Skip to content

Implement SearchKeys on tpmkms #927

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
maraino wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Implement SearchKeys on tpmkms #927

maraino wants to merge 3 commits into from
+207 −6

Conversation

@maraino
Copy link
Contributor

@maraino maraino commented Jan 8, 2026

This commit implements the experimental SearchKeys method on the tpmkms. With this method.

@maraino
Implement SearchKeys on tpmkms
e7161d0 
This commit implements the experimental SearchKeys method on the tpmkms.
With this method.
@maraino maraino requested a review from hslatman January 8, 2026 23:05
maraino added 2 commits January 8, 2026 15:09
@maraino
Fix linter errors
f2b09db
@maraino
Fix nil results on unsigned binaries
e630a84 
This commit fixes empty results on unsigned binaries when we search for
keys in the secure enclave.
@maraino maraino mentioned this pull request Jan 9, 2026
Draft
1 task
hslatman
hslatman reviewed Jan 15, 2026
View reviewed changes
kms/tpmkms/tpmkms.go
}

// SearchKeys searches for keys according to the query URI in the request. By
// default, with the query "tpmkms:", it will return all keys and attestation
Copy link
Member

@hslatman hslatman Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor, but this makes the distinction a little bit clearer:

Suggested change
// default, with the query "tpmkms:", it will return all keys and attestation
// default, with the query "tpmkms:", it will return all application and attestation

kms/tpmkms/tpmkms.go
// - "tpmkms:" will return all keys and AKs managed by the KMS
// - "tpmkms:ak=true" will return all AKs managed by the KMS
// - "tpmkms:ak=false" will return all the keys managed by the KMS
// - "tpmkms:name=my-name" will only return the key with the selected name
Copy link
Member

@hslatman hslatman Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means it defaults to the behavior of ak=false? If so, that sounds OK.

kms/tpmkms/tpmkms.go
Comment on lines +1287 to +1288
// - "tpmkms:name=my-name;ak=false" will only return the key with the selected name
//
Copy link
Member

@hslatman hslatman Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be an option to include support for searching application keys by the AK they were attested by. Not a blocker, though.

kms/tpmkms/tpmkms_simulator_test.go
}},
},
}, assert.NoError},
{"ok enpty", fields{sim, nil, nil}, args{&apiv1.SearchKeysRequest{Query: "tpmkms:name=not-found"}}, &apiv1.SearchKeysResponse{}, assert.NoError},
Copy link
Member

@hslatman hslatman Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{"ok enpty", fields{sim, nil, nil}, args{&apiv1.SearchKeysRequest{Query: "tpmkms:name=not-found"}}, &apiv1.SearchKeysResponse{}, assert.NoError},
{"ok empty", fields{sim, nil, nil}, args{&apiv1.SearchKeysRequest{Query: "tpmkms:name=not-found"}}, &apiv1.SearchKeysResponse{}, assert.NoError},

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hslatman hslatman hslatman left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@maraino maraino

Labels

needs triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maraino @hslatman