biometrics/fingerprint/2.1/IBiometricsFingerprint.hal

/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.hardware.biometrics.fingerprint@2.1;

import IBiometricsFingerprintClientCallback;

interface IBiometricsFingerprint {
  /**
   * Set notification callback:
   * Registers a user function that must receive notifications from the HAL
   * This call must block if the HAL state machine is in busy state until HAL
   * leaves the busy state.
   *
   * @return deviceId is a unique handle for this fingerprint device
   */
  @callflow(next={"setActiveGroup"})
  @entry
  setNotify(IBiometricsFingerprintClientCallback clientCallback)
      generates (uint64_t deviceId);

  /**
   * Fingerprint pre-enroll enroll request:
   * Generates a unique token to upper layers to indicate the start of
   * an enrollment transaction. pre-enroll and post-enroll specify
   * a pin/password cleared time window where enrollment is allowed.
   * Pre-enroll only generates a challenge, a full hardwareAuthToken is
   * generated by trustzone after verifying a pin/password/swipe. This is to
   * ensure adding a new fingerprint template was preceded by some kind of
   * credential confirmation (e.g. device password).
   *
   * @return 0 if function failed, a uint64_t of challenge otherwise.
   */
  @callflow(next={"enroll", "postEnroll"})
  preEnroll() generates (uint64_t authChallenge);

  /**
   * Fingerprint enroll request:
   * Switches the HAL state machine to collect and store a new fingerprint
   * template. Switches back as soon as enroll is complete, signalled by
   * (fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENROLLING &&
   *  fingerprintMsg.data.enroll.samplesRemaining == 0)
   * or after timeoutSec seconds.
   * The fingerprint template must be assigned to the group gid.
   *
   * @param hat a valid Hardware Authentication Token (HAT), generated
   * as a result of a preEnroll() call.
   * @param gid a framework defined fingerprint set (group) id.
   * @param timeoutSec a timeout in seconds.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   *
   * A notify() function may be called with a more detailed error structure.
   */
  @callflow(next={"cancel", "enroll", "postEnroll", "remove"})
  enroll(uint8_t[69] hat, uint32_t gid, uint32_t timeoutSec)
      generates (RequestStatus debugErrno);

  /**
   * Finishes the enroll operation and invalidates the preEnroll() generated
   * challenge. This must be called at the end of a multi-finger enrollment
   * session to indicate that no more fingers may be added.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"authenticate", "setActiveGroup", "enumerate", "remove"})
  postEnroll() generates (RequestStatus debugErrno);

  /**
   * getAuthenticatorId:
   * Returns a token associated with the current fingerprint set. This value
   * must change whenever a new fingerprint is enrolled, thus creating a new
   * fingerprint set.
   *
   * @return getAuthenticatorIdRet current authenticator id, 0 if function
   * failed.
   */
  @callflow(next={"authenticate"})
  getAuthenticatorId() generates (uint64_t AuthenticatorId);

  /**
   * Cancel pending enroll or authenticate, sending FINGERPRINT_ERROR_CANCELED
   * to all running clients. Switches the HAL state machine back to the idle
   * state. Unlike enrollDone() doesn't invalidate the preEnroll() challenge.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"authenticate", "enroll", "enumerate", "remove",
    "setActiveGroup"})
  cancel() generates (RequestStatus debugErrno);

  /**
   * Enumerate all the fingerprint templates found in the directory set by
   * setActiveGroup():
   * For each template found a notify() must be called with:
   * fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENUMERATED
   * fingerprintMsg.data.enumerated.finger indicating a template id
   * fingerprintMsg.data.enumerated.remainingTemplates indicating how many more
   * enumeration messages to expect.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"remove", "enroll", "authenticate", "setActiveGroup"})
  enumerate() generates (RequestStatus debugErrno);

  /**
   * Fingerprint remove request:
   * Deletes fingerprint template(s).
   * Works only within the path set by setActiveGroup().
   * For each template found a notify() must be called with:
   * fingerprintMsg.type == FINGERPRINT_TEMPLATE_REMOVED
   * fingerprintMsg.data.removed.finger indicating the template id deleted
   * fingerprintMsg.data.removed.remainingTemplates indicating how many more
   * templates must be deleted by this operation.
   *
   * @param gid group id must match the last group set by setActiveGroup().
   * @param fid template id to delete or 0 to delete all templates within the
   * current group.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId",
    "setActiveGroup"})
  remove(uint32_t gid, uint32_t fid) generates (RequestStatus debugErrno);

  /**
   * Restricts the HAL operation to a set of fingerprints belonging to a group
   * provided. The caller must provide a path to a storage location within the
   * user's data directory.
   *
   * @param gid the fingerprint group (set) id.
   * @param storePath filesystem path to the template storage directory.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"authenticate", "preEnroll", "enumerate", "remove"})
  setActiveGroup(uint32_t gid, string storePath)
      generates (RequestStatus debugErrno);

  /**
   * Authenticates an operation identified by operationId
   *
   * @param operationId operation id.
   * @param gid fingerprint group id.
   *
   * @return debugErrno is a value the framework logs in case it is not 0.
   */
  @callflow(next={"cancel", "preEnroll", "remove"})
  authenticate(uint64_t operationId, uint32_t gid)
      generates (RequestStatus debugErrno);
};