CC1352P7: BLE Peripheral security setting gets overwritten by the central

Any updates? 
This is a gentle reminder that I am still waiting for your response.

Any updates?

Hi Omid !

I want to first apologize for the delay of my answer, the thread was initially assigned to an outdated email. This is now fixed, and will now receive support much quickly.

The SysConfig option that you selected indicates that after a connection, the peripheral will attempt to start the pairing process. However, its possible that the central has sent such a pairing request before your peripheral did, and so they were the one to initiate the pairing.

I'm not exactly sure what your goal is. It sounds like you are not satisfied by the central sending a pairing request instead of your peripheral, even though both scenario should end in your device being paired. If your goal is to enforce pairing and bonding with your peripheral, you could protect your characteristics and services by setting their permissions to require authenticated bonding in order to be read. You can see how to do this in the chapter of the User Guide about GATT security.

Kind regards,
Lea

Thanks for your replay Lea,



Well what I want to do is to force paring and secured connection by the peripheral.
I mean regardless of what central does, I want that the peripheral forces the connection to be in secured L2 level.

I can do that simply in Zephyr RTOS, but for some reason the central over-rides this set up.
I tried nrfConnect application on my phone, on that app, the peripheral forces the paring but when I use my custom central app that I created on zephyr RTOS and nrfSDK, the central forces its way through and the security level would be one.

So, I am wondering how I can fix this?
I rather to make all the connections secure from the get go than enforcing security on the characteristics.
However, if that's the only way to enforce encrypted communication I would then resort to that work around.

thanks.

Hi !

The security level of a connection is defined by the Bluetooth specification, and takes into account multiple parameters. It will always try to reach the highest level of security it can with the parameters it was given, such as LE Secure Connection support, IO capabilities, etc.

If the Central refuses to reach a L2 level of security because it cannot or refuses to for some reason, the peripheral cannot force the connection to be upgraded. For example, in Zephyr, the bt_conn_set_security sets the required security level in a variable (conn->required_sec_level). When the security level is changed, the level is compared to the previously desired level. If the level is lower, then the user is free to terminate the connection.

You could do the same thing using SimpleLink SDK, where you are reading the security level of your connection in the GapManager callbacks, and if this level is insufficient, you can terminate the connection. On top of that, I would recommend to set the GATT security level of your characteristics as I have mentioned in my last post.

Kind regards,
Lea

Thanks Lea,

I see, yes, on my zephyr programs I usually do exactly the same on the peripheral to force the security level to L2 from the peripheral side.
Can you give me a code snippet with the gap callbacks and everything, and on what event callback I should terminate it and with what API.

thanks

Hi,

Most of what you need is in the app_pairing.c file of the basic_ble example.
First, the callback for the pairing state changed is handled through the PairingPairStateHandler variable. The event mask is set to have the event related to pairing completion.

Next, in the event handler function (Pairing_pairStateHandler), you can use the linkDB_Encrypted macro to check if your connection is indeed encrypted (AKA Security L2 in BLE). If the connection is not encrypted, you can drop the connection using GAP_TerminateLinkReq.

Your function would look like this :

void Pairing_pairStateHandler(uint32 event, BLEAppUtil_msgHdr_t *pMsgData)
{
    switch (event)
    {
        ...
        
        case BLEAPPUTIL_PAIRING_STATE_COMPLETE:
        {
            MenuModule_printf(APP_MENU_PAIRING_EVENT, 0, "Pairing Status: Complete - "
                              "connectionHandle = "MENU_MODULE_COLOR_YELLOW "%d " MENU_MODULE_COLOR_RESET
                              "status = "MENU_MODULE_COLOR_YELLOW "%d " MENU_MODULE_COLOR_RESET,
                              ((BLEAppUtil_PairStateData_t *)pMsgData)->connHandle,
                              ((BLEAppUtil_PairStateData_t *)pMsgData)->status);

            
            // If the connection is not encrypted/L2 security is not reached
            if (!linkDB_Encrypted(((BLEAppUtil_PairStateData_t *)pMsgData)->connHandle)))
            {
              GAP_TerminateLinkReq(((BLEAppUtil_PairStateData_t *)pMsgData)->connHandle, 0x16);
            }
            break;
        }

        ...

        default:
        {
            break;
        }
    }

}

Kind regards,
Lea

Thanks for the details, but I am not using the basic BLE app.
I am using the simple_peripheral example and there is no app_pairing.c in that example.
Also, I realized there is no simple_ble example for my chip which is cc1352p7_1 (my sdk version is 8.30.1.1)

Best,
Omid