Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / af5d0a6d1d143900216f5369cf84b4412f23227a / . / biometrics / face / 1.0 / IBiometricsFace.hal
blob: f39eaeb2fd089f0925e349adf5112aa8cf49060e [file] [log] [blame]
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]1/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.hardware.biometrics.face@1.0;
18
19import IBiometricsFaceClientCallback;
20
21// TODO(b/78538290): Update comments with state machine transitions when ready.
22// TODO(b/78537981): Update comments with callback interaction contract.
23// TODO(b/79496983): Update comments with status returns fully enumerated.
24/**
25 * The HAL interface for biometric face authentication.
26 */
27interface IBiometricsFace {
28
29 /**
30 * Sets the current client callback.
31 *
32 * Registers a user function that must receive notifications from the HAL.
33 * There is usually only one client (FaceService). This call must block
34 * if the HAL state machine is in busy state until the HAL leaves the
35 * busy state.
36 *
37 * All callback methods pass a deviceId to differentiate callback
38 * invocations in the case where multiple sensors exist.
39 *
40 * @param clientCallback The client defined callback to register.
41 * @return result, with its "value" parameter representing a "deviceId",
42 * which must be unique for a given sensor.
43 */
44 @callflow(next={"setActiveUser"})
45 @entry
46 setCallback(IBiometricsFaceClientCallback clientCallback)
47 generates (OptionalUint64 result);
48
49 /**
50 * Sets the active user, which all subsequent HAL operations are applied to.
51 *
52 * HAL service implementors must ensure that operations are restricted to
53 * the given user. Clients must not call any part of this interface, except
54 * for setCallback(), without first having set an active user. The
55 * implementation is responsible for cancelling the current operation and
56 * returning to the idle state. Calling this method with the same userId
57 * should have no effect on the state machine.
58 *
59 * @param userId A non-negative user identifier that must be unique and
60 * persistent for a given user.
61 * @param storePath filesystem path to the template storage directory.
62 */
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]63 @callflow(next={"authenticate", "generateChallenge", "enumerate", "remove"})
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]64 setActiveUser(int32_t userId, string storePath) generates (Status status);
65
66 /**
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]67 * Begins a secure transaction request, e.g. enrollment.
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]68 *
69 * Generates a unique and cryptographically secure random token used to
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]70 * indicate the start of a secure transaction. generateChallenge() and
71 * revokeChallenge() specify a pin/pattern/password cleared time window where
72 * the secure transaction is allowed.
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]73 *
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]74 * generateChallenge() generates a challenge which must then be wrapped by the
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]75 * gatekeeper after verifying a successful strong authentication attempt,
76 * which generates a Hardware Authentication Token. The challenge prevents
77 * spoofing and replay attacks and ensures that we only update a user’s face
78 * template if the operation was preceded by some kind of strong credential
79 * confirmation (e.g. device password).
80 *
81 * @return result, with its "value" parameter representing a "challenge": a
82 * unique and cryptographically secure random token.
83 */
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]84 @callflow(next={"enroll", "revokeChallenge", "setRequireAttention"})
85 generateChallenge() generates (OptionalUint64 result);
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]86
87 /**
88 * Enrolls a user's face.
89 *
90 * Note that this interface permits implementations where multiple faces can
91 * be enrolled for a single user. However, allowing multiple faces to be
92 * enrolled can be a severe security vulnerability and hence, most
93 * implementations must ensure that only a single face be enrolled at a
94 * given time. Multi-enrollment must only be used where there is a clear
95 * necessity for a shared use case, e.g. TVs or cars.
96 *
97 * Note that the Hardware Authentication Token must still be valid after
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]98 * this call, and must be explicitly invalidated by a call to
99 * revokeChallenge(). This allows clients to immediately reattempt
100 * enrollment (for example, if a user wasn’t satisfied with their enrollment)
101 * without having to go through another strong authentication flow.
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]102 *
103 * This method triggers the IBiometricsFaceClientCallback#onEnrollResult()
104 * method.
105 *
106 * @param hat A valid Hardware Authentication Token, generated as a result
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]107 * of a generateChallenge() challenge being wrapped by the gatekeeper
108 * after a sucessful strong authentication request.
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]109 * @param timeoutSec A timeout in seconds, after which this enrollment
110 * attempt is cancelled. Note that the client still needs to
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]111 * call revokeChallenge() to terminate the enrollment session.
Kevin Chyn57acf972018-08-31 15:10:03 -0700[diff] [blame]112 * @param requireAttention When set to true, requires user attention (e.g.
113 * eyes open and looking at the device) for enrollment to complete, as
114 * well as subsequent authentication. This is expected to be enabled by
115 * default to improve security and decrease falsing (unintentional face
116 * detection). This feature can be disabled at the user's request
117 * during enrollment, e.g. for accessibility reasons. When enabled,
118 * the FaceAcquiredInfo#POOR_GAZE message must be sent when the user's
119 * attention has not been established. The UI should inform the user
120 * to look at the device.
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]121 * @return status The status of this method call.
122 */
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]123 @callflow(next={"cancel", "enroll", "revokeChallenge", "remove"})
Kevin Chyn57acf972018-08-31 15:10:03 -0700[diff] [blame]124 enroll(vec<uint8_t> hat, uint32_t timeoutSec, bool requireAttention)
125 generates (Status status);
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]126
127 /**
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]128 * Finishes the secure transaction by invalidating the challenge generated
129 * by generateChallenge().
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]130 *
131 * Clients must call this method once enrollment is complete, and the user's
132 * face template no longer needs to be updated.
133 *
134 * @return status The status of this method call.
135 */
136 @callflow(next={"authenticate", "setActiveUser", "enumerate", "remove"})
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]137 revokeChallenge() generates (Status status);
138
139 /**
140 * Requires that all subsequent authenticate calls to first have the
141 * user's attention. This method does not affect enroll, which has its
142 * own requireAttention parameter.
143 *
144 * Changes the state of previous enrollment setting. Because this may
145 * decrease security, the user must enter their password before this method
146 * is invoked (see @param HAT). The driver must verify the HAT before
147 * changing the requireAttention state.
148 * Note: In some cases it may not be possible to change the state of this
149 * flag without re-enrolling. For example, if the user didn't provide
150 * attention during the original enrollment. This flag reflects the same
151 * persistent state as the one passed to enroll().
152 *
153 * @param requireAttention When set to true, requires user attention for
154 * authentication to succeed.
155 * @param hat A valid Hardware Authentication Token, generated as a result
156 * of getChallenge().
157 * @return status The status of this method call.
158 */
159 setRequireAttention(bool requireAttention, vec<uint8_t> hat)
160 generates(Status status);
161
162 /**
163 * Retrieves the current requireAttention state.
164 *
165 * @return result, with its value parameter representing the current
166 * requireAttention state.
167 */
168 getRequireAttention(vec<uint8_t> hat) generates (OptionalBool result);
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]169
170 /**
171 * Returns an identifier associated with the current face set.
172 *
173 * The authenticator ID must change whenever a new face is enrolled. The
174 * authenticator ID must not be changed when a face is deleted. The
175 * authenticator ID must be an entropy-encoded random number which all
176 * current templates are tied to. The authenticator ID must be immutable
177 * outside of an active enrollment window to prevent replay attacks.
178 *
179 * @return result, with its value parameter representing an
180 * "authenticatorId": an identifier associated to the user's current
181 * face enrollment.
182 */
183 @callflow(next={"authenticate"})
184 getAuthenticatorId() generates (OptionalUint64 result);
185
186 /**
187 * Cancels a pending enrollment or authentication request.
188 *
189 * @return status The status of this method call.
190 */
191 @callflow(next={"authenticate", "enroll", "enumerate", "remove",
192 "setActiveUser"})
193 cancel() generates (Status status);
194
195 /**
196 * Enumerates all face templates associated with the active user.
197 *
198 * The onEnumerate() callback method is invoked once for each face template
199 * found.
200 *
201 * @return status The status of this method call.
202 */
203 @callflow(next={"remove", "enroll", "authenticate", "setActiveUser"})
204 enumerate() generates (Status status);
205
206 /**
207 * Removes a face template or all face templates associated with the active
208 * user.
209 *
210 * This method triggers the IBiometricsFaceClientCallback#onRemoved() method.
211 *
212 * @param faceId The id correpsonding to the face to be removed; or 0 if all
213 * faces are to be removed.
214 * @return status The status of this method call.
215 */
216 @callflow(next={"enumerate", "authenticate", "cancel", "getAuthenticatorId",
217 "setActiveUser"})
218 remove(uint32_t faceId) generates (Status status);
219
220 /**
221 * Authenticates the active user.
222 *
223 * An optional operationId can be specified as a token from the transaction
224 * being authorized.
225 *
226 * @param operationId A non-zero operation id associated with a crypto
227 * object instance; or 0 if not being used.
228 * @return status The status of this method call.
229 */
Kevin Chynaf5d0a62018-08-31 16:06:43 -0700[diff] [blame^]230 @callflow(next={"cancel", "generateChallenge", "remove"})
Zachary Iqbal1f700742018-04-24 23:42:21 -0700[diff] [blame]231 authenticate(uint64_t operationId) generates (Status status);
232};