types/persist: add AttestationKey (#17281)

Extend Persist with AttestationKey to record a hardware-backed
attestation key for the node's identity.

Add a flag to tailscaled to allow users to control the use of
hardware-backed keys to bind node identity to individual machines.

Updates tailscale/corp#31269
Change-Id: Idcf40d730a448d85f07f1bebf387f086d4c58be3

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
This commit is contained in:
Patrick O'Doherty
2025-10-10 10:28:36 -07:00
committed by GitHub
parent a2dc517d7d
commit e45557afc0
26 changed files with 370 additions and 42 deletions
@@ -141,6 +141,10 @@ const (
// It's a noop on other platforms.
EncryptState Key = "EncryptState"
// HardwareAttestation is a boolean key that controls whether to use a
// hardware-backed key to bind the node identity to this device.
HardwareAttestation Key = "HardwareAttestation"
// PostureChecking indicates if posture checking is enabled and the client shall gather
// posture data.
// Key is a string value that specifies an option: "always", "never", "user-decides".
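Review bot: the doc comment on the new HardwareAttestation key should state the default when the key is unset and what happens on platforms without a supported hardware key store, as the EncryptState comment just above it does ("It's a noop on other platforms."). Because a true value binds the node identity to a single machine, an administrator reading the policy key needs to know whether a missing value means off and whether true on an unsupported platform is silently ignored or causes an error; something like `// Defaults to false; it's a noop on platforms without a hardware key store.` would do, if that matches the implementation.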
@@ -43,6 +43,7 @@ var implicitDefinitions = []*setting.Definition{
setting.NewDefinition(pkey.PostureChecking, setting.DeviceSetting, setting.PreferenceOptionValue),
setting.NewDefinition(pkey.ReconnectAfter, setting.DeviceSetting, setting.DurationValue),
setting.NewDefinition(pkey.Tailnet, setting.DeviceSetting, setting.StringValue),
setting.NewDefinition(pkey.HardwareAttestation, setting.DeviceSetting, setting.BooleanValue),
// User policy settings (can be configured on a user- or device-basis):
setting.NewDefinition(pkey.AdminConsoleVisibility, setting.UserSetting, setting.VisibilityValue),
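Review bot: the added `setting.NewDefinition(pkey.HardwareAttestation, setting.DeviceSetting, setting.BooleanValue)` line is appended after `pkey.Tailnet`, which breaks the alphabetical order the neighbouring device-setting definitions follow (PostureChecking, ReconnectAfter, Tailnet); move it to its sorted position so the list stays easy to scan and future diffs stay clean. Registering it as a `setting.DeviceSetting` with `setting.BooleanValue` is consistent with the key's doc comment in the first hunk, and device scope is the right choice for a control that binds the node identity to the machine rather than to a user.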