From f2b8d37436d047e444efa6d728961664f0d5009b Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Fri, 26 Sep 2025 08:39:02 -0700
Subject: [PATCH] feature/tpm: only register HardwareAttestationKey on linux/windows (#17293)

We can only register one key implementation per process. When running on macOS or Android, trying to register a separate key implementation from feature/tpm causes a panic.

Updates #15830

Signed-off-by: Andrew Lytvynov
---
 feature/tpm/tpm.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/feature/tpm/tpm.go b/feature/tpm/tpm.go
index 019224738..e4c2b29e9 100644
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -14,6 +14,7 @@ import (
 "log"
 "os"
 "path/filepath"
+ "runtime"
 "slices"
 "strings"
 "sync"
@@ -40,10 +41,12 @@ func init() {
 hi.TPM = infoOnce()
 })
 store.Register(store.TPMPrefix, newStore)
- key.RegisterHardwareAttestationKeyFns(
- func() key.HardwareAttestationKey { return &attestationKey{} },
- func() (key.HardwareAttestationKey, error) { return newAttestationKey() },
- )
+ if runtime.GOOS == "linux" || runtime.GOOS == "windows" {
+ key.RegisterHardwareAttestationKeyFns(
+ func() key.HardwareAttestationKey { return &attestationKey{} },
+ func() (key.HardwareAttestationKey, error) { return newAttestationKey() },
+ )
+ }
 }

 func info() *tailcfg.TPMInfo {
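Review bot: The new `runtime.GOOS` check around `key.RegisterHardwareAttestationKeyFns` in init() has no comment, so the reason for the linux/windows allowlist is recorded only in the commit message. I would add above the `if`: `// Only one HardwareAttestationKey implementation may be registered per process; a second registration panics, so register the TPM-backed one only where no other implementation exists.` The hunk also does not show what callers get on a GOOS that is outside this list and has no other implementation registered; presumably the key package reports hardware attestation as unsupported there, but that is worth confirming so a missing hardware-backed key is surfaced rather than silently tolerated. Note that `store.Register(store.TPMPrefix, newStore)` stays unconditional, so the TPM state store and the attestation key now have different platform coverage, which the comment could mention. init() begins above the hunk.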