From 672b1f0e76c074fbf922bc409f8bd1fdfc8057f3 Mon Sep 17 00:00:00 2001
From: Patrick O'Doherty
Date: Thu, 23 Oct 2025 16:48:58 -0700
Subject: [PATCH] feature/tpm: use withSRK to probe TPM availability (#17627)

On some platforms e.g. ChromeOS the owner hierarchy might not always be available to us. To avoid stale sealing exceptions later we probe to confirm it's working rather than rely solely on family indicator status.

Updates #17622

Signed-off-by: Patrick O'Doherty
---
 feature/tpm/tpm.go | 17 ++++++++++++++++-
 feature/tpm/tpm_test.go | 12 ++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/feature/tpm/tpm.go b/feature/tpm/tpm.go
index 64a702bd9..4b27a241f 100644
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -59,7 +59,22 @@ func tpmSupported() bool {
 	if hi == nil {
 		return false
 	}
-	return hi.FamilyIndicator == "2.0"
+	if hi.FamilyIndicator != "2.0" {
+		return false
+	}
+
+	tpm, err := open()
+	if err != nil {
+		return false
+	}
+	defer tpm.Close()
+
+	if err := withSRK(logger.Discard, tpm, func(srk tpm2.AuthHandle) error {
+		return nil
+	}); err != nil {
+		return false
+	}
+	return true
 }
 
 var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")
diff --git a/feature/tpm/tpm_test.go b/feature/tpm/tpm_test.go
index 5c0fbafb6..afce570fc 100644
--- a/feature/tpm/tpm_test.go
+++ b/feature/tpm/tpm_test.go
@@ -146,6 +146,18 @@ func BenchmarkInfo(b *testing.B) {
 	b.StopTimer()
 }
 
+func BenchmarkTPMSupported(b *testing.B) {
+	b.StopTimer()
+	skipWithoutTPM(b)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		if !tpmSupported() {
+			b.Fatalf("tpmSupported returned false")
+		}
+	}
+	b.StopTimer()
+}
+
 func BenchmarkStore(b *testing.B) {
 	skipWithoutTPM(b)
 	b.StopTimer()
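Review bot: Every failure in the new probe collapses into a bare `return false`, and the SRK callback is handed `logger.Discard`, so on exactly the platforms this change targets (owner hierarchy unavailable) the TPM is silently reported as unsupported and an operator cannot tell an `open()` failure from an SRK failure. Since `verboseTPM` is declared right below the hunk, consider passing a logf gated on it instead of `logger.Discard` and logging `err` before each `return false`. The probe also runs withSRK (which presumably creates or loads the SRK) on every call and nothing caches the outcome; if tpmSupported is consulted more than once per process, which I cannot see from this hunk, memoizing the result with a sync.Once would avoid repeated TPM round-trips. A why-comment would help the next reader, e.g. `// The family indicator alone is not enough: on some platforms (e.g. ChromeOS) the owner hierarchy may be unavailable, so probe SRK creation; see #17622.` The function's signature line lies above the hunk.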
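Review bot: `b.Fatalf("tpmSupported returned false")` carries no format arguments, so `b.Fatal("tpmSupported returned false")` is the idiomatic form. Beyond this benchmark the commit adds no test of the new negative path in tpmSupported (an `open()` or `withSRK` failure returning false), which is the behaviour the change is about; if `open` is injectable in this package a small test covering that case would pin it, though I cannot see from this hunk whether it is. The loop could also use `for b.Loop()` if the module is on Go 1.24 or later.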