fix(nimble): Fixed BLE security vulnerability when using fixed IRK

components/bt/host/nimble/Kconfig.in

@@ -163,6 +163,16 @@ config BT_NIMBLE_NVS_PERSIST
     help
             Enable this flag to make bonding persistent across device reboots
 
+config BT_NIMBLE_SMP_ID_RESET
+    bool "Reset device identity when all bonding records are deleted"
+    default n
+    help
+        There are tracking risks associated with using a fixed or static IRK.
+        If enabled this option, Bluedroid will assign a new randomly-generated IRK
+        when all pairing and bonding records are deleted. This would decrease the ability
+        of a previously paired peer to be used to determine whether a device
+        with which it previously shared an IRK is within range.
+
 menuconfig BT_NIMBLE_SECURITY_ENABLE
     bool "Enable BLE SM feature"
     depends on BT_NIMBLE_ENABLED

components/bt/host/nimble/nimble

@@ -1 +1 @@
-Subproject commit 6d147bba6cbfe3e49836781a0a6f90e6f52e5538
+Subproject commit c8f12ce6f1ef0e8cf4c143efaa3bb96e2ec31dca

components/bt/host/nimble/port/include/esp_nimble_cfg.h

@@ -824,6 +824,14 @@
 #define MYNEWT_VAL_BLE_SM_THEIR_KEY_DIST (0)
 #endif
 
+#ifndef MYNEWT_VAL_BLE_SMP_ID_RESET
+#ifdef CONFIG_BT_NIMBLE_SMP_ID_RESET
+#define MYNEWT_VAL_BLE_SMP_ID_RESET CONFIG_BT_NIMBLE_SMP_ID_RESET
+#else
+#define MYNEWT_VAL_BLE_SMP_ID_RESET (0)
+#endif
+#endif
+
 #ifndef MYNEWT_VAL_BLE_CRYPTO_STACK_MBEDTLS
 #define MYNEWT_VAL_BLE_CRYPTO_STACK_MBEDTLS (CONFIG_BT_NIMBLE_CRYPTO_STACK_MBEDTLS)
 #endif