_smp_br *smp, uint8_t status)`
`949`	`949`	`struct bt_conn_auth_info_cb listener, next;`
`950`	`950`
`951`	`951`	`if (keys) {`
`952`		`- smp_br_id_add_replace(keys);`
	`952`	`+ smp_br_id_add_replace(conn->hdev, keys);`
`953`	`953`	`}`
`954`	`954`
`955`	`955`	`if (bond_flag && keys) {`
`@@ -1074,10 +1074,10 @@ static void smp_br_derive_ltk(struct bt_smp_br *smp)`
`1074`	`1074`	`bt_addr_copy(&addr.a, &conn->br.dst);`
`1075`	`1075`	`addr.type = BT_ADDR_LE_PUBLIC;`
`1076`	`1076`
`1077`		`- keys = bt_keys_find_addr(conn->id, &addr);`
	`1077`	`+ keys = bt_keys_find_addr(conn->hdev, conn->id, &addr);`
`1078`	`1078`	`if (keys != NULL) {`
`1079`	`1079`	`LOG_DBG("Clear the current keys for %s", bt_addr_le_str(&addr));`
`1080`		`- bt_keys_clear(keys);`
	`1080`	`+ bt_keys_clear(conn->hdev, keys);`
`1081`	`1081`	`}`
`1082`	`1082`
`1083`	`1083`	`keys = bt_keys_get_type(conn->hdev, BT_KEYS_LTK_P256, conn->id, &addr);`
`@@ -1266,9 +1266,9 @@ static bool smp_br_pairing_allowed(struct bt_smp_br *smp)`
`1266`	`1266`
`1267`	`1267`	`addr.type = BT_ADDR_LE_PUBLIC;`
`1268`	`1268`	`bt_addr_copy(&addr.a, &conn->br.dst);`
`1269`		`- le_keys = bt_keys_find_addr(BT_ID_DEFAULT, &addr);`
	`1269`	`+ le_keys = bt_keys_find_addr(conn->hdev, BT_ID_DEFAULT, &addr);`
`1270`	`1270`
`1271`		`- key = bt_keys_find_link_key(&conn->br.dst);`
	`1271`	`+ key = bt_keys_find_link_key(conn->hdev, &conn->br.dst);`
`1272`	`1272`	`if (!key) {`
`1273`	`1273`	`return false;`
`1274`	`1274`	`}`
`@@ -1524,7 +1524,7 @@ static void convert_to_id_on_irk_match(struct bt_conn conn, void data)`
`1524`	`1524`
`1525`	`1525`	`if (bt_rpa_irk_matches(keys->irk.val, &conn->le.dst.a)) {`
`1526`	`1526`	`if (conn->le.keys != NULL && conn->le.keys != keys) {`
`1527`		`- bt_keys_clear(conn->le.keys);`
	`1527`	`+ bt_keys_clear(conn->hdev, conn->le.keys);`
`1528`	`1528`	`}`
`1529`	`1529`
`1530`	`1530`	`conn->le.keys = keys;`
`@@ -1564,7 +1564,7 @@ static uint8_t smp_br_ident_addr_info(struct bt_smp_br *smp,`
`1564`	`1564`	`}`
`1565`	`1565`
`1566`	`1566`	`/* Check the BLE connections that has RPA matched with this IRK */`
`1567`		`- keys = bt_keys_get_type(BT_KEYS_IRK, conn->id, &addr);`
	`1567`	`+ keys = bt_keys_get_type(conn->hdev, BT_KEYS_IRK, conn->id, &addr);`
`1568`	`1568`	`if (keys) {`
`1569`	`1569`	`bt_conn_foreach(BT_CONN_TYPE_LE, convert_to_id_on_irk_match, keys);`
`1570`	`1570`	`} else {`