feature/tpm: check IsZero in clone instead of just nil (#17884)

The key.NewEmptyHardwareAttestationKey hook returns a non-nil empty attestationKey, which means that the nil check in Clone doesn't trigger and proceeds to try and clone an empty key. Check IsZero instead to reduce log spam from Clone. As a drive-by, make tpmAvailable check a sync.Once because the result won't change. Updates #17882 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-12-01 15:32:05 +01:00 · 2025-11-14 13:23:25 -08:00 · 2025-11-14 13:23:25 -08:00 · c5919b4ed1
commit c5919b4ed1
parent 888a5d4812
2 changed files with 7 additions and 4 deletions
--- a/feature/tpm/attestation.go
+++ b/feature/tpm/attestation.go
@ -274,7 +274,7 @@ func (ak *attestationKey) Close() error {
 }

 func (ak *attestationKey) Clone() key.HardwareAttestationKey {
-	if ak == nil {
+	if ak.IsZero() {
 		return nil
 	}

--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@ -35,12 +35,15 @@ import (
 	"tailscale.com/util/testenv"
 )

-var infoOnce = sync.OnceValue(info)
+var (
+	infoOnce         = sync.OnceValue(info)
+	tpmSupportedOnce = sync.OnceValue(tpmSupported)
+)

 func init() {
 	feature.Register("tpm")
-	feature.HookTPMAvailable.Set(tpmSupported)
-	feature.HookHardwareAttestationAvailable.Set(tpmSupported)
+	feature.HookTPMAvailable.Set(tpmSupportedOnce)
+	feature.HookHardwareAttestationAvailable.Set(tpmSupportedOnce)

 	hostinfo.RegisterHostinfoNewHook(func(hi *tailcfg.Hostinfo) {
 		hi.TPM = infoOnce()