cmd/tailscaled: default --encrypt-state to true if TPM is available (#17376)

Whenever running on a platform that has a TPM (and tailscaled can access it), default to encrypting the state. The user can still explicitly set this flag to disable encryption. Updates https://github.com/tailscale/corp/issues/32909 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-12-24 17:47:30 +00:00 · 2025-10-01 20:18:58 -07:00
parent 78af49dd1a
commit cca70ddbfc
7 changed files with 65 additions and 20 deletions
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -39,6 +39,7 @@ var infoOnce = sync.OnceValue(info)

 func init() {
 	feature.Register("tpm")
+	feature.HookTPMAvailable.Set(tpmSupported)
 	hostinfo.RegisterHostinfoNewHook(func(hi *tailcfg.Hostinfo) {
 		hi.TPM = infoOnce()
 	})
@@ -51,6 +52,15 @@ func init() {
 	}
 }

+func tpmSupported() bool {
+	tpm, err := open()
+	if err != nil {
+		return false
+	}
+	tpm.Close()
+	return true
+}
+
 var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")

 func info() *tailcfg.TPMInfo {