Merge "WIFI: Set MAC address for bridged interface" into sc-dev
diff --git a/audio/common/7.0/enums/include/android_audio_policy_configuration_V7_0-enums.h b/audio/common/7.0/enums/include/android_audio_policy_configuration_V7_0-enums.h
index a92a277..79243b6 100644
--- a/audio/common/7.0/enums/include/android_audio_policy_configuration_V7_0-enums.h
+++ b/audio/common/7.0/enums/include/android_audio_policy_configuration_V7_0-enums.h
@@ -225,6 +225,14 @@
return isTelephonyDevice(stringToAudioDevice(device));
}
+static inline bool isEchoReferenceDevice(AudioDevice device) {
+ return device == AudioDevice::AUDIO_DEVICE_IN_ECHO_REFERENCE;
+}
+
+static inline bool isEchoReferenceDevice(const std::string& device) {
+ return isEchoReferenceDevice(stringToAudioDevice(device));
+}
+
static inline bool maybeVendorExtension(const std::string& s) {
// Only checks whether the string starts with the "vendor prefix".
static const std::string vendorPrefix = "VX_";
diff --git a/audio/core/all-versions/vts/functional/7.0/AudioPrimaryHidlHalTest.cpp b/audio/core/all-versions/vts/functional/7.0/AudioPrimaryHidlHalTest.cpp
index 0b3098b..79ac295 100644
--- a/audio/core/all-versions/vts/functional/7.0/AudioPrimaryHidlHalTest.cpp
+++ b/audio/core/all-versions/vts/functional/7.0/AudioPrimaryHidlHalTest.cpp
@@ -710,7 +710,8 @@
// Returning 'true' when no source is found so the test can fail later with a more clear
// problem description.
return !maybeSourceAddress.has_value() ||
- !xsd::isTelephonyDevice(maybeSourceAddress.value().deviceType);
+ !(xsd::isTelephonyDevice(maybeSourceAddress.value().deviceType) ||
+ xsd::isEchoReferenceDevice(maybeSourceAddress.value().deviceType));
}
void createPatchIfNeeded() {
diff --git a/biometrics/face/aidl/android/hardware/biometrics/face/EnrollmentType.aidl b/biometrics/face/aidl/android/hardware/biometrics/face/EnrollmentType.aidl
index d7f3175..c960933 100644
--- a/biometrics/face/aidl/android/hardware/biometrics/face/EnrollmentType.aidl
+++ b/biometrics/face/aidl/android/hardware/biometrics/face/EnrollmentType.aidl
@@ -19,6 +19,15 @@
@VintfStability
@Backing(type="byte")
enum EnrollmentType {
+ /**
+ * Default enrollment type.
+ */
DEFAULT,
+
+ /**
+ * Enrollment type for people with limited vision or mobility. For example,
+ * enrollment of this type will not ask the user to move their head or
+ * look directly at the device.
+ */
ACCESSIBILITY,
}
diff --git a/biometrics/face/aidl/android/hardware/biometrics/face/FaceSensorType.aidl b/biometrics/face/aidl/android/hardware/biometrics/face/FaceSensorType.aidl
index 57f39d4..a5ed2e8 100644
--- a/biometrics/face/aidl/android/hardware/biometrics/face/FaceSensorType.aidl
+++ b/biometrics/face/aidl/android/hardware/biometrics/face/FaceSensorType.aidl
@@ -16,4 +16,23 @@
package android.hardware.biometrics.face;
-@VintfStability @Backing(type="byte") enum FaceSensorType { UNKNOWN, RGB, IR }
+@VintfStability
+@Backing(type="byte")
+enum FaceSensorType {
+ /**
+ * Placeholder value used for default initialization of FaceSensorType.
+ * This value means FaceSensorType wasn't explicitly initialized and must
+ * be discarded by the recipient.
+ */
+ UNKNOWN,
+
+ /**
+ * The face sensor is an RGB camera.
+ */
+ RGB,
+
+ /**
+ * The face sensor is an infrared camera.
+ */
+ IR,
+}
diff --git a/biometrics/face/aidl/android/hardware/biometrics/face/IFace.aidl b/biometrics/face/aidl/android/hardware/biometrics/face/IFace.aidl
index 11cdf77..4d7e59e 100644
--- a/biometrics/face/aidl/android/hardware/biometrics/face/IFace.aidl
+++ b/biometrics/face/aidl/android/hardware/biometrics/face/IFace.aidl
@@ -25,28 +25,30 @@
/**
* getSensorProps:
*
- * @return A list of properties for all face sensors available to the HAL.
+ * @return A list of properties for all of the face sensors supported by the HAL.
*/
SensorProps[] getSensorProps();
/**
* createSession:
*
- * Creates a session that can be used by the framework to perform operations such as
- * enroll, authenticate, etc. for the given sensorId and userId.
+ * Creates an instance of ISession that can be used by the framework to perform operations such
+ * as ISession#enroll, ISession#authenticate, etc. for the given sensorId and userId.
*
- * Calling this method while there is an active session is considered an error. If the
- * framework is in a bad state and for some reason cannot close its session, it should use
- * the reset method below.
+ * Calling this method while there is an active session is considered an error. If the framework
+ * wants to create a new session when it already has an active session, it must first cancel the
+ * current operation if it's cancellable or wait until it completes. Then, the framework must
+ * explicitly close the session with ISession#close. Once the framework receives
+ * ISessionCallback#onSessionClosed, a new session can be created.
*
* Implementations must store user-specific state or metadata in /data/vendor_de/<user>/facedata
* as specified by the SELinux policy. The directory /data/vendor_de is managed by vold (see
* vold_prepare_subdirs.cpp). Implementations may store additional user-specific data, such as
- * embeddings or templates in StrongBox.
+ * embeddings or templates, in StrongBox.
*
- * @param sensorId The sensorId with which this session is being created.
- * @param userId The userId with which this session is being created.
- * @param cb A callback to notify the framework about the session's results and events.
+ * @param sensorId The sensorId for which this session is being created.
+ * @param userId The userId for which this session is being created.
+ * @param cb A callback to notify the framework about the session's events.
* @return A new session.
*/
ISession createSession(in int sensorId, in int userId, in ISessionCallback cb);
diff --git a/biometrics/face/aidl/android/hardware/biometrics/face/ISession.aidl b/biometrics/face/aidl/android/hardware/biometrics/face/ISession.aidl
index a9a8c16..2a57e3a 100644
--- a/biometrics/face/aidl/android/hardware/biometrics/face/ISession.aidl
+++ b/biometrics/face/aidl/android/hardware/biometrics/face/ISession.aidl
@@ -24,13 +24,12 @@
import android.hardware.keymaster.HardwareAuthToken;
/**
- * Operations that can be performed for unique sessions retrieved via IFace#createSession.
* Operations defined within this interface can be divided into the following categories:
* 1) Cancellable operations. These are usually the operations that can execute for several
- * minutes. To allow for cancellation, they return an instance of ICancellationSignal that
- * lets the framework cancel them by calling ICancellationSignal#cancel. If such an operation
- * is cancelled, it must notify the framework by calling ISessionCallback#onError with
- * Error::CANCELED.
+ * minutes. To allow for cancellation, they return an instance of ICancellationSignal that
+ * lets the framework cancel them by calling ICancellationSignal#cancel. If such an operation
+ * is cancelled, it must notify the framework by calling ISessionCallback#onError with
+ * Error::CANCELED.
* 2) Non-cancellable operations. Such operations cannot be cancelled once started.
*
* The lifecycle of an operation ends when one of its terminal callbacks is called. For example,
@@ -83,15 +82,20 @@
* | 0 | 10 | <Time4> | <Random4> |
* ----------------------------------------------
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onChallengeGenerated
+ *
*/
void generateChallenge();
/**
* revokeChallenge:
*
- * Revokes a challenge that was previously generated. Note that if an invalid combination of
- * parameters is requested, the implementation must still notify the framework using the
- * provided callback.
+ * Revokes a challenge that was previously generated. Note that if a non-existent challenge is
+ * provided, the HAL must still notify the framework using ISessionCallback#onChallengeRevoked.
+ *
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onChallengeRevoked
*
* @param challenge Challenge that should be revoked.
*/
@@ -100,9 +104,9 @@
/**
* getEnrollmentConfig:
*
- * Returns the enrollment configuration depending on the provided enrollment type. Enrollment
- * configuration determines how many stages the enrollment will have and the requirements for
- * each of the stages.
+ * Returns the enrollment configuration for the provided enrollment type. Enrollment
+ * configuration determines how many stages the enrollment will have and the requirements
+ * for each of the stages.
*
* @param enrollmentType See the EnrollmentType enum.
* @return An EnrollmentStageConfig array that describes each enrollment stage.
@@ -117,22 +121,28 @@
* At any point during enrollment, if a non-recoverable error occurs, the HAL must notify the
* framework via ISessionCallback#onError with the applicable enrollment-specific error.
*
- * Before capturing face data, the implementation must first verify the authenticity and
- * integrity of the provided HardwareAuthToken. In addition, it must check that the challenge
- * within the provided HardwareAuthToken is valid. See ISession#generateChallenge. If any of
- * the above checks fail, the framework must be notified using ISessionCallback#onError with
- * Error::UNABLE_TO_PROCESS.
+ * Before capturing face data, the HAL must first verify the authenticity and integrity of the
+ * provided HardwareAuthToken. In addition, it must check that the challenge within the provided
+ * HardwareAuthToken is valid. See ISession#generateChallenge. If any of the above checks fail,
+ * the framework must be notified using ISessionCallback#onError with Error::UNABLE_TO_PROCESS.
*
- * During enrollment, the implementation may notify the framework via
- * ISessionCallback#onAcquired with messages that may be used to guide the user. This callback
- * can be invoked multiple times if necessary. Similarly, the framework may be notified of
- * enrollment progress changes via ISessionCallback#onEnrollmentProgress. Once the framework is
- * notified that there are 0 "remaining" steps, the framework may cache the "enrollmentId". See
+ * During enrollment, the HAL may notify the framework via ISessionCallback#onAcquired with
+ * messages that may be used to guide the user. This callback can be invoked multiple times if
+ * necessary. Similarly, the framework may be notified of enrollment progress changes via
+ * ISessionCallback#onEnrollmentProgress. Once the framework is notified that there are 0
+ * "remaining" steps, the framework may cache the "enrollmentId". See
* ISessionCallback#onEnrollmentProgress for more info.
*
* When a face is successfully added and before the framework is notified of remaining=0, the
- * implementation MUST update and associate this (sensorId, userId) pair with a new
- * entropy-encoded random identifier. See ISession#getAuthenticatorId for more information.
+ * HAL must update and associate this (sensorId, userId) pair with a new entropy-encoded random
+ * identifier. See ISession#getAuthenticatorId for more information.
+ *
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onEnrollmentProgress(enrollmentId, remaining=0)
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
*
* @param hat See above documentation.
* @param enrollmentType See the EnrollmentType enum.
@@ -154,15 +164,18 @@
* At any point during authentication, if a non-recoverable error occurs, the HAL must notify
* the framework via ISessionCallback#onError with the applicable authentication-specific error.
*
- * During authentication, the implementation may notify the framework via
- * ISessionCallback#onAcquired with messages that may be used to guide the user. This callback
- * can be invoked multiple times if necessary.
+ * During authentication, the HAL may notify the framework via ISessionCallback#onAcquired with
+ * messages that may be used to guide the user. This callback can be invoked multiple times if
+ * necessary.
*
- * The HAL must notify the framework of accepts/rejects via ISessionCallback#onAuthentication*.
+ * The HAL must notify the framework of accepts/rejects via
+ * ISessionCallback#onAuthenticationSucceeded and ISessionCallback#onAuthenticationFailed,
+ * correspondingly.
*
- * The authentication lifecycle ends when either
- * 1) A face is accepted, and ISessionCallback#onAuthenticationSucceeded is invoked, or
- * 2) Any non-recoverable error occurs (such as lockout). See the full list of
+ * The authentication lifecycle ends when any of the following happens:
+ * 1) A face is accepted, and ISessionCallback#onAuthenticationSucceeded is invoked.
+ * 2) A face is rejected, and ISessionCallback#onAuthenticationFailed is invoked.
+ * 3) Any non-recoverable error occurs (such as lockout). See the full list of
* authentication-specific errors in the Error enum.
*
* Note that upon successful authentication, the lockout counter for this (sensorId, userId)
@@ -174,16 +187,26 @@
* must be set with the operationId passed in during #authenticate. If the sensor is NOT
* SensorStrength::STRONG, the HardwareAuthToken MUST be null.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onAuthenticationSucceeded
+ * - ISessionCallback#onAuthenticationFailed
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
+ * - ISessionCallback#onLockoutTimed
+ * - ISessionCallback#onLockoutPermanent
+ *
* @param operationId For sensors configured as SensorStrength::STRONG, this must be used ONLY
* upon successful authentication and wrapped in the HardwareAuthToken's
* "challenge" field and sent to the framework via
- * ISessionCallback#onAuthenticated. The operationId is an opaque identifier
- * created from a separate secure subsystem such as, but not limited to
- * KeyStore/KeyMaster. The HardwareAuthToken can then be used as an
- * attestation for the provided operation. For example, this is used
- * to unlock biometric-bound auth-per-use keys (see
+ * ISessionCallback#onAuthenticationSucceeded. The operationId is an opaque
+ * identifier created from a separate secure subsystem such as, but not
+ * limited to KeyStore/KeyMaster. The HardwareAuthToken can then be used as
+ * an attestation for the provided operation. For example, this is used to
+ * unlock biometric-bound auth-per-use keys (see
* setUserAuthenticationParameters in KeyGenParameterSpec.Builder and
- * KeyProtection.Builder.
+ * KeyProtection.Builder).
* @return ICancellationSignal An object that can be used by the framework to cancel this
* operation.
*/
@@ -193,32 +216,36 @@
* detectInteraction:
*
* A request to start looking for faces without performing matching. Must only be called if
- * SensorProps#supportsDetectInteraction is true. If invoked on implementations that do not
- * support this functionality, the HAL must respond with ISession#onError(UNABLE_TO_PROCESS, 0).
+ * SensorProps#supportsDetectInteraction is true. If invoked on HALs that do not support this
+ * functionality, the HAL must respond with ISession#onError(UNABLE_TO_PROCESS, 0).
*
- * The framework will use this method in cases where determing user presence is required, but
- * identifying/authentication is not. For example, when the device is encrypted (first boot) or
- * in lockdown mode.
+ * The framework will use this operation in cases where determining user presence is required,
+ * but identifying/authenticating is not. For example, when the device is encrypted (first boot)
+ * or in lockdown mode.
*
* At any point during detectInteraction, if a non-recoverable error occurs, the HAL must notify
* the framework via ISessionCallback#onError with the applicable error.
*
- * The implementation must only check for a face-like image was detected (e.g. to
- * minimize interactions due to non-face objects), and the lockout counter must not
- * be modified.
+ * The HAL must only check whether a face-like image was detected (e.g. to minimize interactions
+ * due to non-face objects), and the lockout counter must not be modified.
*
- * Upon detecting any face, the implementation must invoke
- * ISessionCallback#onInteractionDetected.
+ * Upon detecting any face, the HAL must invoke ISessionCallback#onInteractionDetected.
*
- * The lifecycle of this operation ends when either
+ * The lifecycle of this operation ends when either:
* 1) Any face is detected and the framework is notified via
- * ISessionCallback#onInteractiondetected
- * 2) The operation was cancelled by the framework (see ICancellationSignal)
- * 3) An error occurred, for example ERROR::TIMEOUT
+ * ISessionCallback#onInteractionDetected.
+ * 2) An error occurrs, for example Error::TIMEOUT.
*
- * Note that if the operation is canceled, the implementation must notify the framework via
+ * Note that if the operation is canceled, the HAL must notify the framework via
* ISessionCallback#onError with Error::CANCELED.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onInteractionDetected
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
+ *
* @return ICancellationSignal An object that can be used by the framework to cancel this
* operation.
*/
@@ -227,12 +254,14 @@
/*
* enumerateEnrollments:
*
- * A request to enumerate (list) the enrollments for this (sensorId, userId) pair. The
- * framework typically uses this to ensure that its cache is in sync with the HAL.
+ * A request to enumerate (list) the enrollments for this (sensorId, userId) pair. The framework
+ * typically uses this to ensure that its cache is in sync with the HAL.
*
- * The implementation must then notify the framework with a list of enrollments applicable
- * for the current session via ISessionCallback#onEnrollmentsEnumerated.
+ * The HAL must then notify the framework with a list of enrollments applicable for the current
+ * session via ISessionCallback#onEnrollmentsEnumerated.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onEnrollmentsEnumerated
*/
void enumerateEnrollments();
@@ -242,8 +271,12 @@
* A request to remove the enrollments for this (sensorId, userId) pair.
*
* After removing the enrollmentIds from everywhere necessary (filesystem, secure subsystems,
- * etc), the implementation must notify the framework via ISessionCallback#onEnrollmentsRemoved.
+ * etc), the HAL must notify the framework via ISessionCallback#onEnrollmentsRemoved.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onEnrollmentsRemoved
+ *
+ * @param enrollmentIds a list of enrollments that should be removed.
*/
void removeEnrollments(in int[] enrollmentIds);
@@ -257,6 +290,10 @@
*
* The HAL must notify the framework about the result by calling
* ISessionCallback#onFeaturesRetrieved.
+ *
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onFeaturesRetrieved
*/
void getFeatures();
@@ -264,15 +301,19 @@
* setFeature:
*
* Enables or disables a feature for this (sensorId, userId) pair. Because certain features may
- * decrease security, the user must enter their password before this method is invoked
- * (see @param hat). The HAL must verify the hat before changing any feature state.
+ * decrease security, the user must enter their password before this operation is invoked
+ * (see @param hat). The HAL must verify the HAT before changing any feature state.
*
- * If the hat is invalid or if the user is not enrolled, the HAL must invoke
+ * If the HAT is invalid or if the user is not enrolled, the HAL must invoke
* ISessionCallback#onError with Error::UNABLE_TO_PROCESS.
*
* After the feature is successfully set, the HAL must notify the framework by calling
* ISessionCallback#onFeatureSet.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onFeatureSet
+ *
* @param hat HardwareAuthToken See above documentation.
* @param feature The feature to be enabled or disabled.
* @param enabled Whether the provided features should be enabled or disabled.
@@ -295,8 +336,8 @@
* KeyProtection.Builder.setInvalidatedByBiometricEnrollment.
*
* In addition, upon successful face authentication, the signed HAT that is returned to
- * the framework via ISessionCallback#onAuthenticated must contain this identifier in the
- * authenticatorId field.
+ * the framework via ISessionCallback#onAuthenticationSucceeded must contain this identifier in
+ * the authenticatorId field.
*
* Returns an entropy-encoded random identifier associated with the current set of enrollments
* via ISessionCallback#onAuthenticatorIdRetrieved. The authenticatorId
@@ -305,20 +346,21 @@
* 3) MUST not change if a face is deleted.
* 4) MUST be an entropy-encoded random number
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onAuthenticatorIdRetrieved
*/
void getAuthenticatorId();
/**
* invalidateAuthenticatorId:
*
- * This method only applies to sensors that are configured as SensorStrength::STRONG. If invoked
- * by the framework for sensor of other strengths, the HAL should immediately invoke
+ * This operation only applies to sensors that are configured as SensorStrength::STRONG. If
+ * invoked by the framework for sensors of other strengths, the HAL should immediately invoke
* ISessionCallback#onAuthenticatorIdInvalidated.
*
* The following only applies to sensors that are configured as SensorStrength::STRONG.
*
- * When invoked by the framework, the implementation must perform the following sequence of
- * events:
+ * When invoked by the framework, the HAL must perform the following sequence of events:
* 1) Update the authenticatorId with a new entropy-encoded random number
* 2) Persist the new authenticatorId to non-ephemeral storage
* 3) Notify the framework that the above is completed, via
@@ -326,18 +368,20 @@
*
* A practical use case of invalidation would be when the user adds a new enrollment to a sensor
* managed by a different HAL instance. The public android.security.keystore APIs bind keys to
- * "all biometrics" rather than "face-only" or "face-only" (see #getAuthenticatorId
- * for more details). As such, the framework would coordinate invalidation across multiple
- * biometric HALs as necessary.
+ * "all biometrics" rather than "fingerprint-only" or "face-only" (see #getAuthenticatorId for
+ * more details). As such, the framework would coordinate invalidation across multiple biometric
+ * HALs as necessary.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onAuthenticatorIdInvalidated
*/
void invalidateAuthenticatorId();
/**
* resetLockout:
*
- * Requests the implementation to clear the lockout counter. Upon receiving this request, the
- * implementation must perform the following:
+ * Requests the HAL to clear the lockout counter. Upon receiving this request, the HAL must
+ * perform the following:
* 1) Verify the authenticity and integrity of the provided HAT
* 2) Verify that the timestamp provided within the HAT is relatively recent (e.g. on the
* order of minutes, not hours).
@@ -373,6 +417,9 @@
* See the Android CDD section 7.3.10 for the full set of lockout and rate-limiting
* requirements.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onLockoutCleared
+ *
* @param hat HardwareAuthToken See above documentation.
*/
void resetLockout(in HardwareAuthToken hat);
@@ -384,9 +431,14 @@
* If the HAL is busy performing a cancellable operation, the operation must be explicitly
* cancelled with a call to ICancellationSignal#cancel before the session can be closed.
*
+ * After a session is closed, the HAL must notify the framework by calling
+ * ISessionCallback#onSessionClosed.
+ *
* All sessions must be explicitly closed. Calling IFace#createSession while there is an active
* session is considered an error.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onSessionClosed
*/
void close();
}
diff --git a/biometrics/face/aidl/android/hardware/biometrics/face/ISessionCallback.aidl b/biometrics/face/aidl/android/hardware/biometrics/face/ISessionCallback.aidl
index 23570bd..b3c348d 100644
--- a/biometrics/face/aidl/android/hardware/biometrics/face/ISessionCallback.aidl
+++ b/biometrics/face/aidl/android/hardware/biometrics/face/ISessionCallback.aidl
@@ -37,11 +37,11 @@
/**
* This method must only be used to notify the framework during the following operations:
- * 1) ISession#authenticate
- * 2) ISession#detectInteraction
+ * - ISession#authenticate
+ * - ISession#detectInteraction
*
- * These messages may be used to provide user guidance multiple times if necessary per
- * operation.
+ * These messages may be used to provide user guidance multiple times per operation if
+ * necessary.
*
* @param frame See the AuthenticationFrame enum.
*/
@@ -51,8 +51,8 @@
* This method must only be used to notify the framework during the ISession#enroll
* operation.
*
- * These messages may be used to provide user guidance multiple times if necessary per
- * operation.
+ * These messages may be used to provide user guidance multiple times per operation if
+ * necessary.
*
* @param frame See the EnrollmentFrame enum.
*/
@@ -60,18 +60,18 @@
/**
* This method must only be used to notify the framework during the following operations:
- * 1) ISession#enroll
- * 2) ISession#authenticate
- * 3) ISession#detectInteraction
- * 4) ISession#invalidateAuthenticatorId
- * 5) ISession#resetLockout
+ * - ISession#enroll
+ * - ISession#authenticate
+ * - ISession#detectInteraction
+ * - ISession#invalidateAuthenticatorId
+ * - ISession#resetLockout
*
* These messages may be used to notify the framework or user that a non-recoverable error
* has occurred. The operation is finished, and the HAL must proceed with the next operation
* or return to the idling state.
*
- * Note that cancellation (see common::ICancellationSignal) and preemption must be followed with
- * an Error::CANCELED message.
+ * Note that cancellation (see common::ICancellationSignal) must be followed with an
+ * Error::CANCELED message.
*
* @param error See the Error enum.
* @param vendorCode Only valid if error == Error::VENDOR. The vendorCode must be used to index
diff --git a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/IFingerprint.aidl b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/IFingerprint.aidl
index 271a9bf..75f90a1 100644
--- a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/IFingerprint.aidl
+++ b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/IFingerprint.aidl
@@ -25,31 +25,31 @@
/**
* getSensorProps:
*
- * @return A list of properties for all sensors that an instance of the HAL supports.
+ * @return A list of properties for all of the fingerprint sensors supported by the HAL.
*/
SensorProps[] getSensorProps();
/**
* createSession:
*
- * Creates a instance of ISession which can be used by the framework to perform operations
- * such as ISession#enroll, ISession#authenticate, etc. for the given sensorId and userId.
+ * Creates an instance of ISession that can be used by the framework to perform operations such
+ * as ISession#enroll, ISession#authenticate, etc. for the given sensorId and userId.
*
* Calling this method while there is an active session is considered an error. If the framework
* wants to create a new session when it already has an active session, it must first cancel the
- * current operation if it's cancellable, or wait until it completes. Then, the framework must
+ * current operation if it's cancellable or wait until it completes. Then, the framework must
* explicitly close the session with ISession#close. Once the framework receives
* ISessionCallback#onSessionClosed, a new session can be created.
*
* Implementations must store user-specific state or metadata in /data/vendor_de/<user>/fpdata
- * as specified by the SeLinux policy. This directory is created/removed by vold (see
+ * as specified by the SELinux policy. The directory /data/vendor_de is managed by vold (see
* vold_prepare_subdirs.cpp). Implementations may store additional user-specific data, such as
- * embeddings or templates in StrongBox.
+ * embeddings or templates, in StrongBox.
*
- * @param sensorId The sensor with which this session is being created.
- * @param userId The userId with which this session is being created.
- * @param cb Used to notify the framework.
- * @return A new session
+ * @param sensorId The sensorId for which this session is being created.
+ * @param userId The userId for which this session is being created.
+ * @param cb A callback to notify the framework about the session's events.
+ * @return A new session.
*/
ISession createSession(in int sensorId, in int userId, in ISessionCallback cb);
}
diff --git a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISession.aidl b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISession.aidl
index 02ef138..f1d96d3 100644
--- a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISession.aidl
+++ b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISession.aidl
@@ -20,30 +20,29 @@
import android.hardware.keymaster.HardwareAuthToken;
/**
- * Operations that can be performed for unique sessions retrieved via IFingerprint#createSession.
- * Methods defined within this interface can be split into the following categories:
- * 1) Non-interrupting operations. These operations are handled by the HAL in FIFO order.
- * 1a) Cancellable operations. These are usually the operations that can execute for several
- * minutes. To allow for cancellation, they return an instance of ICancellationSignal that
- * lets the framework cancel them by calling ICancellationSignal#cancel. If such an operation
- * is cancelled, it must notify the framework by calling ISessionCallback#onError with
- * Error::CANCELED.
- * 1b) Non-cancellable operations. Such operations cannot be cancelled once started.
+ * Operations defined within this interface can be split into the following categories:
+ * 1) Non-interrupting operations. These operations are handled by the HAL in a FIFO order.
+ * 1a) Cancellable operations. These operations can usually run for several minutes. To allow
+ * for cancellation, they return an instance of ICancellationSignal that allows the
+ * framework to cancel them by calling ICancellationSignal#cancel. If such an operation is
+ * cancelled, it must notify the framework by calling ISessionCallback#onError with
+ * Error::CANCELED.
+ * 1b) Non-cancellable operations. Such operations cannot be cancelled once started.
* 2) Interrupting operations. These operations may be invoked by the framework immediately,
* regardless of whether another operation is executing. For example, on devices with sensors
- * of FingerprintSensorType::UNDER_DISPLAY_*, ISession#onFingerDown may be invoked while the
+ * of FingerprintSensorType::UNDER_DISPLAY_*, ISession#onPointerDown may be invoked while the
* HAL is executing ISession#enroll, ISession#authenticate or ISession#detectInteraction.
*
- * The lifecycle of a non-interrupting operation ends when one of its terminal callbacks is called.
- * For example, ISession#authenticate is considered completed when either of the following callbacks
- * is called: ISessionCallback#onError or ISessionCallback#onAuthenticationSucceeded.
+ * The lifecycle of a non-interrupting operation ends when one of its final callbacks is called.
+ * For example, ISession#authenticate is considered completed when either ISessionCallback#onError
+ * or ISessionCallback#onAuthenticationSucceeded is called.
*
* The lifecycle of an interrupting operation ends when it returns. Interrupting operations do not
* have callbacks.
*
* ISession only supports execution of one non-interrupting operation at a time, regardless of
- * whether it's cancellable. The framework must wait for a corresponding callback indicating the end
- * of the current non-interrupting operation before a new non-interrupting operation can be started.
+ * whether it's cancellable. The framework must wait for a callback indicating the end of the
+ * current non-interrupting operation before a new non-interrupting operation can be started.
*/
@VintfStability
interface ISession {
@@ -89,15 +88,19 @@
* | 0 | 10 | <Time4> | <Random4> |
* ----------------------------------------------
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onChallengeGenerated
*/
void generateChallenge();
/**
* revokeChallenge:
*
- * Revokes a challenge that was previously generated. Note that if an invalid combination of
- * parameters is requested, the implementation must still notify the framework using the
- * provided callback.
+ * Revokes a challenge that was previously generated. Note that if a non-existent challenge is
+ * provided, the HAL must still notify the framework using ISessionCallback#onChallengeRevoked.
+ *
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onChallengeRevoked
*
* @param challenge Challenge that should be revoked.
*/
@@ -111,26 +114,33 @@
* At any point during enrollment, if a non-recoverable error occurs, the HAL must notify the
* framework via ISessionCallback#onError with the applicable enrollment-specific error.
*
- * Before capturing fingerprint data, the implementation must first verify the authenticity and
- * integrity of the provided HardwareAuthToken. In addition, it must check that the challenge
- * within the provided HardwareAuthToken is valid. See ISession#generateChallenge. If any of
- * the above checks fail, the framework must be notified via ISessionCallback#onError and the
- * HAL must notify the framework when it returns to the idle state. See
+ * Before capturing fingerprint data, the HAL must first verify the authenticity and integrity
+ * of the provided HardwareAuthToken. In addition, it must check that the challenge within the
+ * provided HardwareAuthToken is valid. See ISession#generateChallenge. If any of the above
+ * checks fail, the framework must be notified using ISessionCallback#onError with
* Error::UNABLE_TO_PROCESS.
*
- * During enrollment, the implementation may notify the framework via
- * ISessionCallback#onAcquired with messages that may be used to guide the user. This callback
- * can be invoked multiple times if necessary. Similarly, the framework may be notified of
- * enrollment progress changes via ISessionCallback#onEnrollmentProgress. Once the framework is
- * notified that there are 0 "remaining" steps, the framework may cache the "enrollmentId". See
- * ISessionCallback#onEnrollmentProgress for more info. The HAL must notify the framework once
- * it returns to the idle state.
+ * During enrollment, the HAL may notify the framework via ISessionCallback#onAcquired with
+ * messages that may be used to guide the user. This callback can be invoked multiple times if
+ * necessary. Similarly, the framework may be notified of enrollment progress changes via
+ * ISessionCallback#onEnrollmentProgress. Once the framework is notified that there are 0
+ * "remaining" steps, the framework may cache the "enrollmentId". See
+ * ISessionCallback#onEnrollmentProgress for more info.
*
* When a finger is successfully added and before the framework is notified of remaining=0, the
- * implementation MUST update and associate this (sensorId, userId) pair with a new new
- * entropy-encoded random identifier. See ISession#getAuthenticatorId for more information.
+ * HAL must update and associate this (sensorId, userId) pair with a new entropy-encoded random
+ * identifier. See ISession#getAuthenticatorId for more information.
+ *
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onEnrollmentProgress(enrollmentId, remaining=0)
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
*
* @param hat See above documentation.
+ * @return ICancellationSignal An object that can be used by the framework to cancel this
+ * operation.
*/
ICancellationSignal enroll(in HardwareAuthToken hat);
@@ -142,14 +152,16 @@
* At any point during authentication, if a non-recoverable error occurs, the HAL must notify
* the framework via ISessionCallback#onError with the applicable authentication-specific error.
*
- * During authentication, the implementation may notify the framework via
- * ISessionCallback#onAcquired with messages that may be used to guide the user. This callback
- * can be invoked multiple times if necessary.
+ * During authentication, the HAL may notify the framework via ISessionCallback#onAcquired with
+ * messages that may be used to guide the user. This callback can be invoked multiple times if
+ * necessary.
*
- * The HAL must notify the framework of accepts/rejects via ISessionCallback#onAuthentication*.
+ * The HAL must notify the framework of accepts and rejects via
+ * ISessionCallback#onAuthenticationSucceeded and ISessionCallback#onAuthenticationFailed,
+ * correspondingly.
*
- * The authentication lifecycle ends when either
- * 1) A fingerprint is accepted, and ISessionCallback#onAuthenticationSucceeded is invoked, or
+ * The authentication lifecycle ends when either:
+ * 1) A fingerprint is accepted, and ISessionCallback#onAuthenticationSucceeded is invoked.
* 2) Any non-recoverable error occurs (such as lockout). See the full list of
* authentication-specific errors in the Error enum.
*
@@ -162,16 +174,28 @@
* must be set with the operationId passed in during #authenticate. If the sensor is NOT
* SensorStrength::STRONG, the HardwareAuthToken MUST be null.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onAuthenticationSucceeded
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
+ * - ISessionCallback#onAuthenticationFailed
+ * - ISessionCallback#onLockoutTimed
+ * - ISessionCallback#onLockoutPermanent
+ *
* @param operationId For sensors configured as SensorStrength::STRONG, this must be used ONLY
* upon successful authentication and wrapped in the HardwareAuthToken's
* "challenge" field and sent to the framework via
- * ISessionCallback#onAuthenticated. The operationId is an opaque identifier
- * created from a separate secure subsystem such as, but not limited to
- * KeyStore/KeyMaster. The HardwareAuthToken can then be used as an
- * attestation for the provided operation. For example, this is used
- * to unlock biometric-bound auth-per-use keys (see
+ * ISessionCallback#onAuthenticationSucceeded. The operationId is an opaque
+ * identifier created from a separate secure subsystem such as, but not
+ * limited to KeyStore/KeyMaster. The HardwareAuthToken can then be used as
+ * an attestation for the provided operation. For example, this is used to
+ * unlock biometric-bound auth-per-use keys (see
* setUserAuthenticationParameters in KeyGenParameterSpec.Builder and
- * KeyProtection.Builder.
+ * KeyProtection.Builder).
+ * @return ICancellationSignal An object that can be used by the framework to cancel this
+ * operation.
*/
ICancellationSignal authenticate(in long operationId);
@@ -179,44 +203,52 @@
* detectInteraction:
*
* A request to start looking for fingerprints without performing matching. Must only be called
- * if SensorProps#supportsDetectInteraction is true. If invoked on implementations that do not
- * support this functionality, the HAL must respond with ISession#onError(UNABLE_TO_PROCESS, 0).
+ * if SensorProps#supportsDetectInteraction is true. If invoked on HALs that do not support this
+ * functionality, the HAL must respond with ISession#onError(UNABLE_TO_PROCESS, 0).
*
- * The framework will use this method in cases where determing user presence is required, but
- * identifying/authentication is not. For example, when the device is encrypted (first boot) or
- * in lockdown mode.
+ * The framework will use this operation in cases where determining user presence is required,
+ * but identifying/authenticating is not. For example, when the device is encrypted (first boot)
+ * or in lockdown mode.
*
* At any point during detectInteraction, if a non-recoverable error occurs, the HAL must notify
* the framework via ISessionCallback#onError with the applicable error.
*
- * The implementation must only check for a fingerprint-like image was detected (e.g. to
- * minimize interactions due to non-fingerprint objects), and the lockout counter must not
- * be modified.
+ * The HAL must only check whether a fingerprint-like image was detected (e.g. to minimize
+ * interactions due to non-fingerprint objects), and the lockout counter must not be modified.
*
- * Upon detecting any fingerprint, the implementation must invoke
- * ISessionCallback#onInteractionDetected.
+ * Upon detecting any fingerprint, the HAL must invoke ISessionCallback#onInteractionDetected.
*
- * The lifecycle of this operation ends when either
+ * The lifecycle of this operation ends when either:
* 1) Any fingerprint is detected and the framework is notified via
- * ISessionCallback#onInteractiondetected
- * 2) The operation was cancelled by the framework (see ICancellationSignal)
- * 3) The HAL ends the operation, for example when a subsequent operation pre-empts this one.
+ * ISessionCallback#onInteractionDetected.
+ * 2) An error occurs, for example Error::TIMEOUT.
*
- * Note that if the operation is canceled, the implementation must notify the framework via
+ * Note that if the operation is canceled, the HAL must notify the framework via
* ISessionCallback#onError with Error::CANCELED.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onError
+ * - ISessionCallback#onInteractionDetected
+ *
+ * Other applicable callbacks:
+ * - ISessionCallback#onAcquired
+ *
+ * @return ICancellationSignal An object that can be used by the framework to cancel this
+ * operation.
*/
ICancellationSignal detectInteraction();
/*
* enumerateEnrollments:
*
- * A request to enumerate (list) the enrollments for this (sensorId, userId) pair. The
- * framework typically uses this to ensure that its cache is in sync with the HAL.
+ * A request to enumerate (list) the enrollments for this (sensorId, userId) pair. The framework
+ * typically uses this to ensure that its cache is in sync with the HAL.
*
- * The implementation must then notify the framework with a list of enrollments applicable
- * for the current session via ISessionCallback#onEnrollmentsEnumerated.
+ * The HAL must then notify the framework with a list of enrollments applicable for the current
+ * session via ISessionCallback#onEnrollmentsEnumerated.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onEnrollmentsEnumerated
*/
void enumerateEnrollments();
@@ -226,8 +258,12 @@
* A request to remove the enrollments for this (sensorId, userId) pair.
*
* After removing the enrollmentIds from everywhere necessary (filesystem, secure subsystems,
- * etc), the implementation must notify the framework via ISessionCallback#onEnrollmentsRemoved.
+ * etc), the HAL must notify the framework via ISessionCallback#onEnrollmentsRemoved.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onEnrollmentsRemoved
+ *
+ * @param enrollmentIds a list of enrollments that should be removed.
*/
void removeEnrollments(in int[] enrollmentIds);
@@ -240,15 +276,15 @@
* The following only applies to sensors that are configured as SensorStrength::STRONG.
*
* The authenticatorId is a (sensorId, user)-specific identifier which can be used during key
- * generation and key import to to associate a key (in KeyStore / KeyMaster) with the current
- * set of enrolled fingerprints. For example, the following public Android APIs allow for keys
- * to be invalidated when the user adds a new enrollment after the key was created:
+ * generation and import to associate the key (in KeyStore / KeyMaster) with the current set of
+ * enrolled fingerprints. For example, the following public Android APIs allow for keys to be
+ * invalidated when the user adds a new enrollment after the key was created:
* KeyGenParameterSpec.Builder.setInvalidatedByBiometricEnrollment and
* KeyProtection.Builder.setInvalidatedByBiometricEnrollment.
*
* In addition, upon successful fingerprint authentication, the signed HAT that is returned to
- * the framework via ISessionCallback#onAuthenticated must contain this identifier in the
- * authenticatorId field.
+ * the framework via ISessionCallback#onAuthenticationSucceeded must contain this identifier in
+ * the authenticatorId field.
*
* Returns an entropy-encoded random identifier associated with the current set of enrollments
* via ISessionCallback#onAuthenticatorIdRetrieved. The authenticatorId
@@ -257,20 +293,21 @@
* 3) MUST not change if a fingerprint is deleted.
* 4) MUST be an entropy-encoded random number
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onAuthenticatorIdRetrieved
*/
void getAuthenticatorId();
/**
* invalidateAuthenticatorId:
*
- * This method only applies to sensors that are configured as SensorStrength::STRONG. If invoked
- * by the framework for sensor of other strengths, the HAL should immediately invoke
+ * This operation only applies to sensors that are configured as SensorStrength::STRONG. If
+ * invoked by the framework for sensors of other strengths, the HAL should immediately invoke
* ISessionCallback#onAuthenticatorIdInvalidated.
*
* The following only applies to sensors that are configured as SensorStrength::STRONG.
*
- * When invoked by the framework, the implementation must perform the following sequence of
- * events:
+ * When invoked by the framework, the HAL must perform the following sequence of events:
* 1) Update the authenticatorId with a new entropy-encoded random number
* 2) Persist the new authenticatorId to non-ephemeral storage
* 3) Notify the framework that the above is completed, via
@@ -278,23 +315,25 @@
*
* A practical use case of invalidation would be when the user adds a new enrollment to a sensor
* managed by a different HAL instance. The public android.security.keystore APIs bind keys to
- * "all biometrics" rather than "fingerprint-only" or "face-only" (see #getAuthenticatorId
- * for more details). As such, the framework would coordinate invalidation across multiple
- * biometric HALs as necessary.
+ * "all biometrics" rather than "fingerprint-only" or "face-only" (see #getAuthenticatorId for
+ * more details). As such, the framework would coordinate invalidation across multiple biometric
+ * HALs as necessary.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onAuthenticatorIdInvalidated
*/
void invalidateAuthenticatorId();
/**
* resetLockout:
*
- * Requests the implementation to clear the lockout counter. Upon receiving this request, the
- * implementation must perform the following:
+ * Requests the HAL to clear the lockout counter. Upon receiving this request, the HAL must
+ * perform the following:
* 1) Verify the authenticity and integrity of the provided HAT
* 2) Verify that the timestamp provided within the HAT is relatively recent (e.g. on the
* order of minutes, not hours).
* If either of the checks fail, the HAL must invoke ISessionCallback#onError with
- * Error::UNABLE_TO_PROCESS and return to the idling state.
+ * Error::UNABLE_TO_PROCESS.
*
* Upon successful verification, the HAL must clear the lockout counter and notify the framework
* via ISessionCallback#onLockoutCleared.
@@ -325,6 +364,9 @@
* See the Android CDD section 7.3.10 for the full set of lockout and rate-limiting
* requirements.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onLockoutCleared
+ *
* @param hat HardwareAuthToken See above documentation.
*/
void resetLockout(in HardwareAuthToken hat);
@@ -343,6 +385,8 @@
* All sessions must be explicitly closed. Calling IFingerprint#createSession while there is an
* active session is considered an error.
*
+ * Callbacks that signify the end of this operation's lifecycle:
+ * - ISessionCallback#onSessionClosed
*/
void close();
@@ -353,16 +397,16 @@
/**
* onPointerDown:
*
- * This method only applies to sensors that are configured as
+ * This operation only applies to sensors that are configured as
* FingerprintSensorType::UNDER_DISPLAY_*. If invoked erroneously by the framework for sensors
* of other types, the HAL must treat this as a no-op and return immediately.
*
- * For sensors of type FingerprintSensorType::UNDER_DISPLAY_*, this method is used to notify the
- * HAL of display touches. This method can be invoked when the HAL is performing any one of:
- * ISession#authenticate, ISession#enroll, ISession#detectInteraction.
+ * This operation is used to notify the HAL of display touches. This operation can be invoked
+ * when the HAL is performing any one of: ISession#authenticate, ISession#enroll,
+ * ISession#detectInteraction.
*
- * Note that the framework will only invoke this method if the event occurred on the display on
- * which this sensor is located.
+ * Note that the framework will only invoke this operation if the event occurred on the display
+ * on which this sensor is located.
*
* Note that for sensors which require illumination such as
* FingerprintSensorType::UNDER_DISPLAY_OPTICAL, and where illumination is handled below the
@@ -379,10 +423,13 @@
/**
* onPointerUp:
*
- * This method only applies to sensors that are configured as
+ * This operation only applies to sensors that are configured as
* FingerprintSensorType::UNDER_DISPLAY_*. If invoked for sensors of other types, the HAL must
* treat this as a no-op and return immediately.
*
+ * This operation can be invoked when the HAL is performing any one of: ISession#authenticate,
+ * ISession#enroll, ISession#detectInteraction.
+ *
* @param pointerId See android.view.MotionEvent#getPointerId
*/
void onPointerUp(in int pointerId);
@@ -390,12 +437,15 @@
/*
* onUiReady:
*
- * This method only applies to sensors that are configured as
+ * This operation only applies to sensors that are configured as
* FingerprintSensorType::UNDER_DISPLAY_OPTICAL. If invoked for sensors of other types, the HAL
* must treat this as a no-op and return immediately.
*
+ * This operation can be invoked when the HAL is performing any one of: ISession#authenticate,
+ * ISession#enroll, ISession#detectInteraction.
+ *
* For FingerprintSensorType::UNDER_DISPLAY_OPTICAL where illumination is handled above the
- * HAL, the framework will invoke this method to notify that the illumination has started.
+ * HAL, the framework will invoke this operation to notify when the illumination is showing.
*/
void onUiReady();
}
diff --git a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISessionCallback.aidl b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISessionCallback.aidl
index 95657b3..f699966 100644
--- a/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISessionCallback.aidl
+++ b/biometrics/fingerprint/aidl/android/hardware/biometrics/fingerprint/ISessionCallback.aidl
@@ -34,12 +34,12 @@
/**
* This method must only be used to notify the framework during the following operations:
- * 1) ISession#enroll
- * 2) ISession#authenticate
- * 3) ISession#detectInteraction
+ * - ISession#enroll
+ * - ISession#authenticate
+ * - ISession#detectInteraction
*
- * These messages may be used to provide user guidance multiple times if necessary per
- * operation.
+ * These messages may be used to provide user guidance multiple times per operation if
+ * necessary.
*
* @param info See the AcquiredInfo enum.
* @param vendorCode Only valid if info == AcquiredInfo::VENDOR. The vendorCode must be used to
@@ -51,18 +51,18 @@
/**
* This method must only be used to notify the framework during the following operations:
- * 1) ISession#enroll
- * 2) ISession#authenticate
- * 3) ISession#detectInteraction
- * 4) ISession#invalidateAuthenticatorId
- * 5) ISession#resetLockout
+ * - ISession#enroll
+ * - ISession#authenticate
+ * - ISession#detectInteraction
+ * - ISession#invalidateAuthenticatorId
+ * - ISession#resetLockout
*
* These messages may be used to notify the framework or user that a non-recoverable error
* has occurred. The operation is finished, and the HAL can proceed with the next operation
* or return to the idling state.
*
- * Note that cancellation (see common::ICancellationSignal) and preemption must be followed with
- * an Error::CANCELED message.
+ * Note that cancellation (see common::ICancellationSignal) must be followed with an
+ * Error::CANCELED message.
*
* @param error See the Error enum.
* @param vendorCode Only valid if error == Error::VENDOR. The vendorCode must be used to index
@@ -100,8 +100,8 @@
* This method must only be used to notify the framework during ISession#authenticate.
*
* Used to notify the framework upon rejected attempts. Note that the authentication
- * lifecycle ends when either 1) a fingerprint is accepted, or 2) an occurred. The
- * authentication lifecycle does NOT end when a fingerprint is rejected.
+ * lifecycle ends when either 1) a fingerprint is accepted, or 2) an error occurred.
+ * The authentication lifecycle does NOT end when a fingerprint is rejected.
*/
void onAuthenticationFailed();
diff --git a/memtrack/aidl/android/hardware/memtrack/IMemtrack.aidl b/memtrack/aidl/android/hardware/memtrack/IMemtrack.aidl
index e78d4d7..13c3389 100644
--- a/memtrack/aidl/android/hardware/memtrack/IMemtrack.aidl
+++ b/memtrack/aidl/android/hardware/memtrack/IMemtrack.aidl
@@ -31,12 +31,14 @@
* accounting for stride, bit depth, rounding up to page size, etc.
*
* The following getMemory() categories are important for memory accounting in
- * `dumpsys meminfo` and should be reported as described below:
+ * Android frameworks (e.g. `dumpsys meminfo`) and should be reported as described
+ * below:
*
* - MemtrackType::GRAPHICS and MemtrackRecord::FLAG_SMAPS_UNACCOUNTED
- * This should report the PSS of all DMA buffers mapped by the process
- * with the specified PID. This PSS can be calculated using ReadDmaBufPss()
- * form libdmabufinfo.
+ * This should report the PSS of all CPU-Mapped DMA-BUFs (buffers mapped into
+ * the process address space) and all GPU-Mapped DMA-BUFs (buffers mapped into
+ * the GPU device address space on behalf of the process), removing any overlap
+ * between the CPU-mapped and GPU-mapped sets.
*
* - MemtrackType::GL and MemtrackRecord::FLAG_SMAPS_UNACCOUNTED
* This category should report all GPU private allocations for the specified
@@ -46,6 +48,10 @@
* Any other memory not accounted for in /proc/<pid>/smaps if any, otherwise
* this should return 0.
*
+ * SMAPS_UNACCOUNTED memory should also include memory that is mapped with
+ * VM_PFNMAP flag set. For these mappings PSS and RSS are reported as 0 in smaps.
+ * Such mappings have no backing page structs from which PSS/RSS can be calculated.
+ *
* Constructor for the interface should be used to perform memtrack management
* setup actions and must be called once before any calls to getMemory().
*/
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 9cc795d..2241735 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -277,6 +277,10 @@
* must return ErrorCode::INVALID_ARGUMENT. The values 3 and 65537 must be supported. It is
* recommended to support all prime values up to 2^64.
*
+ * o Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER specify the valid date range for
+ * the returned X.509 certificate holding the public key. If omitted, generateKey must return
+ * ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
+ *
* The following parameters are not necessary to generate a usable RSA key, but generateKey must
* not return an error if they are omitted:
*
@@ -297,6 +301,10 @@
* Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey
* must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support
* all curves. StrongBox implementations must support P_256.
+
+ * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the
+ * valid date range for the returned X.509 certificate holding the public key. If omitted,
+ * generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
*
* == AES Keys ==
*
@@ -805,9 +813,10 @@
byte[] convertStorageKeyToEphemeral(in byte[] storageKeyBlob);
/**
- * Returns parameters associated with the provided key. This should match the
- * KeyCharacteristics present in the KeyCreationResult returned by generateKey(),
- * importKey(), or importWrappedKey().
+ * Returns KeyMint-enforced parameters associated with the provided key. The returned tags are
+ * a subset of KeyCharacteristics found in the KeyCreationResult returned by generateKey(),
+ * importKey(), or importWrappedKey(). The returned value is a subset, as it does not include
+ * any Keystore-enforced parameters.
*
* @param keyBlob The opaque descriptor returned by generateKey, importKey or importWrappedKey.
*
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index 58e02b3..270574b 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -483,12 +483,12 @@
/**
* Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and
- * specifies that this key must not be usable unless the user provides confirmation of the data
- * to be signed. Confirmation is proven to keyMint via an approval token. See
- * CONFIRMATION_TOKEN, as well as the ConfirmationUI HAL.
+ * specifies that this key must not be usable unless the user provides confirmation of the data
+ * to be signed. Confirmation is proven to keyMint via an approval token. See the authToken
+ * parameter of begin(), as well as the ConfirmationUI HAL.
*
* If an attempt to use a key with this tag does not have a cryptographically valid
- * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not
+ * token provided to finish() or if the data provided to update()/finish() does not
* match the data described in the token, keyMint must return NO_USER_CONFIRMATION.
*
* Must be hardware-enforced.
@@ -497,9 +497,11 @@
/**
* Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is
- * unlocked.
+ * unlocked, as reported to KeyMint via authToken operation parameter and the
+ * IKeyMintDevice::deviceLocked() method
*
- * Must be software-enforced.
+ * Must be hardware-enforced (but is also keystore-enforced on a per-user basis: see the
+ * deviceLocked() documentation).
*/
UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509,
@@ -870,8 +872,9 @@
*
* STORAGE_KEY is used to denote that a key generated or imported is a key used for storage
* encryption. Keys of this type can either be generated or imported or secure imported using
- * keyMint. exportKey() can be used to re-wrap storage key with a per-boot ephemeral key
- * wrapped key once the key characteristics are enforced.
+ * keyMint. The convertStorageKeyToEphemeral() method of IKeyMintDevice can be used to re-wrap
+ * storage key with a per-boot ephemeral key wrapped key once the key characteristics are
+ * enforced.
*
* Keys with this tag cannot be used for any operation within keyMint.
* ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
@@ -919,11 +922,10 @@
RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004,
/**
- * Tag::CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user
- * confirmed a signing request. The content is a full-length HMAC-SHA256 value. See the
- * ConfirmationUI HAL for details of token computation.
+ * OBSOLETE: Do not use. See the authToken parameter for IKeyMintDevice::begin and for
+ * IKeyMintOperation methods instead.
*
- * Must never appear in KeyCharacteristics.
+ * TODO(b/191738660): Delete when keystore1 is deleted.
*/
CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,
diff --git a/security/keymint/aidl/vts/functional/Android.bp b/security/keymint/aidl/vts/functional/Android.bp
index ff08ce6..386029f 100644
--- a/security/keymint/aidl/vts/functional/Android.bp
+++ b/security/keymint/aidl/vts/functional/Android.bp
@@ -23,16 +23,11 @@
default_applicable_licenses: ["hardware_interfaces_license"],
}
-cc_test {
- name: "VtsAidlKeyMintTargetTest",
+cc_defaults {
+ name: "keymint_vts_defaults",
defaults: [
- "VtsHalTargetTestDefaults",
"use_libaidlvintf_gtest_helper_static",
- ],
- srcs: [
- "AttestKeyTest.cpp",
- "DeviceUniqueAttestationTest.cpp",
- "KeyMintTest.cpp",
+ "VtsHalTargetTestDefaults",
],
shared_libs: [
"libbinder_ndk",
@@ -43,9 +38,24 @@
"android.hardware.security.secureclock-V1-ndk_platform",
"libcppbor_external",
"libcppcose_rkp",
+ "libjsoncpp",
"libkeymint",
"libkeymint_remote_prov_support",
"libkeymint_support",
+ ],
+}
+
+cc_test {
+ name: "VtsAidlKeyMintTargetTest",
+ defaults: [
+ "keymint_vts_defaults",
+ ],
+ srcs: [
+ "AttestKeyTest.cpp",
+ "DeviceUniqueAttestationTest.cpp",
+ "KeyMintTest.cpp",
+ ],
+ static_libs: [
"libkeymint_vts_test_utils",
],
test_suites: [
@@ -57,8 +67,7 @@
cc_test_library {
name: "libkeymint_vts_test_utils",
defaults: [
- "VtsHalTargetTestDefaults",
- "use_libaidlvintf_gtest_helper_static",
+ "keymint_vts_defaults",
],
srcs: [
"KeyMintAidlTestBase.cpp",
@@ -66,45 +75,22 @@
export_include_dirs: [
".",
],
- shared_libs: [
- "libbinder_ndk",
- "libcrypto",
- ],
static_libs: [
- "android.hardware.security.keymint-V1-ndk_platform",
- "android.hardware.security.secureclock-V1-ndk_platform",
- "libcppbor_external",
- "libcppcose_rkp",
"libgmock_ndk",
- "libkeymint",
- "libkeymint_remote_prov_support",
- "libkeymint_support",
],
}
cc_test {
name: "VtsHalRemotelyProvisionedComponentTargetTest",
defaults: [
- "VtsHalTargetTestDefaults",
- "use_libaidlvintf_gtest_helper_static",
+ "keymint_vts_defaults",
],
srcs: [
"VtsRemotelyProvisionedComponentTests.cpp",
],
- shared_libs: [
- "libbinder_ndk",
- "libcrypto",
- ],
static_libs: [
- "android.hardware.security.keymint-V1-ndk_platform",
- "android.hardware.security.secureclock-V1-ndk_platform",
- "libcppbor_external",
- "libcppcose_rkp",
"libgmock_ndk",
"libkeymaster_portable",
- "libkeymint",
- "libkeymint_support",
- "libkeymint_remote_prov_support",
"libkeymint_vts_test_utils",
"libpuresoftkeymasterdevice",
],
diff --git a/security/keymint/support/Android.bp b/security/keymint/support/Android.bp
index c2dba04..9e218b6 100644
--- a/security/keymint/support/Android.bp
+++ b/security/keymint/support/Android.bp
@@ -57,9 +57,11 @@
"include",
],
shared_libs: [
+ "libbase",
"libcppbor_external",
"libcppcose_rkp",
"libcrypto",
+ "libjsoncpp",
],
}
@@ -71,9 +73,11 @@
"libgtest_main",
],
shared_libs: [
+ "libbase",
"libcppbor_external",
"libcppcose_rkp",
"libcrypto",
+ "libjsoncpp",
"libkeymaster_portable",
"libkeymint_remote_prov_support",
],
diff --git a/security/keymint/support/include/remote_prov/remote_prov_utils.h b/security/keymint/support/include/remote_prov/remote_prov_utils.h
index b02d273..406b7a9 100644
--- a/security/keymint/support/include/remote_prov/remote_prov_utils.h
+++ b/security/keymint/support/include/remote_prov/remote_prov_utils.h
@@ -87,4 +87,26 @@
*/
ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc);
+struct JsonOutput {
+ static JsonOutput Ok(std::string json) { return {std::move(json), ""}; }
+ static JsonOutput Error(std::string error) { return {"", std::move(error)}; }
+
+ std::string output;
+ std::string error; // if non-empty, this describes what went wrong
+};
+
+/**
+ * Take a given certificate request and output a JSON blob containing both the
+ * build fingerprint and certificate request. This data may be serialized, then
+ * later uploaded to the remote provisioning service. The input csr is not
+ * validated, only encoded.
+ *
+ * Output format:
+ * {
+ * "build_fingerprint": <string>
+ * "csr": <base64 CBOR CSR>
+ * }
+ */
+JsonOutput jsonEncodeCsrWithBuild(const cppbor::Array& csr);
+
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 982a1eb..0cbee51 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -14,13 +14,15 @@
* limitations under the License.
*/
+#include <iterator>
#include <tuple>
-#include <remote_prov/remote_prov_utils.h>
-
-#include <openssl/rand.h>
-
+#include <android-base/properties.h>
#include <cppbor.h>
+#include <json/json.h>
+#include <openssl/base64.h>
+#include <openssl/rand.h>
+#include <remote_prov/remote_prov_utils.h>
namespace aidl::android::hardware::security::keymint::remote_prov {
@@ -180,4 +182,36 @@
return result;
}
+JsonOutput jsonEncodeCsrWithBuild(const cppbor::Array& csr) {
+ const std::string kFingerprintProp = "ro.build.fingerprint";
+
+ if (!::android::base::WaitForPropertyCreation(kFingerprintProp)) {
+ return JsonOutput::Error("Unable to read build fingerprint");
+ }
+
+ bytevec csrCbor = csr.encode();
+ size_t base64Length;
+ int rc = EVP_EncodedLength(&base64Length, csrCbor.size());
+ if (!rc) {
+ return JsonOutput::Error("Error getting base64 length. Size overflow?");
+ }
+
+ std::vector<char> base64(base64Length);
+ rc = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(base64.data()), csrCbor.data(), csrCbor.size());
+ ++rc; // Account for NUL, which BoringSSL does not for some reason.
+ if (rc != base64Length) {
+ return JsonOutput::Error("Error writing base64. Expected " + std::to_string(base64Length) +
+ " bytes to be written, but " + std::to_string(rc) +
+ " bytes were actually written.");
+ }
+
+ Json::Value json(Json::objectValue);
+ json["build_fingerprint"] = ::android::base::GetProperty(kFingerprintProp, /*default=*/"");
+ json["csr"] = base64.data(); // Boring writes a NUL-terminated c-string
+
+ Json::StreamWriterBuilder factory;
+ factory["indentation"] = ""; // disable pretty formatting
+ return JsonOutput::Ok(Json::writeString(factory, json));
+}
+
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/keymint/support/remote_prov_utils_test.cpp b/security/keymint/support/remote_prov_utils_test.cpp
index c360c06..8697c51 100644
--- a/security/keymint/support/remote_prov_utils_test.cpp
+++ b/security/keymint/support/remote_prov_utils_test.cpp
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include <android-base/properties.h>
#include <cppbor_parse.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
@@ -23,6 +24,7 @@
#include <openssl/curve25519.h>
#include <remote_prov/remote_prov_utils.h>
#include <cstdint>
+#include "cppbor.h"
#include "keymaster/cppcose/cppcose.h"
namespace aidl::android::hardware::security::keymint::remote_prov {
@@ -80,5 +82,20 @@
EXPECT_THAT(eekPub, ElementsAreArray(geek->getBstrValue(CoseKey::PUBKEY_X).value_or(empty)));
}
+TEST(RemoteProvUtilsTest, JsonEncodeCsr) {
+ cppbor::Array array;
+ array.add(1);
+
+ auto [json, error] = jsonEncodeCsrWithBuild(array);
+
+ ASSERT_TRUE(error.empty()) << error;
+
+ std::string expected = R"({"build_fingerprint":")" +
+ ::android::base::GetProperty("ro.build.fingerprint", /*default=*/"") +
+ R"(","csr":"gQE="})";
+
+ ASSERT_EQ(json, expected);
+}
+
} // namespace
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/sharedsecret/aidl/vts/functional/SharedSecretAidlTest.cpp b/security/sharedsecret/aidl/vts/functional/SharedSecretAidlTest.cpp
index 919f882..51938ba 100644
--- a/security/sharedsecret/aidl/vts/functional/SharedSecretAidlTest.cpp
+++ b/security/sharedsecret/aidl/vts/functional/SharedSecretAidlTest.cpp
@@ -268,10 +268,16 @@
<< "Shared secret service that provided tweaked param should fail to compute "
"shared secret";
} else {
- EXPECT_EQ(ErrorCode::OK, responses[i].error) << "Others should succeed";
- EXPECT_NE(correct_response, responses[i].sharing_check)
- << "Others should calculate a different shared secret, due to the tweaked "
- "nonce.";
+ // Other services *may* succeed, or may notice the invalid size for the nonce.
+ // However, if another service completes the computation, it should get the 'wrong'
+ // answer.
+ if (responses[i].error == ErrorCode::OK) {
+ EXPECT_NE(correct_response, responses[i].sharing_check)
+ << "Others should calculate a different shared secret, due to the tweaked "
+ "nonce.";
+ } else {
+ EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, responses[i].error);
+ }
}
}
}
@@ -348,10 +354,16 @@
<< "Shared secret service that provided tweaked param should fail to compute "
"shared secret";
} else {
- EXPECT_EQ(ErrorCode::OK, responses[i].error) << "Others should succeed";
- EXPECT_NE(correct_response, responses[i].sharing_check)
- << "Others should calculate a different shared secret, due to the tweaked "
- "nonce.";
+ // Other services *may* succeed, or may notice the invalid size for the seed.
+ // However, if another service completes the computation, it should get the 'wrong'
+ // answer.
+ if (responses[i].error == ErrorCode::OK) {
+ EXPECT_NE(correct_response, responses[i].sharing_check)
+ << "Others should calculate a different shared secret, due to the tweaked "
+ "seed.";
+ } else {
+ EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, responses[i].error);
+ }
}
}
}
diff --git a/wifi/1.5/default/android.hardware.wifi@1.0-service-lazy.rc b/wifi/1.5/default/android.hardware.wifi@1.0-service-lazy.rc
index 061689d..bc6bb6a 100644
--- a/wifi/1.5/default/android.hardware.wifi@1.0-service-lazy.rc
+++ b/wifi/1.5/default/android.hardware.wifi@1.0-service-lazy.rc
@@ -4,6 +4,7 @@
interface android.hardware.wifi@1.2::IWifi default
interface android.hardware.wifi@1.3::IWifi default
interface android.hardware.wifi@1.4::IWifi default
+ interface android.hardware.wifi@1.5::IWifi default
oneshot
disabled
class hal