Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp971361ybh; Tue, 10 Mar 2020 11:54:14 -0700 (PDT) X-Google-Smtp-Source: ADFU+vswcQG0oi43DJ1kzSL5YS9GreNZQxil3fCKk4bjbb3DbAXIKp6A8Y/Mk5FeIvPQcSYCk71E X-Received: by 2002:aca:aa12:: with SMTP id t18mr2250611oie.95.1583866454011; Tue, 10 Mar 2020 11:54:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583866454; cv=none; d=google.com; s=arc-20160816; b=NjC0n3WaqCiwsLfuVdvM4I6RfX2rAGKX082nJYNI17umQTPzYJlUJw3/Erevahfx9o EIVcpJwTWxjUNfj3K724xwqrNIgKbZkHg5hXS4TtdAhclo+yMFa3g8xzO/6WrxxVFtXm /d16eG7Il/LsNkiN/tJ4TH/bKCswAoziqWxnM/BkIdO3BQglTlc0qsctnut+sZhAuB5Y M3r9jYaHs1P22P2+QVfAiw1RsQjX8epBM8PgKmceLf3jNIGUQmIjKL5qjxrYFAR4jn+c VQdOlEElqhf5zIzh0F/ql/hyeM/46zX1782PR218kucvWKxETDOp64KtD1S9aYgdF8wj 3A5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=5JfwtY3rkRmm7ZnZcwC7Gg+rLqTwd+n5YM++K590c5U=; b=QdemaNCTiQyyqJW0s/qitD6MbzTyAlBkP3WKXGnAoCjN/Z/0mAAjI6XI++07Jn81PR rKv00zbxGymTZk4RK7YE2KEf58kuaoI3oojHnxkEpj8QRwvlonZ8OOhnqsucRxrwXqTX KWW/U+BcUvGn2r/BL/UxofQg3VhnF/eww+F73DFSe1CZvc5M0MhYvZAxKa06mPOK11JT t6/M3gE+/7jBEifHN8MPtaDlHttvjJRnX4SfaZz5UaWRd3U/o7ajzwaX7O2D5CCdoxej zXKfWBCXpU7Ic7rAVsfKoZNotOL5W2OQ5TgVICN588wuo9L63TBoaXgq+50bymYMETw6 VPvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Rf7+fK1m; spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n2si229110otf.117.2020.03.10.11.53.59; Tue, 10 Mar 2020 11:54:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Rf7+fK1m; spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726851AbgCJSxt (ORCPT + 99 others); Tue, 10 Mar 2020 14:53:49 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:42659 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726315AbgCJSxt (ORCPT ); Tue, 10 Mar 2020 14:53:49 -0400 Received: by mail-lf1-f67.google.com with SMTP id t21so11816828lfe.9 for ; Tue, 10 Mar 2020 11:53:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5JfwtY3rkRmm7ZnZcwC7Gg+rLqTwd+n5YM++K590c5U=; b=Rf7+fK1mlHKOaxhSjhYodbGHJWWDco5W4k9W4GB1rvL3a1wfDKUHurddGyTEjqvEWr 7j4m3cbLYPCTyvXeE7kafqCZ3rGHvGdWho875/QxJCKwIa5DW0+WqydORWfo1TZWqjmp jDz2yR2V3qBVVe5JesUdNP4U4LWwPoC1n3mbbg1ZOyuYRBOhUm13N76eUOYapesiBiHv SD7Zs91xwyZ6Fg9WQIMLJhEAWpBptmQMcnRZxPO6GrO2iVQ46oO0gua19SYRoPcJkPxf AIZJKcrdQjG4VzdnxvCaG+YKSi/WzE8UmmVMj+C9vm4Ba/QPF/UcuXK9chXF0gQK2aiy Z6YQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5JfwtY3rkRmm7ZnZcwC7Gg+rLqTwd+n5YM++K590c5U=; b=Ya9rtMHFjgT28RU4YgVJ6CNAhfu0Ewixy51ag8qcqILfJuu8Nd1hLAC9SuHvBMm46M DUL8y9Dq0xlsljA5XMTIhSXZz515aTc7QagJXPanqZyCtPXpEShC+Q+JDEoysibwW6Dy pEnJSZj5EL+MuHWgP4vF6JUKdaGcijI08whe0dBnaA+Dz870GKkA3a5Hwn11TDHRJBv+ uxc3HVJknbdRdq/dPinalJ3gJ6kc7a9CZuqvFceJlwI8xstl3ZC8NlBtclW+iSoWXUrB 0zDcCcZfYlv+opQjWEwY9zun9eGluaaXnVMELHst0bhM2kqjye7mHNfzQT6Lk5p8oNS4 0RLg== X-Gm-Message-State: ANhLgQ0eegzrGbN610SnDY5wsiVlZws5ZO2KAGQh88w5RfexN4giybfw xI4b8OjgBG9+HE2lm7Xs+NNGHowmP7osZpEpmHZYDA== X-Received: by 2002:a05:6512:49e:: with SMTP id v30mr4306447lfq.158.1583866425601; Tue, 10 Mar 2020 11:53:45 -0700 (PDT) MIME-Version: 1.0 References: <20200310173649.32722-1-luiz.dentz@gmail.com> In-Reply-To: From: Alain Michaud Date: Tue, 10 Mar 2020 14:53:31 -0400 Message-ID: Subject: Re: [PATCH BlueZ] input: hog: Attempt to set security level if not bonded To: Luiz Augusto von Dentz Cc: BlueZ Content-Type: text/plain; charset="UTF-8" Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Luiz, On Tue, Mar 10, 2020 at 2:46 PM Luiz Augusto von Dentz wrote: > > Hi Alain, > > On Tue, Mar 10, 2020 at 11:37 AM Alain Michaud wrote: > > > > Hi Luiz, > > > > On Tue, Mar 10, 2020 at 2:27 PM Luiz Augusto von Dentz > > wrote: > > > > > > Hi Alain, > > > > > > On Tue, Mar 10, 2020 at 11:04 AM Alain Michaud wrote: > > > > > > > > Hi Luiz, > > > > > > > > On Tue, Mar 10, 2020 at 1:36 PM Luiz Augusto von Dentz > > > > wrote: > > > > > > > > > > From: Luiz Augusto von Dentz > > > > > > > > > > This attempts to set the security if the device is not bonded, the > > > > > kernel will block any communication on the ATT socket while bumping > > > > > the security and if that fails the device will be disconnected which > > > > > is better than having the device dangling around without being able to > > > > > communicate with it until it is properly bonded. > > > > > --- > > > > > profiles/input/hog.c | 13 +++++++++++-- > > > > > 1 file changed, 11 insertions(+), 2 deletions(-) > > > > > > > > > > diff --git a/profiles/input/hog.c b/profiles/input/hog.c > > > > > index dfac68921..f0226ebbd 100644 > > > > > --- a/profiles/input/hog.c > > > > > +++ b/profiles/input/hog.c > > > > > @@ -49,6 +49,8 @@ > > > > > #include "src/shared/util.h" > > > > > #include "src/shared/uhid.h" > > > > > #include "src/shared/queue.h" > > > > > +#include "src/shared/att.h" > > > > > +#include "src/shared/gatt-client.h" > > > > > #include "src/plugin.h" > > > > > > > > > > #include "suspend.h" > > > > > @@ -187,8 +189,15 @@ static int hog_accept(struct btd_service *service) > > > > > } > > > > > > > > > > /* HOGP 1.0 Section 6.1 requires bonding */ > > > > > - if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) > > > > > - return -ECONNREFUSED; > > > > > + if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) { > > > > > + struct bt_gatt_client *client; > > > > > + > > > > > + client = btd_device_get_gatt_client(device); > > > > > + if (!bt_gatt_client_set_security(client, > > > > > + BT_ATT_SECURITY_MEDIUM)) { > > > > > + return -ECONNREFUSED; > > > > > + } > > > > > + } > > > > I wonder if this is really necessary. For example, this may cause a > > > > device the user has not deliberately bonded to suddenly expose a HOG > > > > Service which will trigger the user to pair (most users are known to > > > > blindly accept the pairing). I believe the previous posture is more > > > > secure by having the user deliberately pair HID devices as opposed to > > > > on demand. > > > > > > There are dedicated APIs to connect specific profiles, so if > > > hog_accept is reached it means the user/application does want to > > > connect HoG and in that case it should trigger bonding, so this only > > > automate the process, like Ive commented for legacy HID we already > > > attempt to bump the security in a similar way. Having the user > > > deliberately pair may cause breakage since in most cases the GATT > > > services do that on demand, in fact HoG is possibly the only exception > > > to that since it appear to mandate encryption at connection level > > > rather than on attribute level, so if the user had a peripheral that > > > used to not require bonding it will suddenly stop working but if we do > > > have this change it would possible still work after the pairing > > > procedure is complete. > > The outgoing contract where the user somehow asked for the profile to > > be connected and would result in pairing, I'm ok with. However, this > > being in the accept path, it doesn't seem to always be client side > > initiated, so that still seems like a concern to me. > > Since this is a profile so we are always acting as GATT client here, > so it is either initiated by the client when setting up a new > peripheral or it has been previously setup with Add Device and is > marked to auto connect, the later is exactly the problem I described > that there could be existing peripheral not requiring bonding that > suddenly stop working. My understanding is that the HOG service can get added to any other device through a service change notification or other means, so I don't think it is a safe assumption that this code will only execute if a user explicitly requested it. You are correct that the change may cause a device to stop working if it was using HOGP without bonding, but this would also be a non compliant device and one that compromises the system's security. I'm ok if we make this a configuration in case you believe the compatibility with these sorts of scenarios must be maintained. > > > > > > > > > > > > > > > > > > /* TODO: Replace GAttrib with bt_gatt_client */ > > > > > bt_hog_attach(dev->hog, attrib); > > > > > -- > > > > > 2.21.1 > > > > > > > > > > > > > > > > > -- > > > Luiz Augusto von Dentz > > > > -- > Luiz Augusto von Dentz