
SMP Server Sample with CONFIG_MCUMGR_SMP_BT_AUTHEN=y

Hello everyone!

I have an issue with upgrading firmware over Bluetooth LE with mandatory pairing of devices. I want only paired devices to have the ability to upgrade firmware over Bluetooth LE, and not all merely connected ones. Thus, I am considering your example SMP Server Sample. In its current state, it allows all unauthenticated devices to try to upgrade the firmware, and only checking the image signature will prevent an intruder's image from running. As I guess, I have to set CONFIG_MCUMGR_SMP_BT_AUTHEN=y (https://docs.zephyrproject.org/latest/reference/kconfig/CONFIG_MCUMGR_SMP_BT_AUTHEN.html) and modify your example. For some unknown reason, the provided example doesn't work for me with CONFIG_MCUMGR_CMD_FS_MGMT set, so I commented out the line with CONFIG_MCUMGR_CMD_FS_MGMT=y. Otherwise, it just reboots repeatedly after jumping to the first image slot from MCUBoot. All other modifications are related to adding the required authentication callbacks and registering them. Also, I added a security_changed callback. After that, I built and flashed the image:

west build -b nrf52840dk_nrf52840 . -- -DOVERLAY_CONFIG=overlay-bt.conf
west flash --bin-file build/zephyr/app_update.bin --erase


And when I tried to upgrade the firmware using nRF Connect for Android, everything was merely "frozen" without any progress.



Although the devices were paired successfully, as it seems:

...
[00:00:52.611,663] <inf> smp_bt_sample: Connected
[00:01:20.849,884] <inf> smp_bt_sample: Pairing confirmed: 5a:3c:d2:fb:bc:2d (random).
[00:01:21.269,958] <inf> smp_bt_sample: Security changed: 5a:3c:d2:fb:bc:2d (random) level 2.
[00:01:21.285,949] <inf> smp_bt_sample: Pairing completed: 20:47:da:12:f4:e8 (public), bonded: 1.
[00:01:22.514,953] <inf> smp_bt_sample: Security changed: 20:47:da:12:f4:e8 (public) level 2.


And there's nothing further in the UART logs. The new firmware didn't upload at all. It's the same with both the stable and master branches of nRF Connect SDK. I run it on an nRF52840 DK. Can you explain to me how to implement firmware upgrade over Bluetooth with mandatory device pairing?

In the attachment you can find a modified SMP Server Sample with the pairing features described above.

7345.smp_svr_with_auth.zip

So, please tell me how to properly modify this example to make it work with CONFIG_MCUMGR_SMP_BT_AUTHEN=y?

  • Hi Roman, 
    I think I found what could be wrong here. 
    If you have a look inside smp_bt_attrs[] in smp_bt.c you can find that the characteristic permission is set to BT_GATT_PERM_WRITE_AUTHEN and BT_GATT_PERM_WRITE_AUTHEN when you enable CONFIG_MCUMGR_SMP_BT_AUTHEN. 

    This requires the link to be not only encrypted but also authenticated. This means the pairing needs to be done with MITM protection (passkey, OOB, etc.).

    But there isn't a passkey_display function declared in conn_auth_callbacks inside bluetooth.c so there is no MITM protection when you do bonding with the phone. This explains why the phone couldn't do FOTA. 

    So you have 2 options. One is to change the permission of the SMP_SVR characteristic to BT_GATT_PERM_WRITE_ENCRYPT and BT_GATT_PERM_READ_ENCRYPT instead of _AUTHEN, so you only request pairing without MITM.

    Or you can add a passkey display callback into bluetooth.c so that you can handle pairing with a passkey. For example, something like this:

    static void auth_passkey_display(struct bt_conn *conn, unsigned int passkey)
    {
    	char addr[BT_ADDR_LE_STR_LEN];
    
    	bt_addr_le_to_str(bt_conn_get_dst(conn), addr, sizeof(addr));
    
    	printk("Passkey for %s: %06u\n", addr, passkey);
    }
    
    static struct bt_conn_auth_cb conn_auth_callbacks = {
        .cancel = auth_cancel,
        .pairing_confirm = pairing_confirm,
        .pairing_complete = pairing_complete,
        .pairing_failed = pairing_failed,
        .passkey_display = auth_passkey_display,
    };
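
Why the "level 2" link in the log cannot write to a characteristic guarded by BT_GATT_PERM_WRITE_AUTHEN, shown as an added example that is not part of the original answer or of Zephyr's source: a simplified, self-contained C model of the permission check. All names in it (sec_level, level_after_pairing, check_write) are hypothetical; only the security level numbers and the ATT error codes are real.

```c
/* Simplified model of the ATT permission check; names are constructed for
 * this example and are not Zephyr identifiers. */
#include <stdio.h>

/* Link security levels, numbered as in the "Security changed" log lines. */
enum sec_level {
    SEC_L1 = 1, /* no encryption */
    SEC_L2 = 2, /* encrypted, unauthenticated (Just Works pairing) */
    SEC_L3 = 3, /* encrypted and authenticated (passkey, OOB) */
};

enum pairing { PAIR_NONE, PAIR_JUST_WORKS, PAIR_PASSKEY };
enum write_perm { PERM_WRITE_ENCRYPT, PERM_WRITE_AUTHEN };

/* ATT error codes defined by the Bluetooth Core Specification. */
#define ATT_OK                 0x00
#define ATT_ERR_INSUFF_AUTHEN  0x05
#define ATT_ERR_INSUFF_ENCRYPT 0x0F

/* Without a passkey/OOB callback the device can only offer Just Works. */
enum sec_level level_after_pairing(enum pairing p)
{
    switch (p) {
    case PAIR_PASSKEY:    return SEC_L3;
    case PAIR_JUST_WORKS: return SEC_L2;
    default:              return SEC_L1;
    }
}

/* Returns ATT_OK or the ATT error this model rejects the write with. */
int check_write(enum write_perm perm, enum sec_level lvl)
{
    if (perm == PERM_WRITE_AUTHEN && lvl < SEC_L3)
        return ATT_ERR_INSUFF_AUTHEN;
    if (lvl < SEC_L2)
        return ATT_ERR_INSUFF_ENCRYPT;
    return ATT_OK;
}

int main(void)
{
    static const char *names[] = { "none", "just-works", "passkey" };
    for (int p = PAIR_NONE; p <= PAIR_PASSKEY; p++) {
        enum sec_level lvl = level_after_pairing((enum pairing)p);
        printf("%-10s level %d  _ENCRYPT -> 0x%02X  _AUTHEN -> 0x%02X\n",
               names[p], lvl, check_write(PERM_WRITE_ENCRYPT, lvl),
               check_write(PERM_WRITE_AUTHEN, lvl));
    }
    return 0;
}
```

With the _ENCRYPT permissions a Just Works bond is enough to write, so the link is encrypted but the pairing had no MITM protection; adding the passkey callback keeps the _AUTHEN requirement in place.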

  • Wow, you're great! Thanks for your quick and informative response! It completely helped me, and now everything works.
