Platform KMS (WIP)

[maraino]

This is a first attempt to create a platform KMS. This KMS is supports mackms, tpmkms, softkms, and capikms.

There's a couple of things that I'll like to consider:

1. Is hw the right argument, or should we use ak?
2. Should we fail if hw (or ak) is set for softkms and capikms?

[hslatman]

• Is hw the right argument, or should we use ak?

hw and ak must not be considered to mean the same thing. All AKs are hardware-bound (currently, at least; especially in the context of TPMs); not all hardware-bound keys are AKs. Using those interchangeably will cause confusion. In general I would say hw is thus the right term to use. Only use ak when it's specifically about an attestation key. At the moment, using ak=true implies hw=true, but not vice versa.

• Should we fail if hw (or ak) is set for softkms and capikms?

I think that's OK. In general, when a specific backing KMS doesn't support a certain functionality, and still instructed to do so, it should fail. Technically, the capikms with Microsoft Platform Crypto Provider set as the provider, will have its keys backed by the TPM, so we could take that into account when hw=true is provided to capikms with the provider set. It might also be possible to manage AKs through capikms, but I don't recall having seen functionality related to that before.