feature/tpm: implement ipn.StateStore using TPM sealing (#16030)

Updates #15830

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
Andrew Lytvynov
2025-06-18 14:17:12 -07:00
committed by GitHub
parent ad0dfcb185
commit 4979ce7a94
7 changed files with 500 additions and 23 deletions


@@ -45,6 +45,8 @@ var knownStores map[string]Provider
// the suffix an AWS ARN for an SSM.
// - (Linux-only) if the string begins with "kube:",
// the suffix is a Kubernetes secret name
// - (Linux or Windows) if the string begins with "tpmseal:", the suffix is
// filepath that is sealed with the local TPM device.
// - In all other cases, the path is treated as a filepath.
func New(logf logger.Logf, path string) (ipn.StateStore, error) {
for prefix, sf := range knownStores {
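Review bot: The new `tpmseal:` bullet in the doc comment on New is ungrammatical ("the suffix is filepath") and reads as if the path were sealed rather than the file's contents. Suggested wording: `// - (Linux or Windows) if the string begins with "tpmseal:", the suffix is a` followed by `// filepath whose contents are sealed with the local TPM device.` The comment also does not say what New returns when the machine has no usable TPM, an error or a fallback to an unsealed file. Anyone choosing this prefix to protect node state needs to know that; it is not visible in this hunk, so it should be confirmed against the store implementation and stated here. New's body continues outside the hunk.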