fpsensor: Prepare derivation of positive match secret.

Implement derivation of positive match secret for a template. This
derivation will be used when biod sends a command to ask for
positive match secret and the secret readable bit is set. Also add
unit tests for this derivation.

BRANCH=nocturne
BUG=chromium:927095
TEST=make -j buildall
TEST=tested enrollment, matching and multifinger on DUT nocturne

Change-Id: Ife477a98573284f69c5fb07e814d9a3d09f92127
Signed-off-by: Yicheng Li <yichengli@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1639440
Reviewed-by: Nicolas Norvez <norvez@chromium.org>

1 files changed, 13 insertions, 0 deletions

diff --git a/include/fpsensor_crypto.h b/include/fpsensor_crypto.h
index e01a38799d..b6252b3fd2 100644
--- a/include/fpsensor_crypto.h
+++ b/include/fpsensor_crypto.h
@@ -41,6 +41,19 @@ int hkdf_expand(uint8_t *out_key, size_t out_key_size, const uint8_t *prk,
 int derive_encryption_key(uint8_t *out_key, const uint8_t *salt);
 
 /**
+ * Derive positive match secret from |input_positive_match_salt| and
+ * SBP_Src_Key.
+ *
+ * @param output buffer to store positive match secret, must be at least
+ * FP_POSITIVE_MATCH_SECRET_BYTES in size.
+ * @param input_positive_match_salt the salt for deriving secret, must be at
+ * least FP_POSITIVE_MATCH_SALT_BYTES in size.
+ * @return EC_SUCCESS on success and error code otherwise.
+ */
+int derive_positive_match_secret(uint8_t *output,
+				 const uint8_t *input_positive_match_salt);
+
+/**
  * Encrypt |plaintext| using AES-GCM128.
  *
  * @param key the key to use in AES.