transport: ble_gatt: add Kconfig selection for LESC / AUTHEN

mniestroj · mniestroj · commit 33fab68b7713 · 2025-12-17T11:35:40.000+01:00
Introduce Kconfig option for required GATT permissions. Provide 2
options:
 * LE Secure Connection
 * Authentication (with encryption)

This makes sure that proper BT Security Level is reached before trying
being able to access pouch characteristics.

Signed-off-by: Marcin Niestroj &lt;m.niestroj@emb.dev&gt;
diff --git a/src/transport/gatt/Kconfig b/src/transport/gatt/Kconfig
@@ -10,6 +10,17 @@ config POUCH_TRANSPORT_GATT_CUD_ATTRIBUTES
         can be useful during debugging and development to identify
         the characteristics without consulting their UUIDs.
 
+choice POUCH_TRANSPORT_GATT_PERM
+	bool "GATT permissions"
+
+config POUCH_TRANSPORT_GATT_PERM_LESC
+	bool "Require LE Secure Connection for access"
+
+config POUCH_TRANSPORT_GATT_PERM_AUTHEN
+	bool "Require authentication for access"
+
+endchoice # POUCH_TRANSPORT_GATT_PERM
+
 module = POUCH_GATT
 module-str = Pouch GATT
 source "subsys/logging/Kconfig.template.log_config"
diff --git a/src/transport/gatt/device_cert_characteristic.c b/src/transport/gatt/device_cert_characteristic.c
@@ -97,7 +97,7 @@ static ssize_t device_cert_read(struct bt_conn *conn,
 POUCH_GATT_CHARACTERISTIC(device_cert,
                           (const struct bt_uuid *) &pouch_gatt_device_cert_chrc_uuid,
                           BT_GATT_CHRC_READ,
-                          BT_GATT_PERM_READ_LESC,
+                          POUCH_GATT_PERM_READ,
                           device_cert_read,
                           NULL,
                           &device_cert_chrc_ctx);
diff --git a/src/transport/gatt/downlink_characteristic.c b/src/transport/gatt/downlink_characteristic.c
@@ -52,7 +52,7 @@ ssize_t downlink_write(struct bt_conn *conn,
 POUCH_GATT_CHARACTERISTIC(downlink,
                           (const struct bt_uuid *) &pouch_gatt_downlink_chrc_uuid,
                           BT_GATT_CHRC_WRITE,
-                          BT_GATT_PERM_WRITE_LESC,
+                          POUCH_GATT_PERM_WRITE,
                           NULL,
                           downlink_write,
                           NULL);
diff --git a/src/transport/gatt/info_characteristic.c b/src/transport/gatt/info_characteristic.c
@@ -124,7 +124,7 @@ static ssize_t info_read(struct bt_conn *conn,
 POUCH_GATT_CHARACTERISTIC(info,
                           (const struct bt_uuid *) &pouch_gatt_info_chrc_uuid,
                           BT_GATT_CHRC_READ,
-                          BT_GATT_PERM_READ_LESC,
+                          POUCH_GATT_PERM_READ,
                           info_read,
                           NULL,
                           &info_chrc_ctx);
diff --git a/src/transport/gatt/pouch_gatt_declarations.h b/src/transport/gatt/pouch_gatt_declarations.h
@@ -38,3 +38,10 @@
 STRUCT_SECTION_START_EXTERN(bt_gatt_attr);
 #define POUCH_GATT_ATTR_ARRAY_PTR STRUCT_SECTION_START(bt_gatt_attr)
 #define POUCH_GATT_ATTR_ARRAY_LEN(dst) STRUCT_SECTION_COUNT(bt_gatt_attr, dst)
+
+#define POUCH_GATT_PERM_READ                                                        \
+    (IS_ENABLED(CONFIG_POUCH_TRANSPORT_GATT_PERM_AUTHEN) ? BT_GATT_PERM_READ_AUTHEN \
+                                                         : BT_GATT_PERM_READ_LESC)
+#define POUCH_GATT_PERM_WRITE                                                        \
+    (IS_ENABLED(CONFIG_POUCH_TRANSPORT_GATT_PERM_AUTHEN) ? BT_GATT_PERM_WRITE_AUTHEN \
+                                                         : BT_GATT_PERM_WRITE_LESC)
diff --git a/src/transport/gatt/server_cert_characteristic.c b/src/transport/gatt/server_cert_characteristic.c
@@ -153,7 +153,7 @@ static ssize_t server_cert_write(struct bt_conn *conn,
 POUCH_GATT_CHARACTERISTIC(server_cert,
                           (const struct bt_uuid *) &pouch_gatt_server_cert_chrc_uuid,
                           BT_GATT_CHRC_READ | BT_GATT_CHRC_WRITE,
-                          BT_GATT_PERM_READ_LESC | BT_GATT_PERM_WRITE_LESC,
+                          POUCH_GATT_PERM_READ | POUCH_GATT_PERM_WRITE,
                           server_cert_serial_read,
                           server_cert_write,
                           &server_cert_chrc_ctx);
diff --git a/src/transport/gatt/uplink_characteristic.c b/src/transport/gatt/uplink_characteristic.c
@@ -198,7 +198,7 @@ static void uplink_indicate_destroy(struct bt_gatt_indicate_params *params)
 POUCH_GATT_CHARACTERISTIC(uplink,
                           (const struct bt_uuid *) &pouch_gatt_uplink_chrc_uuid,
                           BT_GATT_CHRC_READ | BT_GATT_CHRC_INDICATE,
-                          BT_GATT_PERM_READ_LESC,
+                          POUCH_GATT_PERM_READ,
                           uplink_read,
                           NULL,
                           &uplink_chrc_ctx);
