| Sasha Levitskiy | 7bceb23 | 2016-09-02 11:27:42 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.hardware.biometrics.fingerprint@2.1; |
| 18 | |
| 19 | interface IBiometricsFingerprint { |
| 20 | /* |
| 21 | * Fingerprint pre-enroll enroll request: |
| 22 | * Generates a unique token to upper layers to indicate the start of |
| 23 | * an enrollment transaction. pre-enroll and post-enroll specify |
| 24 | * a pin/password cleared time window where enrollment is allowed. |
| 25 | * Pre-enroll only generates a challenge, a full hardwareAuthToken is |
| 26 | * generated by trustzone after verifying a pin/password/swipe. This is to |
| 27 | * ensure adding a new fingerprint template was preceded by some kind of |
| 28 | * credential confirmation (e.g. device password). |
| 29 | * |
| 30 | * @return 0 if function failed, a uint64_t of challenge otherwise. |
| 31 | */ |
| 32 | @callflow(next={"enroll", "postEnroll"}) |
| 33 | preEnroll() generates (uint64_t authChallenge); |
| 34 | |
| 35 | /* |
| 36 | * Fingerprint enroll request: |
| 37 | * Switches the HAL state machine to collect and store a new fingerprint |
| 38 | * template. Switches back as soon as enroll is complete, signalled by |
| 39 | * (fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENROLLING && |
| 40 | * fingerprintMsg.data.enroll.samplesRemaining == 0) |
| 41 | * or after timeoutSec seconds. |
| 42 | * The fingerprint template must be assigned to the group gid. |
| 43 | * |
| 44 | * @param hat a valid Hardware Authentication Token (HAT), generated |
| 45 | * as a result of a preEnroll() call. |
| 46 | * @param gid a framework defined fingerprint set (group) id. |
| 47 | * @param timeoutSec a timeout in seconds. |
| 48 | * |
| 49 | * @return isOk indicates if the request is accepted. |
| 50 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 51 | * |
| 52 | * A notify() function may be called with a more detailed error structure. |
| 53 | */ |
| 54 | @callflow(next={"cancel", "enroll", "postEnroll", "remove"}) |
| 55 | enroll(HwAuthToken hat, uint32_t gid, uint32_t timeoutSec) |
| 56 | generates (bool isOk, int32_t debugErrno); |
| 57 | |
| 58 | /* |
| 59 | * Finishes the enroll operation and invalidates the preEnroll() generated |
| 60 | * challenge. This must be called at the end of a multi-finger enrollment |
| 61 | * session to indicate that no more fingers may be added. |
| 62 | * |
| 63 | * @return isOk indicates if the request is accepted. |
| 64 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 65 | */ |
| 66 | @callflow(next={"authenticate", "setActiveGroup", "enumerate", "remove"}) |
| 67 | postEnroll() generates (bool isOk, int32_t debugErrno); |
| 68 | |
| 69 | /* |
| 70 | * getAuthenticatorId: |
| 71 | * Returns a token associated with the current fingerprint set. This value |
| 72 | * must change whenever a new fingerprint is enrolled, thus creating a new |
| 73 | * fingerprint set. |
| 74 | * |
| 75 | * @return getAuthenticatorIdRet current authenticator id, 0 if function |
| 76 | * failed. |
| 77 | */ |
| 78 | @callflow(next={"authenticate"}) |
| 79 | getAuthenticatorId() generates (uint64_t AuthenticatorId); |
| 80 | |
| 81 | /* |
| 82 | * Cancel pending enroll or authenticate, sending FINGERPRINT_ERROR_CANCELED |
| 83 | * to all running clients. Switches the HAL state machine back to the idle |
| 84 | * state. Unlike enrollDone() doesn't invalidate the preEnroll() challenge. |
| 85 | * |
| 86 | * @return isOk indicates if the request is accepted. |
| 87 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 88 | */ |
| 89 | @callflow(next={"authenticate", "enroll", "enumerate", "remove", |
| 90 | "setActiveGroup"}) |
| 91 | cancel() generates (bool isOk, int32_t debugErrno); |
| 92 | |
| 93 | /* |
| 94 | * Enumerate all the fingerprint templates found in the directory set by |
| 95 | * setActiveGroup(): |
| 96 | * For each template found a notify() must be called with: |
| 97 | * fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENUMERATED |
| 98 | * fingerprintMsg.data.enumerated.finger indicating a template id |
| 99 | * fingerprintMsg.data.enumerated.remainingTemplates indicating how many more |
| 100 | * enumeration messages to expect. |
| 101 | * |
| 102 | * @return isOk indicates if the request is accepted. |
| 103 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 104 | */ |
| 105 | @callflow(next={"remove", "enroll", "authenticate", "setActiveGroup"}) |
| 106 | enumerate() generates (bool isOk, int32_t debugErrno); |
| 107 | |
| 108 | /* |
| 109 | * Fingerprint remove request: |
| 110 | * Deletes fingerprint template(s). |
| 111 | * Works only within the path set by setActiveGroup(). |
| 112 | * For each template found a notify() must be called with: |
| 113 | * fingerprintMsg.type == FINGERPRINT_TEMPLATE_REMOVED |
| 114 | * fingerprintMsg.data.removed.finger indicating the template id deleted |
| 115 | * fingerprintMsg.data.removed.remainingTemplates indicating how many more |
| 116 | * templates must be deleted by this operation. |
| 117 | * |
| 118 | * @param gid group id must match the last group set by setActiveGroup(). |
| 119 | * @param fid template id to delete or 0 to delete all templates within the |
| 120 | * current group. |
| 121 | * |
| 122 | * @return isOk indicates if the request is accepted. |
| 123 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 124 | */ |
| 125 | @callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId", |
| 126 | "setActiveGroup"}) |
| 127 | remove(uint32_t gid, uint32_t fid) generates (bool isOk, int32_t debugErrno); |
| 128 | |
| 129 | /* |
| 130 | * Restricts the HAL operation to a set of fingerprints belonging to a group |
| 131 | * provided. The caller must provide a path to a storage location within the |
| 132 | * user's data directory. |
| 133 | * |
| 134 | * @param gid the fingerprint group (set) id. |
| 135 | * @param storePath filesystem path to the template storage directory. |
| 136 | * |
| 137 | * @return isOk indicates if the request is accepted. |
| 138 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 139 | */ |
| 140 | @callflow(next={"authenticate", "preEnroll", "enumerate", "remove"}) |
| 141 | @entry |
| 142 | setActiveGroup(uint32_t gid, string storePath) |
| 143 | generates (bool isOk, int32_t debugErrno); |
| 144 | |
| 145 | /* |
| Sasha Levitskiy | 2ef9f66 | 2016-10-21 11:01:34 -0700 | [diff] [blame^] | 146 | * Authenticates an operation identified by operationId |
| Sasha Levitskiy | 7bceb23 | 2016-09-02 11:27:42 -0700 | [diff] [blame] | 147 | * |
| 148 | * @param operationId operation id. |
| 149 | * @param gid fingerprint group id. |
| 150 | * |
| 151 | * @return isOk indicates if the request is accepted. |
| 152 | * @return debugErrno is a value the framework logs in case isOk == false. |
| 153 | */ |
| 154 | @callflow(next={"cancel", "preEnroll", "remove"}) |
| 155 | authenticate(uint64_t operationId, uint32_t gid) |
| 156 | generates (bool isOk, int32_t debugErrno); |
| 157 | }; |