/* * Copyright (C) 2018 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.hardware.biometrics.face@1.0; import IBiometricsFaceClientCallback; /** * The HAL interface for biometric face authentication. */ interface IBiometricsFace { /** * Sets the current client callback. * * Registers a user function that must receive notifications from the HAL. * There is usually only one client (FaceService). This call must block * if the HAL state machine is in busy state until the HAL leaves the * busy state. * * All callback methods pass a deviceId to differentiate callback * invocations in the case where multiple sensors exist. * * @param clientCallback The client defined callback to register. * @return result, with its "value" parameter representing a "deviceId", * which must be unique for a given sensor. */ @callflow(next={"setActiveUser"}) @entry setCallback(IBiometricsFaceClientCallback clientCallback) generates (OptionalUint64 result); /** * Sets the active user, which all subsequent HAL operations are applied to. * * HAL service implementors must ensure that operations are restricted to * the given user. Clients must not call any part of this interface, except * for setCallback(), without first having set an active user. The * implementation is responsible for cancelling the current operation and * returning to the idle state. Calling this method with the same userId * should have no effect on the state machine. * * Note that onLockoutChanged() MUST be invoked by the implementation in * response to a user change in order to update the framework with the * timeout of the new user (or 0 if the user is not locked out). * * @param userId A non-negative user identifier that must be unique and * persistent for a given user. * @param storePath absolute filesystem path to the template storage * directory. This must be the /data/vendor_de/<user>/facedata * directory specified by the SeLinux policy. */ @callflow(next={"authenticate", "generateChallenge", "enumerate", "remove"}) setActiveUser(int32_t userId, string storePath) generates (Status status); /** * Begins a secure transaction request, e.g. enroll() or resetLockout(). * * Generates a unique and cryptographically secure random token used to * indicate the start of a secure transaction. generateChallenge() and * revokeChallenge() specify a window where the resulting HAT that is * generated in response to checking the user's PIN/pattern/password * can be used to verify/perform a secure transaction. * * generateChallenge() generates a challenge which must then be wrapped by * gatekeeper after verifying a successful strong authentication attempt, * which generates a Hardware Authentication Token. The challenge prevents * spoofing and replay attacks and ensures that only a transaction backed * by a user authentication (PIN/pattern/password) can proceed. * * The implementation should be tolerant of revokeChallenge() being invoked * after timeout has expired. * * @param challengeTimeoutSec A timeout in seconds, after which the driver * must invalidate the challenge. This is to prevent bugs or crashes in * the system from leaving a challenge enabled indefinitely. * @return result, with its "value" parameter representing a "challenge": a * unique and cryptographically secure random token. */ @callflow(next={"enroll", "revokeChallenge", "setFeature"}) generateChallenge(uint32_t challengeTimeoutSec) generates (OptionalUint64 result); /** * Enrolls a user's face. * * Note that the Hardware Authentication Token must be valid for the * duration of enrollment and thus should be explicitly invalidated by a * call to revokeChallenge() when enrollment is complete, to reduce the * window of opportunity to re-use the challenge and HAT. For example, * Settings calls generateChallenge() once to allow the user to enroll one * or more faces or toggle secure settings without having to re-enter the * PIN/pattern/password. Once the user completes the operation, Settings * invokes revokeChallenge() to close the transaction. If the HAT is expired, * the implementation must invoke onError with UNABLE_TO_PROCESS. * * This method triggers the IBiometricsFaceClientCallback#onEnrollResult() * method. * * @param hat A valid Hardware Authentication Token, generated as a result * of a generateChallenge() challenge being wrapped by the gatekeeper * after a successful strong authentication request. * @param timeoutSec A timeout in seconds, after which this enroll * attempt is cancelled. Note that the framework can continue * enrollment by calling this again with a valid HAT. This timeout is * expected to be used to limit power usage if the device becomes idle * during enrollment. The implementation is expected to send * ERROR_TIMEOUT if this happens. * @param disabledFeatures A list of features to be disabled during * enrollment. Note that all features are enabled by default. * @return status The status of this method call. */ @callflow(next={"cancel", "enroll", "revokeChallenge", "remove"}) enroll(vec<uint8_t> hat, uint32_t timeoutSec, vec<Feature> disabledFeatures) generates (Status status); /** * Finishes the secure transaction by invalidating the challenge generated * by generateChallenge(). * * Clients must call this method once the secure transaction (e.g. enroll * or setFeature) is completed. See generateChallenge(). * * @return status The status of this method call. */ @callflow(next={"authenticate", "setActiveUser", "enumerate", "remove"}) revokeChallenge() generates (Status status); /** * Changes the state of previous enrollment setting. Because this may * decrease security, the user must enter their password before this method * is invoked (see @param HAT). The driver must verify the HAT before * changing any feature state. This method must return ILLEGAL_ARGUMENT if * the HAT or faceId is invalid. This must only be invoked after * setActiveUser() is called. * * Note: In some cases it may not be possible to change the state of this * flag without re-enrolling. For example, if the user didn't provide * attention during the original enrollment. This flag reflects the same * persistent state as the one passed to enroll(). * * Note: This call may block for a short amount of time (few hundred * milliseconds). Clients are expected to invoke this asynchronously if it * takes much longer than the above limit. Also note that the result is * returned solely through Status (and not onError). * * @param feature The feature to be enabled or disabled. * @param enabled True to enable the feature, false to disable. * @param hat A valid Hardware Authentication Token, generated as a result * of getChallenge(). * @param faceId the ID of the enrollment returned by onEnrollResult() for * the feature to update. * @return status The status of this method call. */ setFeature(Feature feature, bool enabled, vec<uint8_t> hat, uint32_t faceId) generates(Status status); /** * Retrieves the current state of the feature. If the faceId is invalid, * the implementation must return ILLEGAL_ARGUMENT. * * @param faceId the ID of the enrollment returned by enroll(). * @return result with the value set to true if the feature is enabled, * false if disabled. */ getFeature(Feature feature, uint32_t faceId) generates (OptionalBool result); /** * Returns an identifier associated with the current face set. * * The authenticator ID must change whenever a new face is enrolled. The * authenticator ID must not be changed when a face is deleted. The * authenticator ID must be an entropy-encoded random number which all * current templates are tied to. The authenticator ID must be immutable * outside of an active enrollment window to prevent replay attacks. * * @return result, with its value parameter representing an * "authenticatorId": an identifier associated to the user's current * face enrollment. */ @callflow(next={"authenticate"}) getAuthenticatorId() generates (OptionalUint64 result); /** * Cancels the current enroll, authenticate, remove, or enumerate operation. * * @return status The status of this method call. */ @callflow(next={"authenticate", "enroll", "enumerate", "remove", "setActiveUser"}) cancel() generates (Status status); /** * Enumerates all face templates associated with the active user. * * The onEnumerate() callback method is invoked once for each face template * found. * * @return status The status of this method call. */ @callflow(next={"remove", "enroll", "authenticate", "setActiveUser"}) enumerate() generates (Status status); /** * Removes a face template or all face templates associated with the active * user. * * This method triggers the IBiometricsFaceClientCallback#onRemoved() method. * * @param faceId The id correpsonding to the face to be removed; or 0 if all * faces are to be removed. * @return status The status of this method call. */ @callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId", "setActiveUser"}) remove(uint32_t faceId) generates (Status status); /** * Authenticates the active user. * * An optional operationId can be specified as a token from the transaction * being authorized. The hardware may enter a standby state during * authentication, where the device is idle to conserve power while * authenticating, e.g. after 3 seconds without finding a face. See * IBiometricsFace#userActivity() for more info. * * @param operationId A non-zero operation id associated with a crypto * object instance; or 0 if not being used. * @return status The status of this method call. */ @callflow(next={"cancel", "generateChallenge", "remove"}) authenticate(uint64_t operationId) generates (Status status); /** * A hint to the HAL to continue looking for faces. * * This method should only be used when the HAL is in the authenticating * or standby state. Using this method when the HAL is not in one of the * mentioned states must return OPERATION_NOT_SUPPORTED. Calling this * method while the HAL is already authenticating may extend the duration * where it's looking for a face. * * @return status The status of this method call. */ userActivity() generates (Status status); /** * Reset lockout for the current user. * * Note: This call may block for a short amount of time (few hundred * milliseconds). Clients are expected to invoke this asynchronously if it * takes much longer than the above limit. * * @param hat A valid Hardware Authentication Token, generated when the * user authenticates with PIN/pattern/pass. When the Hardware * Authentication Token is verified, lockout must be reset and * onLockoutChanged must be called with duration 0. * @return status The status of this method call. */ resetLockout(vec<uint8_t> hat) generates (Status status); };