Tailscaled tpm seems to default to /dev/tpm0 not /dev/tpmrm0

[udf2457]

What is the issue?

I am running the service as non-root user, and seeing this in the logs:

tailscaled[10907]: TPM: error opening: open /dev/tpm0: permission denied

Which, of course is to be expected....

crw-rw---- 1 tss root 10, 224 Nov 21 18:16 /dev/tpm0

But the problem is, you see that I have put the tailscale user into the tss group:

$ fgrep tss /etc/group
tss:x:107:tailscale

And so none of this would happen if tailscaled tried tpmrm0 first !

crw-rw---- 1 tss tss 254, 65536 Nov 21 18:16 /dev/tpmrm0

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Debian

OS version

Trixie

Tailscale version

1.90.8
  tailscale commit: edc9d22455eb839bd411d1b0555da979d1fb4d75
  long version: 1.90.8-tedc9d2245-ged5c52ee2
  other commit: ed5c52ee2e5854e3bf8c3c06229198b17f0d3a77
  go version: go1.25.3

Other software

No response

Bug report

No response

[bradfitz]

/cc @awly @patrickod

[udf2457]

Looking at the source code, if my understanding is correct /dev/tpmrm0 acccess issues are not bubbled up to the logs.

I think found the solution, a missing DeviceAllow=/dev/tpmrm0 rwm was required in my systemd service override.

But I found that more by luck than good judgement, i.e. remembering I had hardening overrides. Because there was nothing in the logs to help.

Not quite sure why tailscaled could see /dev/tpm0 though because I don't have a DeviceAllow for /dev/tpm0 ... but I guess that's one for the systemd people to answer.

[awly]

Yeah, we try both (/dev/tpmrm0 first, then fall back to /dev/tpm0) but only return the last error seen.
#18071 changes it to print both errors, which should hopefully help debug similar situations.

[udf2457]

Super, thanks @awly !

[chennin]

Hi @awly , posting here as it seems to be the most related

I also hardened my Tailscale systemd config following the official documentation, and I ran in to /dev/tpm0: permission denied error. I needed both the DeviceAllow and to add tailscaled to the tss group. (I only put DeviceAllow as rw, I guess m isn't needed, and also I didn't see what the systemd default was either).

So as documented, it won't work to both harden tailscale and enable --encrypt-state.

There's also other issues with that document, that cause tailscale to not work with Ubuntu 24.04, Arch Linux, or anything else with a modern polkit. See #9344.

Could some employee time please be spent on that document?