platform_hardware_interfaces/biometrics/face/1.0/IBiometricsFace.hal
Kevin Chyn ba9ec8795a Add IBiometricsFace#userActivity
Fixes: 116821097

Test: builds
Change-Id: I88363e186a41ce65665122606b357c7d31d8c18d
2018-10-03 18:16:30 -07:00

252 lines
11 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.hardware.biometrics.face@1.0;
import IBiometricsFaceClientCallback;
// TODO(b/78538290): Update comments with state machine transitions when ready.
// TODO(b/78537981): Update comments with callback interaction contract.
// TODO(b/79496983): Update comments with status returns fully enumerated.
/**
* The HAL interface for biometric face authentication.
*/
interface IBiometricsFace {
/**
* Sets the current client callback.
*
* Registers a user function that must receive notifications from the HAL.
* There is usually only one client (FaceService). This call must block
* if the HAL state machine is in busy state until the HAL leaves the
* busy state.
*
* All callback methods pass a deviceId to differentiate callback
* invocations in the case where multiple sensors exist.
*
* @param clientCallback The client defined callback to register.
* @return result, with its "value" parameter representing a "deviceId",
* which must be unique for a given sensor.
*/
@callflow(next={"setActiveUser"})
@entry
setCallback(IBiometricsFaceClientCallback clientCallback)
generates (OptionalUint64 result);
/**
* Sets the active user, which all subsequent HAL operations are applied to.
*
* HAL service implementors must ensure that operations are restricted to
* the given user. Clients must not call any part of this interface, except
* for setCallback(), without first having set an active user. The
* implementation is responsible for cancelling the current operation and
* returning to the idle state. Calling this method with the same userId
* should have no effect on the state machine.
*
* @param userId A non-negative user identifier that must be unique and
* persistent for a given user.
* @param storePath filesystem path to the template storage directory.
*/
@callflow(next={"authenticate", "generateChallenge", "enumerate", "remove"})
setActiveUser(int32_t userId, string storePath) generates (Status status);
/**
* Begins a secure transaction request, e.g. enrollment.
*
* Generates a unique and cryptographically secure random token used to
* indicate the start of a secure transaction. generateChallenge() and
* revokeChallenge() specify a pin/pattern/password cleared time window where
* the secure transaction is allowed.
*
* generateChallenge() generates a challenge which must then be wrapped by the
* gatekeeper after verifying a successful strong authentication attempt,
* which generates a Hardware Authentication Token. The challenge prevents
* spoofing and replay attacks and ensures that we only update a users face
* template if the operation was preceded by some kind of strong credential
* confirmation (e.g. device password).
*
* @param challengeTimeoutSec A timeout in seconds, after which the driver
* must invalidate the challenge. This is to prevent bugs or crashes in
* the system from leaving a challenge enabled indefinitely.
* @return result, with its "value" parameter representing a "challenge": a
* unique and cryptographically secure random token.
*/
@callflow(next={"enroll", "revokeChallenge", "setRequireAttention"})
generateChallenge(uint32_t challengeTimeoutSec)
generates (OptionalUint64 result);
/**
* Enrolls a user's face.
*
* Note that this interface permits implementations where multiple faces can
* be enrolled for a single user. However, allowing multiple faces to be
* enrolled can be a severe security vulnerability and hence, most
* implementations must ensure that only a single face be enrolled at a
* given time. Multi-enrollment must only be used where there is a clear
* necessity for a shared use case, e.g. TVs or cars.
*
* Note that the Hardware Authentication Token must still be valid after
* this call, and must be explicitly invalidated by a call to
* revokeChallenge(). This allows clients to immediately reattempt
* enrollment (for example, if a user wasnt satisfied with their enrollment)
* without having to go through another strong authentication flow.
*
* This method triggers the IBiometricsFaceClientCallback#onEnrollResult()
* method.
*
* @param hat A valid Hardware Authentication Token, generated as a result
* of a generateChallenge() challenge being wrapped by the gatekeeper
* after a sucessful strong authentication request.
* @param timeoutSec A timeout in seconds, after which this enrollment
* attempt is cancelled. Note that the client still needs to
* call revokeChallenge() to terminate the enrollment session.
* @param requireAttention When set to true, requires user attention (e.g.
* eyes open and looking at the device) for enrollment to complete, as
* well as subsequent authentication. This is expected to be enabled by
* default to improve security and decrease falsing (unintentional face
* detection). This feature can be disabled at the user's request
* during enrollment, e.g. for accessibility reasons. When enabled,
* the FaceAcquiredInfo#POOR_GAZE message must be sent when the user's
* attention has not been established. The UI should inform the user
* to look at the device.
* @return status The status of this method call.
*/
@callflow(next={"cancel", "enroll", "revokeChallenge", "remove"})
enroll(vec<uint8_t> hat, uint32_t timeoutSec, bool requireAttention)
generates (Status status);
/**
* Finishes the secure transaction by invalidating the challenge generated
* by generateChallenge().
*
* Clients must call this method once enrollment is complete, and the user's
* face template no longer needs to be updated.
*
* @return status The status of this method call.
*/
@callflow(next={"authenticate", "setActiveUser", "enumerate", "remove"})
revokeChallenge() generates (Status status);
/**
* Requires that all subsequent authenticate calls to first have the
* user's attention. This method does not affect enroll, which has its
* own requireAttention parameter.
*
* Changes the state of previous enrollment setting. Because this may
* decrease security, the user must enter their password before this method
* is invoked (see @param HAT). The driver must verify the HAT before
* changing the requireAttention state.
* Note: In some cases it may not be possible to change the state of this
* flag without re-enrolling. For example, if the user didn't provide
* attention during the original enrollment. This flag reflects the same
* persistent state as the one passed to enroll().
*
* @param requireAttention When set to true, requires user attention for
* authentication to succeed.
* @param hat A valid Hardware Authentication Token, generated as a result
* of getChallenge().
* @return status The status of this method call.
*/
setRequireAttention(bool requireAttention, vec<uint8_t> hat)
generates(Status status);
/**
* Retrieves the current requireAttention state.
*
* @return result, with its value parameter representing the current
* requireAttention state.
*/
getRequireAttention(vec<uint8_t> hat) generates (OptionalBool result);
/**
* Returns an identifier associated with the current face set.
*
* The authenticator ID must change whenever a new face is enrolled. The
* authenticator ID must not be changed when a face is deleted. The
* authenticator ID must be an entropy-encoded random number which all
* current templates are tied to. The authenticator ID must be immutable
* outside of an active enrollment window to prevent replay attacks.
*
* @return result, with its value parameter representing an
* "authenticatorId": an identifier associated to the user's current
* face enrollment.
*/
@callflow(next={"authenticate"})
getAuthenticatorId() generates (OptionalUint64 result);
/**
* Cancels a pending enrollment or authentication request.
*
* @return status The status of this method call.
*/
@callflow(next={"authenticate", "enroll", "enumerate", "remove",
"setActiveUser"})
cancel() generates (Status status);
/**
* Enumerates all face templates associated with the active user.
*
* The onEnumerate() callback method is invoked once for each face template
* found.
*
* @return status The status of this method call.
*/
@callflow(next={"remove", "enroll", "authenticate", "setActiveUser"})
enumerate() generates (Status status);
/**
* Removes a face template or all face templates associated with the active
* user.
*
* This method triggers the IBiometricsFaceClientCallback#onRemoved() method.
*
* @param faceId The id correpsonding to the face to be removed; or 0 if all
* faces are to be removed.
* @return status The status of this method call.
*/
@callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId",
"setActiveUser"})
remove(uint32_t faceId) generates (Status status);
/**
* Authenticates the active user.
*
* An optional operationId can be specified as a token from the transaction
* being authorized. The hardware may enter a standby state during
* authentication, where the device is idle to conserve power while
* authenticating, e.g. after 3 seconds without finding a face. See
* IBiometricsFace#userActivity() for more info.
*
* @param operationId A non-zero operation id associated with a crypto
* object instance; or 0 if not being used.
* @return status The status of this method call.
*/
@callflow(next={"cancel", "generateChallenge", "remove"})
authenticate(uint64_t operationId) generates (Status status);
/**
* A hint to the HAL to continue looking for faces.
*
* This method should only be used when the HAL is in the authenticating
* or standby state. Using this method when the HAL is not in one of the
* mentioned states must return OPERATION_NOT_SUPPORTED. Calling this
* method while the HAL is already authenticating may extend the duration
* where it's looking for a face.
*
* @return status The status of this method call.
*/
userActivity() generates (Status status);
};