| Ilya Matyukhin | 69d1d66 | 2020-03-25 17:14:12 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2019 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package android.hardware.biometrics.face@1.1; |
| Ilya Matyukhin | 35e8d37 | 2020-03-25 17:17:56 -0700 | [diff] [blame] | 18 | |
| Ilya Matyukhin | 69d1d66 | 2020-03-25 17:14:12 -0700 | [diff] [blame] | 19 | import @1.0::IBiometricsFace; |
| 20 | import @1.0::Status; |
| 21 | import @1.0::Feature; |
| 22 | |
| 23 | /** |
| 24 | * The HAL interface for biometric face authentication. |
| 25 | */ |
| 26 | interface IBiometricsFace extends @1.0::IBiometricsFace { |
| 27 | /** |
| 28 | * Enrolls a user's face for a remote client, for example Android Auto. |
| 29 | * |
| 30 | * The HAL implementation is responsible for creating a secure communication |
| 31 | * channel and receiving the enrollment images from a mobile device with |
| 32 | * face authentication hardware. |
| 33 | * |
| 34 | * Note that the Hardware Authentication Token must be valid for the |
| 35 | * duration of enrollment and thus should be explicitly invalidated by a |
| 36 | * call to revokeChallenge() when enrollment is complete, to reduce the |
| 37 | * window of opportunity to re-use the challenge and HAT. For example, |
| 38 | * Settings calls generateChallenge() once to allow the user to enroll one |
| 39 | * or more faces or toggle secure settings without having to re-enter the |
| 40 | * PIN/pattern/password. Once the user completes the operation, Settings |
| 41 | * invokes revokeChallenge() to close the transaction. If the HAT is expired, |
| 42 | * the implementation must invoke onError with UNABLE_TO_PROCESS. |
| 43 | * |
| 44 | * Requirements for using this API: |
| 45 | * - Mobile devices MUST NOT delegate enrollment to another device by calling |
| 46 | * this API. This feature is intended only to allow enrollment on devices |
| 47 | * where it is impossible to enroll locally on the device. |
| 48 | * - The path MUST be protected by a secret key with rollback protection. |
| 49 | * - Synchronizing between devices MUST be accomplished by having both |
| 50 | * devices agree on a secret PIN entered by the user (similar to BT |
| 51 | * pairing procedure) and use a salted version of that PIN plus other secret |
| 52 | * to encrypt traffic. |
| 53 | * - All communication to/from the remote device MUST be encrypted and signed |
| 54 | * to prevent image injection and other man-in-the-middle type attacks. |
| 55 | * - generateChallenge() and revokeChallenge() MUST be implemented on both |
| 56 | * remote and local host (e.g. hash the result of the remote host with a |
| 57 | * local secret before responding to the API call) and any transmission of |
| 58 | * the challenge between hosts MUST be signed to prevent man-in-the-middle |
| 59 | * attacks. |
| 60 | * - In the event of a lost connection, the result of the last |
| 61 | * generateChallenge() MUST be invalidated and the process started over. |
| 62 | * - Both the remote and local host MUST honor the timeout and invalidate the |
| 63 | * challenge. |
| 64 | * |
| 65 | * This method triggers the IBiometricsFaceClientCallback#onEnrollResult() |
| 66 | * method. |
| 67 | * |
| 68 | * @param hat A valid Hardware Authentication Token, generated as a result |
| 69 | * of a generateChallenge() challenge being wrapped by the gatekeeper |
| 70 | * after a successful strong authentication request. |
| 71 | * @param timeoutSec A timeout in seconds, after which this enroll |
| 72 | * attempt is cancelled. Note that the framework can continue |
| 73 | * enrollment by calling this again with a valid HAT. This timeout is |
| 74 | * expected to be used to limit power usage if the device becomes idle |
| 75 | * during enrollment. The implementation is expected to send |
| 76 | * ERROR_TIMEOUT if this happens. |
| 77 | * @param disabledFeatures A list of features to be disabled during |
| 78 | * enrollment. Note that all features are enabled by default. |
| 79 | * @return status The status of this method call. |
| 80 | */ |
| Ilya Matyukhin | 35e8d37 | 2020-03-25 17:17:56 -0700 | [diff] [blame] | 81 | enrollRemotely(vec<uint8_t> hat, uint32_t timeoutSec, vec<Feature> disabledFeatures) |
| 82 | generates (Status status); |
| 83 | |
| 84 | /** |
| 85 | * Enrolls a user's face. |
| 86 | * |
| 87 | * Note that the Hardware Authentication Token must be valid for the |
| 88 | * duration of enrollment and thus should be explicitly invalidated by a |
| 89 | * call to revokeChallenge() when enrollment is complete, to reduce the |
| 90 | * window of opportunity to re-use the challenge and HAT. For example, |
| 91 | * Settings calls generateChallenge() once to allow the user to enroll one |
| 92 | * or more faces or toggle secure settings without having to re-enter the |
| 93 | * PIN/pattern/password. Once the user completes the operation, Settings |
| 94 | * invokes revokeChallenge() to close the transaction. If the HAT is expired, |
| 95 | * the implementation must invoke onError with UNABLE_TO_PROCESS. |
| 96 | * |
| 97 | * This method triggers the IBiometricsFaceClientCallback#onEnrollResult() |
| 98 | * method. |
| 99 | * |
| 100 | * @param hat A valid Hardware Authentication Token, generated as a result |
| 101 | * of a generateChallenge() challenge being wrapped by the gatekeeper |
| 102 | * after a successful strong authentication request. |
| 103 | * @param timeoutSec A timeout in seconds, after which this enroll |
| 104 | * attempt is cancelled. Note that the framework can continue |
| 105 | * enrollment by calling this again with a valid HAT. This timeout is |
| 106 | * expected to be used to limit power usage if the device becomes idle |
| 107 | * during enrollment. The implementation is expected to send |
| 108 | * ERROR_TIMEOUT if this happens. |
| 109 | * @param disabledFeatures A list of features to be disabled during |
| 110 | * enrollment. Note that all features are enabled by default. |
| 111 | * @param windowId optional ID of a camera preview window for a |
| 112 | * single-camera device. Must be null if not used. |
| 113 | * @return status The status of this method call. |
| 114 | */ |
| 115 | enroll_1_1(vec<uint8_t> hat, uint32_t timeoutSec, vec<Feature> disabledFeatures, |
| 116 | handle windowId) generates (Status status); |
| Ilya Matyukhin | 69d1d66 | 2020-03-25 17:14:12 -0700 | [diff] [blame] | 117 | }; |