/* * Copyright (C) 2017 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.hardware.biometrics.fingerprint@2.1; import IBiometricsFingerprintClientCallback; interface IBiometricsFingerprint { /** * Set notification callback: * Registers a user function that must receive notifications from the HAL * This call must block if the HAL state machine is in busy state until HAL * leaves the busy state. * * @return deviceId is a unique handle for this fingerprint device */ @callflow(next={"setActiveGroup"}) @entry setNotify(IBiometricsFingerprintClientCallback clientCallback) generates (uint64_t deviceId); /** * Fingerprint pre-enroll enroll request: * Generates a unique token to upper layers to indicate the start of * an enrollment transaction. pre-enroll and post-enroll specify * a pin/password cleared time window where enrollment is allowed. * Pre-enroll only generates a challenge, a full hardwareAuthToken is * generated by trustzone after verifying a pin/password/swipe. This is to * ensure adding a new fingerprint template was preceded by some kind of * credential confirmation (e.g. device password). * * @return 0 if function failed, a uint64_t of challenge otherwise. */ @callflow(next={"enroll", "postEnroll"}) preEnroll() generates (uint64_t authChallenge); /** * Fingerprint enroll request: * Switches the HAL state machine to collect and store a new fingerprint * template. Switches back as soon as enroll is complete, signalled by * (fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENROLLING && * fingerprintMsg.data.enroll.samplesRemaining == 0) * or after timeoutSec seconds. * The fingerprint template must be assigned to the group gid. * * @param hat a valid Hardware Authentication Token (HAT), generated * as a result of a preEnroll() call. * @param gid a framework defined fingerprint set (group) id. * @param timeoutSec a timeout in seconds. * * @return debugErrno is a value the framework logs in case it is not 0. * * A notify() function may be called with a more detailed error structure. */ @callflow(next={"cancel", "enroll", "postEnroll", "remove"}) enroll(uint8_t[69] hat, uint32_t gid, uint32_t timeoutSec) generates (RequestStatus debugErrno); /** * Finishes the enroll operation and invalidates the preEnroll() generated * challenge. This must be called at the end of a multi-finger enrollment * session to indicate that no more fingers may be added. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"authenticate", "setActiveGroup", "enumerate", "remove"}) postEnroll() generates (RequestStatus debugErrno); /** * getAuthenticatorId: * Returns a token associated with the current fingerprint set. This value * must change whenever a new fingerprint is enrolled, thus creating a new * fingerprint set. * * @return getAuthenticatorIdRet current authenticator id, 0 if function * failed. */ @callflow(next={"authenticate"}) getAuthenticatorId() generates (uint64_t AuthenticatorId); /** * Cancel pending enroll or authenticate, sending FINGERPRINT_ERROR_CANCELED * to all running clients. Switches the HAL state machine back to the idle * state. Unlike enrollDone() doesn't invalidate the preEnroll() challenge. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"authenticate", "enroll", "enumerate", "remove", "setActiveGroup"}) cancel() generates (RequestStatus debugErrno); /** * Enumerate all the fingerprint templates found in the directory set by * setActiveGroup(): * For each template found a notify() must be called with: * fingerprintMsg.type == FINGERPRINT_TEMPLATE_ENUMERATED * fingerprintMsg.data.enumerated.finger indicating a template id * fingerprintMsg.data.enumerated.remainingTemplates indicating how many more * enumeration messages to expect. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"remove", "enroll", "authenticate", "setActiveGroup"}) enumerate() generates (RequestStatus debugErrno); /** * Fingerprint remove request: * Deletes fingerprint template(s). * Works only within the path set by setActiveGroup(). * For each template found a notify() must be called with: * fingerprintMsg.type == FINGERPRINT_TEMPLATE_REMOVED * fingerprintMsg.data.removed.finger indicating the template id deleted * fingerprintMsg.data.removed.remainingTemplates indicating how many more * templates must be deleted by this operation. * * @param gid group id must match the last group set by setActiveGroup(). * @param fid template id to delete or 0 to delete all templates within the * current group. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId", "setActiveGroup"}) remove(uint32_t gid, uint32_t fid) generates (RequestStatus debugErrno); /** * Restricts the HAL operation to a set of fingerprints belonging to a group * provided. The caller must provide a path to a storage location within the * user's data directory. * * @param gid the fingerprint group (set) id. * @param storePath filesystem path to the template storage directory. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"authenticate", "preEnroll", "enumerate", "remove"}) setActiveGroup(uint32_t gid, string storePath) generates (RequestStatus debugErrno); /** * Authenticates an operation identified by operationId * * @param operationId operation id. * @param gid fingerprint group id. * * @return debugErrno is a value the framework logs in case it is not 0. */ @callflow(next={"cancel", "preEnroll", "remove"}) authenticate(uint64_t operationId, uint32_t gid) generates (RequestStatus debugErrno); };