webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 3 Packages Projects Releases Wiki Activity

feature/tpm: check TPM family data for compatibility (#17624)

Browse Source 
Check that the TPM we have opened is advertised as a 2.0 family device
before using it for state sealing / hardware attestation.

Updates #17622

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
This commit is contained in:
Patrick O'Doherty
2025-10-23 14:56:56 -07:00
committed by GitHub
parent afaa23c3b4
commit 36ad24b20f
4 changed files with 22 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
feature/tpm/tpm.go
+4 -4
View File
@@ -55,12 +55,11 @@ func init() {
} }
func tpmSupported() bool { func tpmSupported() bool {
tpm, err := open() hi := infoOnce()
if err != nil { if hi == nil {
return false return false
} }
tpm.Close() return hi.FamilyIndicator == "2.0"
return true
} }
var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM") var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")
@@ -104,6 +103,7 @@ func info() *tailcfg.TPMInfo {
{tpm2.TPMPTVendorTPMType, func(info *tailcfg.TPMInfo, value uint32) { info.Model = int(value) }}, {tpm2.TPMPTVendorTPMType, func(info *tailcfg.TPMInfo, value uint32) { info.Model = int(value) }},
{tpm2.TPMPTFirmwareVersion1, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) << 32 }}, {tpm2.TPMPTFirmwareVersion1, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) << 32 }},
{tpm2.TPMPTFirmwareVersion2, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) }}, {tpm2.TPMPTFirmwareVersion2, func(info *tailcfg.TPMInfo, value uint32) { info.FirmwareVersion += uint64(value) }},
{tpm2.TPMPTFamilyIndicator, toStr(&info.FamilyIndicator)},
} { } {
resp, err := tpm2.GetCapability{ resp, err := tpm2.GetCapability{
Capability: tpm2.TPMCapTPMProperties, Capability: tpm2.TPMCapTPMProperties,
feature/tpm/tpm_test.go
+13
View File
@@ -133,6 +133,19 @@ func TestStore(t *testing.T) {
}) })
} }
func BenchmarkInfo(b *testing.B) {
b.StopTimer()
skipWithoutTPM(b)
b.StartTimer()
for i := 0; i < b.N; i++ {
hi := info()
if hi == nil {
b.Fatalf("tpm info error")
}
}
b.StopTimer()
}
func BenchmarkStore(b *testing.B) { func BenchmarkStore(b *testing.B) {
skipWithoutTPM(b) skipWithoutTPM(b)
b.StopTimer() b.StopTimer()
ipn/ipnlocal/c2n_test.go
+1
View File
@@ -384,6 +384,7 @@ func TestRedactNetmapPrivateKeys(t *testing.T) {
f(tailcfg.Service{}, "Port"): false, f(tailcfg.Service{}, "Port"): false,
f(tailcfg.Service{}, "Proto"): false, f(tailcfg.Service{}, "Proto"): false,
f(tailcfg.Service{}, "_"): false, f(tailcfg.Service{}, "_"): false,
f(tailcfg.TPMInfo{}, "FamilyIndicator"): false,
f(tailcfg.TPMInfo{}, "FirmwareVersion"): false, f(tailcfg.TPMInfo{}, "FirmwareVersion"): false,
f(tailcfg.TPMInfo{}, "Manufacturer"): false, f(tailcfg.TPMInfo{}, "Manufacturer"): false,
f(tailcfg.TPMInfo{}, "Model"): false, f(tailcfg.TPMInfo{}, "Model"): false,
tailcfg/tailcfg.go
+4
View File
@@ -928,6 +928,10 @@ type TPMInfo struct {
// https://trustedcomputinggroup.org/resource/tpm-library-specification/. // https://trustedcomputinggroup.org/resource/tpm-library-specification/.
// Before revision 184, TCG used the "01.83" format for revision 183. // Before revision 184, TCG used the "01.83" format for revision 183.
SpecRevision int `json:",omitempty"` SpecRevision int `json:",omitempty"`
// FamilyIndicator is the TPM spec family, like "2.0".
// Read from TPM_PT_FAMILY_INDICATOR.
FamilyIndicator string `json:",omitempty"`
} }
// Present reports whether a TPM device is present on this machine. // Present reports whether a TPM device is present on this machine.