From c5919b4ed1f38374d51fe9e92ef57e322c31c875 Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Fri, 14 Nov 2025 13:23:25 -0800
Subject: [PATCH] feature/tpm: check IsZero in clone instead of just nil (#17884) The key.NewEmptyHardwareAttestationKey hook returns a non-nil empty attestationKey, which means that the nil check in Clone doesn't trigger and proceeds to try and clone an empty key. Check IsZero instead to reduce log spam from Clone. As a drive-by, make tpmAvailable check a sync.Once because the result won't change. Updates #17882 Signed-off-by: Andrew Lytvynov
---
 feature/tpm/attestation.go | 2 +-
 feature/tpm/tpm.go | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/feature/tpm/attestation.go b/feature/tpm/attestation.go
index 597d4a649..49b80ade1 100644
--- a/feature/tpm/attestation.go
+++ b/feature/tpm/attestation.go
@@ -274,7 +274,7 @@ func (ak *attestationKey) Close() error {
 }
 
 func (ak *attestationKey) Clone() key.HardwareAttestationKey {
- if ak == nil {
+ if ak.IsZero() {
 return nil
 }
 
diff --git a/feature/tpm/tpm.go b/feature/tpm/tpm.go
index 4b27a241f..7cbdec088 100644
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -35,12 +35,15 @@ import (
 "tailscale.com/util/testenv"
 )
 
-var infoOnce = sync.OnceValue(info)
+var (
+ infoOnce = sync.OnceValue(info)
+ tpmSupportedOnce = sync.OnceValue(tpmSupported)
+)
 
 func init() {
 feature.Register("tpm")
- feature.HookTPMAvailable.Set(tpmSupported)
- feature.HookHardwareAttestationAvailable.Set(tpmSupported)
+ feature.HookTPMAvailable.Set(tpmSupportedOnce)
+ feature.HookHardwareAttestationAvailable.Set(tpmSupportedOnce)
 hostinfo.RegisterHostinfoNewHook(func(hi *tailcfg.Hostinfo) {
 hi.TPM = infoOnce()
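Review bot: In the feature/tpm/attestation.go hunk, `Clone` now calls `ak.IsZero()` on a receiver that can still be nil, so the case the removed `ak == nil` check covered is only safe if `IsZero` itself tolerates a nil `*attestationKey`. That method is not visible in this hunk; either confirm it begins with a nil guard or make the intent explicit with `if ak == nil || ak.IsZero() {`. A one-line comment such as `// An empty key (e.g. from key.NewEmptyHardwareAttestationKey) has nothing to clone; return a nil interface.` would record why the check is broader than nil. A regression test that clones the empty key and asserts the result `== nil` would pin the behaviour that callers of this attestation-key path rely on. Clone's body continues past the end of the hunk.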