fpsensor: Enable positive match secret and positive match salt on enrollment.

On enrollment success, generate new positive_match_salt and send it as part
of the encrypted blob. Also enable positive match secret to be read.
The positive_match_salt is used to derive positive_match_secret and
is different from the encryption salt for encrypting the templates.
The positive_match_salt needs to be sent to biod and stored with templates
because it needs to be re-uploaded to FPMCU the next time the user logs in.
The positive match secret needs to be sent to biod so that it knows what to
compare against at a match.

BRANCH=nocturne
BUG=chromium:927095
TEST=make -j buildall
TEST=tested enrollment, matching and multifinger on DUT nocturne

Change-Id: I3e44a972ee17c5a93bddd52340f8f2249836463a
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1828058
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Tom Hughes <tomhughes@chromium.org>

1 files changed, 2 insertions, 1 deletions

diff --git a/common/fpsensor/fpsensor_crypto.c b/common/fpsensor/fpsensor_crypto.c
index 4a2b31c411..73d7aca681 100644
--- a/common/fpsensor/fpsensor_crypto.c
+++ b/common/fpsensor/fpsensor_crypto.c
@@ -200,7 +200,8 @@ int derive_encryption_key(uint8_t *out_key, const uint8_t *salt)
 	}
 
 	/* "Extract step of HKDF. */
-	hkdf_extract(prk, salt, FP_CONTEXT_SALT_BYTES, ikm, sizeof(ikm));
+	hkdf_extract(prk, salt, FP_CONTEXT_ENCRYPTION_SALT_BYTES, ikm,
+		     sizeof(ikm));
 	always_memset(ikm, 0, sizeof(ikm));
 
 	/*