bluetooth: host: Deprecate data signing (CONFIG_BT_SIGNING) and LE security mode 2#99204
The following west manifest projects have changed revision in this Pull Request.
All manifest checks OK.
Pull Request Overview
This PR deprecates Bluetooth LE Security mode 2 and data signing support due to security vulnerabilities (replay attacks) and specification changes (ES-18901 deprecates data signing). The deprecation marks CONFIG_BT_SIGNING and BT_GATT_CHRC_AUTH as deprecated while removing associated tests and updating sample code.
Key changes:
- Marked `CONFIG_BT_SIGNING` Kconfig option and `BT_GATT_CHRC_AUTH` macro as deprecated
- Removed data signing test cases and BTP signed write commands from test infrastructure
- Updated sample applications to remove signing-specific code and refactor variable/function names
- Removed data signing related ICS features from Bluetooth qualification files
Reviewed Changes
Copilot reviewed 50 out of 50 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| west.yml | Updates EDTT tool remote and revision to reference PR branch for corresponding test changes |
| tests/bsim/bluetooth/tester/src/bsim_btp.c | Removes BTP signed write without response opcode validation |
| tests/bsim/bluetooth/ll/edtt/gatt_test_app/src/gatt/service_f_1.c | Removes BT_GATT_CHRC_AUTH from characteristic properties and updates copyright |
| tests/bsim/bluetooth/ll/conn/prj_*.conf | Removes CONFIG_BT_SIGNING from multiple test configuration files |
| tests/bluetooth/tester/src/btp_gatt.c | Removes signed write without response command handler implementation |
| tests/bluetooth/tester/src/btp/btp_gatt.h | Removes BTP_GATT_SIGNED_WRITE_WITHOUT_RSP opcode and command structure definitions |
| tests/bluetooth/tester/prj.conf | Removes CONFIG_BT_SIGNING configuration |
| tests/bluetooth/shell/*.conf | Removes CONFIG_BT_SIGNING from shell test configurations |
| tests/bluetooth/qualification/ICS_Zephyr_Bluetooth_Host.pts | Updates QDID and removes ICS entries for data signing features |
| tests/bluetooth/qualification/ICS_Zephyr_Bluetooth_Host.bqw | Updates qualification workspace with new QDID, date, and removes signing features |
| tests/bluetooth/init/testcase.yaml | Removes test cases 7, 8, 9, and 14 that were specific to signing configurations |
| tests/bluetooth/init/prj_*.conf | Removes CONFIG_BT_SIGNING from initialization test configurations |
| subsys/bluetooth/host/shell/gatt.c | Removes printing of BT_GATT_CHRC_AUTH property in characteristic property display |
| subsys/bluetooth/host/Kconfig | Adds DEPRECATED selection to CONFIG_BT_SIGNING option |
| samples/bluetooth/peripheral_accept_list/src/main.c | Renames signed-related variables/functions to generic names (signed_value → stored_value) |
| samples/bluetooth/peripheral_accept_list/prj.conf | Removes CONFIG_BT_SIGNING configuration |
| samples/bluetooth/peripheral/src/main.c | Removes signed write characteristic and associated handler functions |
| samples/bluetooth/peripheral/prj.conf | Removes CONFIG_BT_SIGNING configuration |
| samples/bluetooth/direct_adv/src/main.c | Renames signed-related variables/functions to generic names and reformats function signatures |
| samples/bluetooth/direct_adv/prj.conf | Removes CONFIG_BT_SIGNING configuration |
| include/zephyr/bluetooth/gatt.h | Adds @deprecated tag to BT_GATT_CHRC_AUTH macro documentation |
| doc/releases/migration-guide-4.4.rst | Documents deprecation of CONFIG_BT_SIGNING and BT_GATT_CHRC_AUTH |
Thalley left a comment:
Nice job on the PR and the description and explanation. A few comments/questions
bqw changes are based on TCRL PKG100, right?
This commit deprecates:
- the `CONFIG_BT_SIGNING` Kconfig option
- `BT_GATT_CHRC_AUTH` property

IOW, this commit deprecates the LE Security mode 2 support.

Explanation:

Erratum ES-26047 introduced in Bluetooth Core Specification v6.2 requires SignCounter to be persistently stored to prevent replay attacks. Currently, the Host doesn't store SignCounter, therefore the device is vulnerable to replay attacks after reboot. Additionally, the current implementation doesn't assume that SignCounter of a received message can be incremented by more than one and thus may not validate a correct message.

The Bluetooth Security and Privacy Best Practices Guide recommends not using Data signing and recommends using LE Security mode 1 levels 2, 3 or 4 instead.

The Signed Write Without Response sub-procedure, which is the only user of Data signing, is optional (see Vol 3, Part G, Table 4.1).

See also ES-18901.

For the aforementioned reasons, it makes no sense to keep this feature.

Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
Remove duplicated prj.conf files.

prj_6, prj_7, prj_14 are identical. Since prj_6.conf is unchanged, keeping it.
prj_8, prj_9, prj_15 are identical. Since prj_15.conf is unchanged, keeping it.

Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
This commit removes data signing related ICS.

Removed ICS:
- SM 6/1: Signing Algorithm Generation
- SM 6/2: Signing Algorithm Resolving
- GATT 3/13: Signed Write Without Response
- GATT 9/10: Signed Write Command
- GATT 7/3: LE Security mode 2
- GAP 25/2: LE Security mode 2
- GAP 35/2: LE Security mode 2
- GAP 25/5: Connection data signing procedure
- GAP 35/5: Connection data signing procedure
- GAP 25/6: Authenticate signed data procedure
- GAP 35/6: Authenticate signed data procedure
- GAP 27b/8: Connection Signature Resolving Key (CSRK)
- GAP 37b/8: Connection Signature Resolving Key (CSRK)

The following tests are not supported any longer:
- GAP/SEC/CSIGN/BI-01-C
- GAP/SEC/CSIGN/BI-02-C
- GAP/SEC/CSIGN/BI-03-C
- GAP/SEC/CSIGN/BI-04-C
- GAP/SEC/CSIGN/BV-01-C
- GAP/SEC/CSIGN/BV-02-C
- GATT/CL/GAW/BV-02-C
- SM/CEN/SIGN/BV-01-C

Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
Reverted edttools hash in west.yaml and created a follow-up issue there instead.
| static ssize_t read_signed(struct bt_conn *conn, const struct bt_gatt_attr *attr, | ||
| void *buf, uint16_t len, uint16_t offset) | ||
| static ssize_t read_cb(struct bt_conn *conn, const struct bt_gatt_attr *attr, void *buf, | ||
| uint16_t len, uint16_t offset) |
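Review bot: `read_cb` in the new prototype is a very generic name for the sample's characteristic read callback; since this PR already renames `signed_value` to `stored_value`, a matching name such as `read_stored_value` would keep the callback tied to the attribute it serves. The continuation line `uint16_t len, uint16_t offset)` should also be indented with a tab rather than spaces, matching the rest of the file.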
Inconsistent indentation: Line 40 uses 7 spaces for continuation indentation while the surrounding code and other files use tabs. This should be changed to use a single tab for consistency.
| uint16_t len, uint16_t offset) | |
| uint16_t len, uint16_t offset) |
Yes

@alwa-nordic, please review again.
This PR deprecates:
- `CONFIG_BT_SIGNING` Kconfig option
- `BT_GATT_CHRC_AUTH` property

IOW, this commit deprecates the LE Security mode 2 support.
Explanation:
Erratum ES-26047 introduced in Bluetooth Core Specification v6.2 requires SignCounter to be persistently stored to prevent replay attacks.
Currently, the Host doesn't store SignCounter, therefore the device is vulnerable to replay attacks after reboot.
Additionally, the current implementation doesn't assume that SignCounter of a received message can be incremented by more than one and thus may not validate a correct message.
The Bluetooth Security and Privacy Best Practices Guide recommends not using Data signing and recommends using LE Security mode 1 levels 2, 3 or 4 instead.
The Signed Write Without Response sub-procedure, which is the only user of Data signing, is optional (see Vol 3, Part G, Table 4.1).
See also ES-18901.
For the aforementioned reasons, it makes no sense to keep this feature.

Removed ICS:
- SM 6/1: Signing Algorithm Generation
- SM 6/2: Signing Algorithm Resolving
- GATT 3/13: Signed Write Without Response
- GATT 9/10: Signed Write Command
- GATT 7/3: LE Security mode 2
- GAP 25/2: LE Security mode 2
- GAP 35/2: LE Security mode 2
- GAP 25/5: Connection data signing procedure
- GAP 35/5: Connection data signing procedure
- GAP 25/6: Authenticate signed data procedure
- GAP 35/6: Authenticate signed data procedure
- GAP 27b/8: Connection Signature Resolving Key (CSRK)
- GAP 37b/8: Connection Signature Resolving Key (CSRK)

The following tests are not supported any longer:
- GAP/SEC/CSIGN/BI-01-C
- GAP/SEC/CSIGN/BI-02-C
- GAP/SEC/CSIGN/BI-03-C
- GAP/SEC/CSIGN/BI-04-C
- GAP/SEC/CSIGN/BV-01-C
- GAP/SEC/CSIGN/BV-02-C
- GATT/CL/GAW/BV-02-C
- SM/CEN/SIGN/BV-01-C

Corresponding AutoPTS PR: auto-pts/auto-pts#1610 -> Not needed for now as there are other platforms that use AutoPTS (see discussion in the PR).
Corresponding EDTTools PR: EDTTool/EDTT#88 -> Commented out tests instead and created a follow-up issue: EDTTool/EDTT#89
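The two weaknesses the description gives as reasons for the deprecation (SignCounter lost on reboot, and a receiver that only accepts last + 1), modelled as an added example in C; this is not Zephyr's host code, and `sign_state`, `sign_check` and the NVS slot are hypothetical stand-ins for the real bonding storage:

```c
#include <stdbool.h>
#include <stdint.h>

/* Receiver-side SignCounter state for one bonded peer (hypothetical model). */
struct sign_state {
	bool have_counter;     /* false until the first signed PDU is accepted */
	uint32_t last_counter; /* highest SignCounter accepted so far */
};

/* Simulated non-volatile slot; survives the simulated reboot below. */
static struct sign_state nvs_slot;

/* Validate a received SignCounter. strict: only last + 1 passes (the assumption
 * the PR says the current Host makes); otherwise any value above last passes and
 * a replay (<= last) is rejected. persist: mirror to NVS, as ES-26047 requires. */
bool sign_check(struct sign_state *st, uint32_t counter, bool strict, bool persist)
{
	if (st->have_counter &&
	    (strict ? counter != st->last_counter + 1U : counter <= st->last_counter)) {
		return false;
	}
	st->have_counter = true;
	st->last_counter = counter;
	if (persist) {
		nvs_slot = *st;
	}
	return true;
}

/* Peer sends counters 5 and 6, the receiver reboots, then a copy of the
 * counter-5 PDU arrives again. Returns true if that replay is accepted. */
bool replay_after_reboot_accepted(bool persist)
{
	struct sign_state st = { 0 };
	nvs_slot = (struct sign_state){ 0 };
	(void)sign_check(&st, 5, false, persist);
	(void)sign_check(&st, 6, false, persist);
	/* Reboot: RAM state is lost; only a persisted counter comes back. */
	st = persist ? nvs_slot : (struct sign_state){ 0 };
	return sign_check(&st, 5, false, persist);
}

/* Sender's counter jumps from 5 to 7 (a PDU in between was never received).
 * Returns true if the receiver still accepts the counter-7 PDU. */
bool skipped_counter_accepted(bool strict)
{
	struct sign_state st = { 0 };
	(void)sign_check(&st, 5, strict, false);
	return sign_check(&st, 7, strict, false);
}
```

Without persistence the replayed counter-5 PDU is accepted after the reboot; with the strict check the legitimate counter-7 PDU is rejected, which is why the description argues LE Security mode 1 is the better choice.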