fix(nimble): Fixed BLE security vulnerability when using fixed IRK

components/bt/host/nimble/Kconfig.in

@@ -164,6 +164,16 @@ config BT_NIMBLE_NVS_PERSIST
     help
             Enable this flag to make bonding persistent across device reboots
 
+config BT_NIMBLE_SMP_ID_RESET
+    bool "Reset device identity when all bonding records are deleted"
+    default n
+    help
+        There are tracking risks associated with using a fixed or static IRK.
+        If enabled this option, Bluedroid will assign a new randomly-generated IRK
+        when all pairing and bonding records are deleted. This would decrease the ability
+        of a previously paired peer to be used to determine whether a device
+        with which it previously shared an IRK is within range.
+
 menuconfig BT_NIMBLE_SECURITY_ENABLE
     bool "Enable BLE SM feature"
     depends on BT_NIMBLE_ENABLED

components/bt/host/nimble/nimble

@@ -1 +1 @@
-Subproject commit ec9f21253ae539b44855fed223bee52979a9d251
+Subproject commit 46ae5865554f2fd7df829b6b9b5ca24522b9ad76

components/bt/host/nimble/port/include/esp_nimble_cfg.h

@@ -892,6 +892,14 @@
 #define MYNEWT_VAL_BLE_SM_THEIR_KEY_DIST (0)
 #endif
 
+#ifndef MYNEWT_VAL_BLE_SMP_ID_RESET
+#ifdef CONFIG_BT_NIMBLE_SMP_ID_RESET
+#define MYNEWT_VAL_BLE_SMP_ID_RESET CONFIG_BT_NIMBLE_SMP_ID_RESET
+#else
+#define MYNEWT_VAL_BLE_SMP_ID_RESET (0)
+#endif
+#endif
+
 #ifndef MYNEWT_VAL_BLE_CRYPTO_STACK_MBEDTLS
 #define MYNEWT_VAL_BLE_CRYPTO_STACK_MBEDTLS (CONFIG_BT_NIMBLE_CRYPTO_STACK_MBEDTLS)
 #endif