-rw-r--r-- | include/hardware/fingerprint.h | 109 | ||||
-rw-r--r-- | include/hardware/keymaster.h | 22 | ||||
-rw-r--r-- | include/hardware/keymaster_defs.h | 25 | ||||
-rw-r--r-- | modules/fingerprint/fingerprint.c | 24 |
4 files changed, 132 insertions, 48 deletions
diff --git a/include/hardware/fingerprint.h b/include/hardware/fingerprint.h index 458ca2d..69307fe 100644 --- a/include/hardware/fingerprint.h +++ b/include/hardware/fingerprint.h @@ -18,6 +18,7 @@ #define ANDROID_INCLUDE_HARDWARE_FINGERPRINT_H #define FINGERPRINT_MODULE_API_VERSION_1_0 HARDWARE_MODULE_API_VERSION(1, 0) +#define FINGERPRINT_MODULE_API_VERSION_2_0 HARDWARE_MODULE_API_VERSION(2, 0) #define FINGERPRINT_HARDWARE_MODULE_ID "fingerprint" typedef enum fingerprint_msg_type { @@ -25,7 +26,8 @@ typedef enum fingerprint_msg_type { FINGERPRINT_ACQUIRED = 1, FINGERPRINT_PROCESSED = 2, FINGERPRINT_TEMPLATE_ENROLLING = 3, - FINGERPRINT_TEMPLATE_REMOVED = 4 + FINGERPRINT_TEMPLATE_REMOVED = 4, + FINGERPRINT_AUTHENTICATED = 5 } fingerprint_msg_type_t; typedef enum fingerprint_error { 
@@ -39,36 +41,53 @@ typedef enum fingerprint_acquired_info { FINGERPRINT_ACQUIRED_GOOD = 0, FINGERPRINT_ACQUIRED_PARTIAL = 1, FINGERPRINT_ACQUIRED_INSUFFICIENT = 2, - FINGERPRINT_ACQUIRED_IMAGER_DIRTY = 4, - FINGERPRINT_ACQUIRED_TOO_SLOW = 8, - FINGERPRINT_ACQUIRED_TOO_FAST = 16 + FINGERPRINT_ACQUIRED_IMAGER_DIRTY = 3, + FINGERPRINT_ACQUIRED_TOO_SLOW = 4, + FINGERPRINT_ACQUIRED_TOO_FAST = 5, + FINGERPRINT_ACQUIRED_VENDOR_DEFINED = 6 } fingerprint_acquired_info_t; +typedef struct fingerprint_finger_id { + uint32_t gid; + uint32_t fid; +} fingerprint_finger_id_t; + +/* The progress indication may be augmented by a bitmap encoded indication +* of what finger area is considered as collected. +* Bit numbers mapped to physical location: +* +* distal +* +--+--+--+--+--+ +* | 4| 3| 2| 1| 0| +* | 9| 8| 7| 6| 5| +* medial |14|13|12|11|10| lateral +* |19|18|17|16|15| +* |24|23|22|21|20| +* +--+--+--+--+--+ +* proximal +* +*/ +typedef uint32_t finger_map_bmp; + +typedef enum fingerprint_enroll_msg_type { + FINGERPRINT_ENROLL_MSG_NONE = 0, + FINGERPRINT_ENROLL_MSG_PREDEFINED = 1, /* TODO: define standard enroll cues */ + FINGERPRINT_ENROLL_MSG_BITMAP = 2, /* typeof(fingerprint_enroll.msg) == *finger_map_bmp */ + FINGERPRINT_ENROLL_MSG_VENDOR = 3 +} fingerprint_enroll_msg_type_t; + typedef struct fingerprint_enroll { - uint32_t id; + fingerprint_finger_id_t finger; + uint32_t samples_remaining; /* samples_remaining goes from N (no data collected, but N scans needed) - * to 0 (no more data is needed to build a template). - * The progress indication may be augmented by a bitmap encoded indication - * of finger area that needs to be presented by the user. - * Bit numbers mapped to physical location: - * - * distal - * +-+-+-+ - * |2|1|0| - * |5|4|3| - * medial |8|7|6| lateral - * |b|a|9| - * |e|d|c| - * +-+-+-+ - * proximal - * - */ - uint16_t data_collected_bmp; - uint16_t samples_remaining; + * to 0 (no more data is needed to build a template). 
*/ + fingerprint_enroll_msg_type_t msg_type; + size_t msg_size; + void *msg; } fingerprint_enroll_t; typedef struct fingerprint_removed { - uint32_t id; + fingerprint_finger_id_t finger; } fingerprint_removed_t; typedef struct fingerprint_acquired { @@ -76,18 +95,29 @@ typedef struct fingerprint_acquired { } fingerprint_acquired_t; typedef struct fingerprint_processed { - uint32_t id; /* 0 is a special id and means no match */ + fingerprint_finger_id_t finger; /* all 0s is a special case and means no match */ } fingerprint_processed_t; +typedef struct fingerprint_authenticated { + uint32_t user_id; + uint32_t auth_id; + uint32_t timestamp; + uint32_t app_id; + uint64_t crypto_op_id; + uint8_t hmac[16]; /* 128-bit */ + uint32_t auth_token_size; + uint8_t *auth_token; +} fingerprint_authenticated_t; + typedef struct fingerprint_msg { fingerprint_msg_type_t type; union { - uint64_t raw; fingerprint_error_t error; fingerprint_enroll_t enroll; fingerprint_removed_t removed; fingerprint_acquired_t acquired; fingerprint_processed_t processed; + fingerprint_authenticated_t authenticated; } data; } fingerprint_msg_t; @@ -111,12 +141,14 @@ typedef struct fingerprint_device { * (fingerprint_msg.type == FINGERPRINT_TEMPLATE_ENROLLING && * fingerprint_msg.data.enroll.samples_remaining == 0) * or after timeout_sec seconds. + * The fingerprint template will be assigned to the group gid. User has a choice + * to supply the gid or set it to 0 in which case a unique group id will be generated. * * Function return: 0 if enrollment process can be successfully started * -1 otherwise. A notify() function may be called * indicating the error condition. */ - int (*enroll)(struct fingerprint_device *dev, uint32_t timeout_sec); + int (*enroll)(struct fingerprint_device *dev, uint32_t gid, uint32_t timeout_sec); /* * Cancel fingerprint enroll request: 
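Review bot: The new `void *msg` / `size_t msg_size` pair in `fingerprint_enroll_t` has no stated ownership or lifetime, and nothing ties `msg_size` to `msg_type`. A consumer that sees `FINGERPRINT_ENROLL_MSG_BITMAP` has to dereference `msg` as a `finger_map_bmp`, so the header should spell out the check it expects, for example `/* msg is valid only for the duration of notify(); for FINGERPRINT_ENROLL_MSG_BITMAP, msg_size must equal sizeof(finger_map_bmp) */`, if that is the intended contract. The same hunk renumbers `FINGERPRINT_ACQUIRED_IMAGER_DIRTY`, `FINGERPRINT_ACQUIRED_TOO_SLOW` and `FINGERPRINT_ACQUIRED_TOO_FAST` from 4/8/16 to 3/4/5, so the value 4 changes meaning for anything built against the old header. A one-line comment saying the values are no longer bit flags would help implementers.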
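Review bot: `fingerprint_authenticated_t` carries a 16-byte `hmac` next to a separate `auth_token` / `auth_token_size` pair, but nothing says which fields the HMAC covers, which key it is computed with, or who is expected to verify it. Without that, a receiver cannot tell whether `user_id`, `auth_id`, `timestamp`, `app_id` and `crypto_op_id` are integrity-protected or only advisory. I would add a block comment above the struct stating the MAC input (field order and byte order), the unit and clock of `timestamp`, and the ownership and maximum size of `auth_token`. The hunk also removes `uint64_t raw` from the `data` union, which existing users of `data.raw` will only discover at compile time.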
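Review bot: The added enroll() text makes gid 0 mean "generate a unique group id", but it does not say how the caller learns the generated id or whether a caller-supplied gid is checked against anything. Zero is already a sentinel elsewhere in this header (`all 0s is a special case and means no match`), and later hunks in this commit use gid 0 for "global operation" and for whole-database removal. I would extend the comment with something like `* The gid actually used is reported in fingerprint_msg.data.enroll.finger.gid.`, if that is the intended channel, and state that 0 is reserved and never assigned to a real group. The comment block and `struct fingerprint_device` both continue outside the hunk.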
@@ -133,7 +165,9 @@ typedef struct fingerprint_device { /* * Fingerprint remove request: * deletes a fingerprint template. - * If the fingerprint id is 0 the entire template database will be removed. + * If the fingerprint id is 0 and the group is 0 then the entire template + * database will be removed. A combinaiton of fingerprint id 0 and a valid + * group id deletes all fingreprints in that group. * notify() will be called for each template deleted with * fingerprint_msg.type == FINGERPRINT_TEMPLATE_REMOVED and * fingerprint_msg.data.removed.id indicating each template id removed. @@ -141,7 +175,24 @@ typedef struct fingerprint_device { * Function return: 0 if fingerprint template(s) can be successfully deleted * -1 otherwise. */ - int (*remove)(struct fingerprint_device *dev, uint32_t fingerprint_id); + int (*remove)(struct fingerprint_device *dev, fingerprint_finger_id_t finger); + + /* + * Restricts the HAL operation to a set of fingerprints belonging to a + * group provided. Gid of 0 signals global operation. + * + * Function return: 0 on success + * -1 if the group does not exist. + */ + int (*set_active_group)(struct fingerprint_device *dev, uint32_t gid); + + /* + * Authenticates an operation identifed by operation_id + * + * Function return: 0 on success + * -1 if the size is out of bounds. + */ + int (*authenticate)(struct fingerprint_device *dev, uint64_t operation_id); /* * Set notification callback: diff --git a/include/hardware/keymaster.h b/include/hardware/keymaster.h index 40380ad..db66a74 100644 --- a/include/hardware/keymaster.h +++ b/include/hardware/keymaster.h 
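Review bot: With this wording an all-zero `fingerprint_finger_id_t` is the wipe-everything wildcard, and that is exactly what a zero-initialised or `memset` struct looks like, so a caller that forgets to fill in the argument to remove() deletes the whole template database. The comment should say so explicitly, for example `* WARNING: {gid 0, fid 0} removes every template; callers must never pass a default-initialised id.` The unchanged line below still refers to `fingerprint_msg.data.removed.id`, but this commit renames that field, so it should read `fingerprint_msg.data.removed.finger`. The added lines also contain the typos "combinaiton" and "fingreprints".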
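Review bot: The return documentation for authenticate() says `-1 if the size is out of bounds`, but the function takes only `dev` and `operation_id`, so there is no size to check; the line reads as if it was copied from another entry. The comment should list the real failure conditions and say how the result is delivered, presumably a notify() with `fingerprint_msg.type == FINGERPRINT_AUTHENTICATED`, which needs confirming. For set_active_group(), `Gid of 0 signals global operation` means any caller able to reach the HAL can lift the group restriction by passing 0. If that is meant to be limited to a privileged caller, the comment should state who enforces it. "identifed" is a typo for "identified".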
@@ -534,8 +534,8 @@ struct keymaster_device { * \param[in] params Additional parameters for the operation. This is typically used to provide * client ID information, with tags KM_TAG_APPLICATION_ID and KM_TAG_APPLICATION_DATA. If the * client information associated with the key is not provided, begin() will fail and return - * KM_ERROR_INVALID_KEY_BLOB. Less commonly, \params can be used to provide AEAD additional - * data and chunk size with KM_TAG_ADDITIONAL_DATA or KM_TAG_CHUNK_SIZE respectively. + * KM_ERROR_INVALID_KEY_BLOB. For operations that require a nonce or IV, this must contain a + * tag KM_TAG_NONCE. For AEAD operations KM_TAG_CHUNK_SIZE is specified here. * * \param[in] params_count The number of entries in \p params. * @@ -569,6 +569,11 @@ struct keymaster_device { * * \param[in] operation_handle The operation handle returned by begin(). * + * \param[in] params Additional parameters for the operation. For AEAD modes, this is used to + * specify KM_TAG_ADDITIONAL_DATA. + * + * \param[in] params_count Length of \p params. + * * \param[in] input Data to be processed, per the parameters established in the call to begin(). * Note that update() may or may not consume all of the data provided. See \p data_consumed. * @@ -589,9 +594,10 @@ struct keymaster_device { * *output may be either NULL or zero-length (so the caller should always free() it). */ keymaster_error_t (*update)(const struct keymaster_device* dev, - keymaster_operation_handle_t operation_handle, const uint8_t* input, - size_t input_length, size_t* input_consumed, uint8_t** output, - size_t* output_length); + keymaster_operation_handle_t operation_handle, + const keymaster_key_param_t* params, size_t params_count, + const uint8_t* input, size_t input_length, size_t* input_consumed, + uint8_t** output, size_t* output_length); /** * Finalizes a cryptographic operation begun with begin() and invalidates operation_handle 
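Review bot: The rewritten begin() text names `KM_TAG_CHUNK_SIZE`, but the tag defined in keymaster_defs.h in this same commit is `KM_TAG_CHUNK_LENGTH`; the sentence should read `For AEAD operations KM_TAG_CHUNK_LENGTH is specified here.` The new requirement that `params` "must contain a tag KM_TAG_NONCE" also leaves its interaction with `KM_TAG_CALLER_NONCE` ("Allow caller to specify nonce or IV") unstated. The comment should say whether begin() fails when a nonce is supplied for a key without that authorization, and where an implementation-generated nonce is returned, because nonce reuse under the same key is what that flag appears designed to prevent.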
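Review bot: The new `\param[in] params` text for update() refers to `KM_TAG_ADDITIONAL_DATA`, which this commit renames to `KM_TAG_ASSOCIATED_DATA` in keymaster_defs.h; the finish() hunk at -602,6 carries the same stale name. Both should read `specify KM_TAG_ASSOCIATED_DATA`. It would also help to document whether `params` may be NULL when `params_count` is 0, and whether associated data supplied after some input has already been processed is rejected, since AEAD modes generally need all associated data before the payload.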
@@ -602,6 +608,11 @@ struct keymaster_device { * \param[in] operation_handle The operation handle returned by begin(). This handle will be * invalidated. * + * \param[in] params Additional parameters for the operation. For AEAD modes, this is used to + * specify KM_TAG_ADDITIONAL_DATA. + * + * \param[in] params_count Length of \p params. + * * \param[in] signature The signature to be verified if the purpose specified in the begin() * call was KM_PURPOSE_VERIFY. * @@ -617,6 +628,7 @@ struct keymaster_device { */ keymaster_error_t (*finish)(const struct keymaster_device* dev, keymaster_operation_handle_t operation_handle, + const keymaster_key_param_t* params, size_t params_count, const uint8_t* signature, size_t signature_length, uint8_t** output, size_t* output_length); diff --git a/include/hardware/keymaster_defs.h b/include/hardware/keymaster_defs.h index 770c66e..9c6ad9d 100644 --- a/include/hardware/keymaster_defs.h +++ b/include/hardware/keymaster_defs.h 
@@ -102,15 +102,16 @@ typedef enum { */ /* Crypto parameters */ - KM_TAG_PURPOSE = KM_ENUM_REP | 1, /* keymaster_purpose_t. */ - KM_TAG_ALGORITHM = KM_ENUM | 2, /* keymaster_algorithm_t. */ - KM_TAG_KEY_SIZE = KM_INT | 3, /* Key size in bits. */ - KM_TAG_BLOCK_MODE = KM_ENUM | 4, /* keymaster_block_mode_t. */ - KM_TAG_DIGEST = KM_ENUM | 5, /* keymaster_digest_t. */ - KM_TAG_MAC_LENGTH = KM_INT | 6, /* MAC length in bits. */ - KM_TAG_PADDING = KM_ENUM | 7, /* keymaster_padding_t. */ - KM_TAG_CHUNK_LENGTH = KM_INT | 8, /* AEAD mode minimum decryption chunk size, in bytes. */ - KM_TAG_CALLER_NONCE = KM_BOOL | 9, /* Allow caller to specify nonce or IV. */ + KM_TAG_PURPOSE = KM_ENUM_REP | 1, /* keymaster_purpose_t. */ + KM_TAG_ALGORITHM = KM_ENUM | 2, /* keymaster_algorithm_t. */ + KM_TAG_KEY_SIZE = KM_INT | 3, /* Key size in bits. */ + KM_TAG_BLOCK_MODE = KM_ENUM | 4, /* keymaster_block_mode_t. */ + KM_TAG_DIGEST = KM_ENUM | 5, /* keymaster_digest_t. */ + KM_TAG_MAC_LENGTH = KM_INT | 6, /* MAC length in bits. */ + KM_TAG_PADDING = KM_ENUM | 7, /* keymaster_padding_t. */ + KM_TAG_RETURN_UNAUTHED = KM_BOOL | 8, /* Allow AEAD decryption to return plaintext before it has + been authenticated. WARNING: Not recommended. */ + KM_TAG_CALLER_NONCE = KM_BOOL | 9, /* Allow caller to specify nonce or IV. */ /* Other hardware-enforced. */ KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101, /* Tags authorized for addition via rescoping. */ 
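Review bot: `KM_TAG_RETURN_UNAUTHED = KM_BOOL | 8` takes over the number 8 that `KM_TAG_CHUNK_LENGTH` (`KM_INT | 8`) held until this commit. The type bits differ, so the full tag values presumably do not collide, but anything that matches on the low tag number alone, or a key description written with the old header, could have a chunk length read as permission to release unauthenticated plaintext; a previously unused number would avoid that. The comment should also say where the tag is honoured, for example `Only effective when bound to the key at generation or import; must be ignored if supplied solely as an operation parameter.`, if that is the intent. The enum continues outside the hunk.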
@@ -173,9 +174,11 @@ typedef enum { KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704, /* Root of trust ID. Empty array means usable by all roots. */ - /* Tags used only to provide data to operations */ - KM_TAG_ADDITIONAL_DATA = KM_BYTES | 1000, /* Used to provide additional data for AEAD modes. */ + /* Tags used only to provide data to or receive data from operations */ + KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000, /* Used to provide associated data for AEAD modes. */ KM_TAG_NONCE = KM_BYTES | 1001, /* Nonce or Initialization Vector */ + KM_TAG_CHUNK_LENGTH = KM_INT | 1002, /* AEAD mode chunk size, in bytes. 0 means no limit, + which requires KM_TAG_RETURN_UNAUTHED. */ } keymaster_tag_t; /** diff --git a/modules/fingerprint/fingerprint.c b/modules/fingerprint/fingerprint.c index 0346518..091d7ba 100644 --- a/modules/fingerprint/fingerprint.c +++ b/modules/fingerprint/fingerprint.c @@ -33,12 +33,27 @@ static int fingerprint_close(hw_device_t *dev) } static int fingerprint_enroll(struct fingerprint_device __unused *dev, + uint32_t __unused gid, uint32_t __unused timeout_sec) { return FINGERPRINT_ERROR; } +static int fingerprint_enroll_cancel(struct fingerprint_device __unused *dev) { + return FINGERPRINT_ERROR; +} + static int fingerprint_remove(struct fingerprint_device __unused *dev, - uint32_t __unused fingerprint_id) { + fingerprint_finger_id_t __unused fingerprint_id) { + return FINGERPRINT_ERROR; +} + +static int fingerprint_set_active_group(struct fingerprint_device __unused *dev, + uint32_t __unused gid) { + return FINGERPRINT_ERROR; +} + +static int fingerprint_authenticate(struct fingerprint_device __unused *dev, + uint64_t __unused operation_id) { return FINGERPRINT_ERROR; } 
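Review bot: The `KM_TAG_CHUNK_LENGTH` comment says a value of 0 "requires KM_TAG_RETURN_UNAUTHED", but now that the tag sits among the per-operation tags it does not say what happens when a caller passes 0 for a key that lacks that authorization. I would make the enforcement explicit, for example `begin() must fail if 0 is given and the key does not carry KM_TAG_RETURN_UNAUTHED.` The comment should also say what applies when the tag is omitted entirely, so that "no limit" cannot be reached by simply leaving it out. The enum's opening is outside the hunk.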
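Review bot: The new stubs return `FINGERPRINT_ERROR`, while fingerprint.h documents enroll(), remove(), set_active_group() and authenticate() as returning 0 or -1. The definition of `FINGERPRINT_ERROR` is not in this diff; if it is the `fingerprint_msg_type` enumerator, a message-type constant is being used as a status code and only matches the contract while its value happens to be -1. Returning a literal `-1` would keep the demo HAL aligned with the header; a comment such as `/* not implemented: always fails */` would also make clear that `fingerprint_authenticate` fails closed by design. `fingerprint_remove` still names its parameter `fingerprint_id` although its type is now `fingerprint_finger_id_t`, and the header calls it `finger`.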
@@ -61,12 +76,15 @@ static int fingerprint_open(const hw_module_t* module, const char __unused *id, memset(dev, 0, sizeof(fingerprint_device_t)); dev->common.tag = HARDWARE_DEVICE_TAG; - dev->common.version = HARDWARE_MODULE_API_VERSION(1, 0); + dev->common.version = FINGERPRINT_MODULE_API_VERSION_2_0; dev->common.module = (struct hw_module_t*) module; dev->common.close = fingerprint_close; dev->enroll = fingerprint_enroll; + dev->enroll_cancel = fingerprint_enroll_cancel; dev->remove = fingerprint_remove; + dev->set_active_group = fingerprint_set_active_group; + dev->authenticate = fingerprint_authenticate; dev->set_notify = set_notify_callback; dev->notify = NULL; @@ -81,7 +99,7 @@ static struct hw_module_methods_t fingerprint_module_methods = { fingerprint_module_t HAL_MODULE_INFO_SYM = { .common = { .tag = HARDWARE_MODULE_TAG, - .module_api_version = FINGERPRINT_MODULE_API_VERSION_1_0, + .module_api_version = FINGERPRINT_MODULE_API_VERSION_2_0, .hal_api_version = HARDWARE_HAL_API_VERSION, .id = FINGERPRINT_HARDWARE_MODULE_ID, .name = "Demo Fingerprint HAL", |