feature/tpm: use withSRK to probe TPM availability (#17627)

On some platforms e.g. ChromeOS the owner hierarchy might not always be available to us. To avoid stale sealing exceptions later we probe to confirm it's working rather than rely solely on family indicator status. Updates #17622 Signed-off-by: Patrick O'Doherty <patrick@tailscale.com> (cherry picked from commit 672b1f0e76c074fbf922bc409f8bd1fdfc8057f3)
2026-02-28 11:01:18 +01:00 · 2025-10-23 16:48:58 -07:00 · 2025-10-23 16:48:58 -07:00 · 9fe44b3718
commit 9fe44b3718
parent a8ae316858
2 changed files with 28 additions and 1 deletions
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@ -59,7 +59,22 @@ func tpmSupported() bool {
 	if hi == nil {
 		return false
 	}
-	return hi.FamilyIndicator == "2.0"
+	if hi.FamilyIndicator != "2.0" {
+		return false
+	}
+
+	tpm, err := open()
+	if err != nil {
+		return false
+	}
+	defer tpm.Close()
+
+	if err := withSRK(logger.Discard, tpm, func(srk tpm2.AuthHandle) error {
+		return nil
+	}); err != nil {
+		return false
+	}
+	return true
 }

 var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")
--- a/feature/tpm/tpm_test.go
+++ b/feature/tpm/tpm_test.go
@ -146,6 +146,18 @@ func BenchmarkInfo(b *testing.B) {
 	b.StopTimer()
 }

+func BenchmarkTPMSupported(b *testing.B) {
+	b.StopTimer()
+	skipWithoutTPM(b)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		if !tpmSupported() {
+			b.Fatalf("tpmSupported returned false")
+		}
+	}
+	b.StopTimer()
+}
+
 func BenchmarkStore(b *testing.B) {
 	skipWithoutTPM(b)
 	b.StopTimer()