Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / bd4e48cb23c2215b6017e803da9c9251ce7be650^! / . / authsecret / 1.0 / IAuthSecret.hal
commitbd4e48cb23c2215b6017e803da9c9251ce7be650[log] [tgz]
authorAndrew Scull <ascull@google.com>Fri Jan 19 19:17:56 2018 +0000
committerAndrew Scull <ascull@google.com>Wed Jan 24 18:24:38 2018 +0000
treea0e45e36dc297165ac758990e43ecba4bf0370b7
parent8a03c92df4685088c0a1438ee233a086dfe33ebb [diff] [blame]
authsecret: remove factoryReset()

Factory reset will be handled by each device from recovery or in the
bootloader in response to `fastboot -w`. The requirements of the factory
reset are made explicit. As a result, VTS tests are moving to a host
side test that can factory reset between each test case.

Also clarifies when the remaining method is called.

Test: AuthSecretHidlTest
Bug: 71527305
Change-Id: I9a29568e022eb83061d8db68e1e7971fc53bd823

diff --git a/authsecret/1.0/IAuthSecret.hal b/authsecret/1.0/IAuthSecret.hal
index d2cb5da..6b573b3 100644
--- a/authsecret/1.0/IAuthSecret.hal
+++ b/authsecret/1.0/IAuthSecret.hal

@@ -24,25 +24,23 @@
  */
 interface IAuthSecret {
     /**
-     * When the primary user correctly enters their credential, this method is
-     * passed a secret derived from that credential to prove that their
-     * credential is known.
+     * When the primary user is unlocked, this method is passed a secret to
+     * prove that is has been successfully unlocked. The primary user can either
+     * be unlocked by a person entering their credential or by another party
+     * using an escrow token e.g. a device administrator.
      *
      * The first time this is called, the secret must be used to provision state
-     * that depends on the primary user's credential. The same secret is passed
-     * on each call until a factory reset after which there must be a new
-     * secret.
+     * that depends on the primary user's secret. The same secret must be passed
+     * on each call until the next factory reset.
      *
-     * The secret must be at lesat 16 bytes.
+     * Upon factory reset, any dependence on the secret must be removed as that
+     * secret is now lost and must never be derived again. A new secret must be
+     * created for the new primary user which must be used to newly provision
+     * state the first time this method is called after factory reset.
+     *
+     * The secret must be at least 16 bytes.
      *
      * @param secret blob derived from the primary user's credential.
      */
     primaryUserCredential(vec<uint8_t> secret);
-
-    /**
-     * Called from recovery during factory reset. The secret is now lost and can
-     * no longer be derived. Any data linked to the secret must be destroyed and
-     * any dependence on the secret must be removed.
-     */
-    factoryReset();
 };