[TRACKING] Fingerprint scanner compatibility with linux (ubuntu, fedora, etc)

Just wanted to explain what is going on here. Finger print readers do have their own onboard storage. In most cases they take a black and white 256x288 resolution picture of your finger when you present it. When you present your finger multiple times during the enrolling process it’s actually taking another, and another, and another picture of your finger from different angles. So it’s actually storing anywhere 10x256x288@8bit pictures each finger you enroll. That’s ~74kB for each picture 10 times for a total of around ~750kB for each person. Each scanner has about ~150 slots available for around ~11059200bytes of memory (~11MB).

The 256x288 is enough resolution to give a 1 in 100,000 incidental access. The different angles help is so when you place your finger on the scanner as long as it’s close to how you enrolled it it should accept it. So, pretty good. Depending on the time out of the sensor, it would take many, years to get into a device unless someone had a finger print that was fairly close to yours.

Now there are commands that can be sent directly to the fingerprint sensor itself. Indeed the sensor has a microcontroller that runs the whole show. It’s very much like an RP2040, just beefed up to handle image processing so it might be an M3 core and not an M0 core like the RP2040. This little bit of extra processing power and Instruction Set Architecture extensions makes is so the sensor isn’t painfully slow when processing your finger print.

When you enroll your finger, the OS sends the enroll command to the device. Normally for safes, 1 finger gets one image and that’s it. There is ether custom firmware or custom software sitting on top of this whole software stack that’s assigning 10 images to one person. When you present your finger to the scanner, it will send a message to the system saying that the finger matched this image ID and it’s confidence in that match, or it didn’t match at all. It’s up to the OS to accept a threshold of confidence as well as the firmware. For example it could be programmed so that the currently logged in user would allow for a lower level of confidence on their finger print acquisitions because that user is already signed into the computer. It makes for a better user experience without much cost to security. Whereas a threshold of confidence might be 99% that it’s the same image for logins, it only needs to be 90% for re-acquisitions and privilege escalations for the current user.

It should be noted that unless the finger print messages are signed to the host, they can be spoofed. The hardware that is acquiring the finger prints really must also have a hardware root of trust and be able to attest that "I am the same device that you’ve been talking to all along and you can prove that by checking my signature attached to this report with my public key. Otherwise replay attacks may occur.

If you are more interested in the topic, you can checkout Adafruit’s website where they sell some finger print scanners to play around with on Microcontrollers as well as including guides on how to get up and running with it.

I take it you enrolled different fingers on each OS? If you enrolled the same finger it might just be a lucky happenstance that you clobbered the same IDs that the other OS was using. I’d be intrested to see what order you enrolled in on what OS. Maybe windows sets the tone sand say "This is the first finger print image, and so you finger print scanner ARE going to put this into fingerPrintImageSlot 1. As the other OS was also using finger print image slot one for it’s print of you on it’s side the fact that it clobbered the image with another image of your same finger it didn’t actually matter.

Kind of yes. As Craig’s report where multiple OSes are using the same finger print database it clearly can be done, but the quirks of implementations are what it comes down to. Whereas fingerprintd will reject a similar enrollment as it seems to always want to use the next available slot and not clobber previous items. It’s being a kind citizen. I have a theory that Craig enrolled on Linux (Or “Other OS”) first and Windows said “Oh, Surely I’m the only OS that wants to use this hardware, and I don’t see any fingerprints enrolled in my database, so we are going to start indexing these finger prints from one all over again, previous images be damned.”

8 Likes

Thanks for contributing this. I’d reinstalled Fedora 36 after messing up initial install. Only thing not working was fingerprint reader. Ran your scipt. Now all works.

Should be ‘Framework official guide’ for this.

(12th Gen Batch 1)

1 Like

Thank you for your detailed explanation! I understand how it works a lot better now.

When I first got my Framework I dual-booted between Windows and Ubuntu. I first enrolled on Windows, and it worked fine. I was unable to enroll on Ubuntu – it just couldn’t seem to initialize the fingerprint reader.

Later I scrapped my Ubuntu partition and gave the whole SSD to Windows. I bought a 256GB expansion card and loaded the same version of Ubuntu on it. When I booted to Ubuntu from the card, I was able to enroll with the fingerprint scanner and now it works fine on both OSs.

So it seems my guess about an OS “owning” the scanner was wrong. But I don’t have any other explanation for the behavior. :man_shrugging:

Thanks again for explaining how it works! It was a really interesting read.

Craig

1 Like

Thank you good sir! This did the trick!

1 Like

Like many other thank yous, this worked for me - even when the other Python script wouldn’t. I’m on Arch Linux, with standard installs of fprintd / libfprint - but the Goodix reader had fingerprints from prior OSes saved. After running your AppImage I was able to use GNOME settings and add fingerprints thru the user accounts section of settings.

THANKS.

For those on nixos, you can use the python script below (Found in a post by Kani on framework discord)

#!/usr/bin/env python3

import gi
gi.require_version('FPrint', '2.0')
from gi.repository import FPrint

ctx = FPrint.Context()

for dev in ctx.get_devices():
    print(dev)
    print(dev.get_driver())
    print(dev.props.device_id);

    dev.open_sync()

    dev.clear_storage_sync()
    print("All prints deleted.")

    dev.close_sync()

Run it as root via

nix-shell -p gobject-introspection -p libfprint -p gusb -p 'python3.withPackages (p: with p; [pygobject3])' --run ./fprintclear.py

Note there are no args/options. It will immediately delete all other OS fingerprints

6 Likes

Thanks a lot for posting this here. I was close to just going back to Arch after two days of NixOS until I tried this. Never got the python script to work with flake/shell.nix & this magically worked!

@Shy_Guy I’m not an expert in Python, and tried execute your script in Fedora and this is what I got.


[auser@fedora ~]$ sudo ./fprintclear.py 
[sudo] password for auser: 
<__gi__.FpiDeviceElanmoc object at 0x7f059f1d7080 (FpiDeviceElanmoc at 0x556ee70611b0)>
elanmoc
0
libusb: error [udev_hotplug_event] ignoring udev action change
libusb: error [udev_hotplug_event] ignoring udev action change
Traceback (most recent call last):
  File "/home/auser/./fprintclear.py", line 16, in <module>
    dev.clear_storage_sync()
gi.repository.GLib.GError: fp - device - error - quark: Device doesn't support clearing storage. (1)
libusb: warning [libusb_exit] device 3.4 still referenced
libusb: warning [libusb_exit] device 3.1 still referenced
libusb: warning [libusb_exit] application left some devices open

(process:11227): libfprint-device-WARNING **: 10:07:14.612: User destroyed open device! Not cleaning up properly!
[auser@fedora ~]$ 

The fingerprint device I have is Elan

[auser@fedora ~]$ lsusb | grep -i elan
Bus 003 Device 004: ID xxxx:xxxx Elan Microelectronics Corp. ELAN:ARM-M4
[auser@fedora ~]$ 

I have tried to make fingerprint in Ubuntu 22.04, Ubuntu 22.10 and Fedora 37 it doesn’t work anywhere. The python script provided by @Shy_Guy only tried in Fedora.

apt list fprintd -a

Listing... Done

fprintd/jammy-updates,now 1.94.2-1ubuntu0.22.04.1 amd64 [installed]

fprintd/jammy 1.94.2-1 amd64
root@alaptop:/home/auser# apt-get install fprintd=1.94.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libfprint-2-2
The following NEW packages will be installed:
  fprintd libfprint-2-2
0 to upgrade, 2 to newly install, 0 to remove and 1 not to upgrade.
Need to get 386 kB of archives.
After this operation, 1,507 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://au.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libfprint-2-2 amd64 1:1.94.3+tod1-0ubuntu2~22.04.03 [288 kB]
Get:2 http://au.archive.ubuntu.com/ubuntu jammy/main amd64 fprintd amd64 1.94.2-1 [98.3 kB]
Fetched 386 kB in 0s (1,275 kB/s) 
Selecting previously unselected package libfprint-2-2:amd64.
(Reading database ... 198491 files and directories currently installed.)
Preparing to unpack .../libfprint-2-2_1%3a1.94.3+tod1-0ubuntu2~22.04.03_amd64.deb ...
Unpacking libfprint-2-2:amd64 (1:1.94.3+tod1-0ubuntu2~22.04.03) ...
Selecting previously unselected package fprintd.
Preparing to unpack .../fprintd_1.94.2-1_amd64.deb ...
Unpacking fprintd (1.94.2-1) ...
Setting up libfprint-2-2:amd64 (1:1.94.3+tod1-0ubuntu2~22.04.03) ...
Setting up fprintd (1.94.2-1) ...
fprintd.service is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for udev (249.11-0ubuntu3.6) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
root@alaptop:/home/auser# 
root@alaptop:/home/auser# 
root@alaptop:/home/auser# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-unknown-error
root@alaptop:/home/auser# 

In Fedora

[root@fedora ~]# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-unknown-error
[root@fedora ~]# 

What do I do?

Clean install of Fedora 37, fingerprint reader works well. Cannot speak for previous releases or any tweaks made to existing installations.

@Matt_Hartley I also did a clean install of Fedora 37 and it doesn’t work. May be we have different definition of clean install. I have 2 M2 slots. I have installed on one of the slots having Erase of the disk. It is not a dual boot drive but again I was booting into ubuntu 2204 from time to time which was on another M2 SSD drive.

I tend to believe this is kinda hardware/software issue as potentially different fingerprint scanners have different APIs. Some of them supporting different calls some of them not.
If you read my post above see the error which says

gi.repository.GLib.GError: fp - device - error - quark: Device doesn't support clearing storage. (1)

I tend to believe that Elan Microelectronics Corp. ELAN:ARM-M4 doesn’t support wiping, instead I have option in BIOS to wipe fingerprint data. I probably should try wipe out all fingerprints via BIOS and then repeat install Fedora 37 without booting Ubuntu or Windows.

@Matt_Hartley I wonder what finger print scanner you’ve got? Could you share what lsusb returns for you? BTW, may I ask you to do a favour ? To execute py script in Fedora 37 provided by Shy_Guy? if you run the script which was privided by @Shy_Guy the same way as I did what is your output?

FYI, this is the lsusb -v for my working fingerprint scanner on my 12th Gen Batch 1 DIY (using fprintd on Arch). It’s a Goodix, not an Elan device:


Bus 003 Device 002: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix USB2.0 MISC
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x27c6 Shenzhen Goodix Technology Co.,Ltd.
  idProduct          0x609c 
  bcdDevice            1.00
  iManufacturer           1 Goodix Technology Co., Ltd.
  iProduct                2 Goodix USB2.0 MISC
  iSerial                 3 UID00000000_XXXX_MOC_B0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          3 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0

Give this a try:

sudo dnf upgrade
sudo dnf install fprintd fprintd-pam

Make sure the service is enabled and running

systemclt status fprintd.service

If it needs to be enabled or started

systemclt enable fprintd.service
systemclt start fprintd.service

Erase any old prints
fprintd-delete

Let’s enroll your prints
fprintd-enroll

Reboot

1 Like

@Alex_K - what hardware are you installing on? Two m2 slots and an elan fingerprint reader does not sound like a framework laptop.

1 Like

Sorry guys. I came here with a wrong laptop. I have HP G9 laptop which I bough just because I wanted a single cable solution(can charge and TypeC or Thunderbol) with 2 M2 slots and I could extend RAM to 64Gb. Thats the only reasons I bough it.

This may help you to get things sorted out: https://fprint.freedesktop.org/

1 Like

@lbkNhubert Many thanks for the link. I found out that my device Bus 003 Device 004: ID 04f3:0c7e Elan Microelectronics Corp. ELAN:ARM-M4 is supported, but for some reason when I executed lsusb -v it says Couldn't open device, some information will be missing. I wonder what is so special in HP G9 Zbook Laptop so that finger print device doesn’t work in Ubuntu 22.04.1 / 22.10 & Fedora. Actually it also complaints it can’t open next Bus 003 Device 067: ID 14cd:1212 Super Top microSD card reader (SY-T18) device.

lsusb -v | grep -A110 04f3
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Bus 003 Device 004: ID 04f3:0c7e Elan Microelectronics Corp. ELAN:ARM-M4
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x04f3 Elan Microelectronics Corp.
  idProduct          0x0c7e 
  bcdDevice            3.04
  iManufacturer           1 ELAN
  iProduct                2 ELAN:ARM-M4
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0053
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          3 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           8
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      ** UNRECOGNIZED:  09 21 10 01 00 01 22 15 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
Couldn't open device, some information will be missing
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1

Bus 003 Device 067: ID 14cd:1212 Super Top microSD card reader (SY-T18)
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing

@Alex_K you might have better luck w/ HP support (or their forums) or r/linuxhardware for additional help. I’m assuming you came here through an internet search, but this community forum is actually dedicated to Framework laptops. Fingerprint sensors are notorious for having poor Linux compatibility and HP often has dodgy firmware/BIOS issues with Linux so the issues you have are probably very specific to your particular laptop hardware. Good luck!

3 Likes

@lhl Sorry 3 days ago I did not know anything about framework laptops.

I went to HP but once I posted my question their bot provided some links and I find out the HP is useless for Linux. They do not do any support.
Please do a frame.work laptop with 2 or more m2 slots and I will drop HP laptop and buy yours. I really like the flexibility to have 2 M2 slots. Ideally I’d like to have 4 M2 Slots.

Appreciate the feedback, do keep us in mind in the future - we’re always evolving! :slight_smile: (Marking resolved as our guides indicate which distro provide fingerprint support)

2 Likes