[client][management] feat: TPM/Secure Enclave certificate-based device authentication

.devcontainer/Dockerfile

@@ -1,12 +1,12 @@
 FROM golang:1.25-bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-12 \
-        iptables=1.8.9-2 \
-        libgl1-mesa-dev=22.3.6-1+deb12u1 \
-        xorg-dev=1:7.7+23 \
-        libayatana-appindicator3-dev=0.5.92-1 \
+    && apt-get -y install --no-install-recommends \
+        gettext-base \
+        iptables \
+        libgl1-mesa-dev \
+        xorg-dev \
+        libayatana-appindicator3-dev \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
     && go install -v golang.org/x/tools/gopls@latest

.github/workflows/device-auth-tests.yml

@@ -0,0 +1,44 @@
+name: Device Auth Tests
+
+on:
+  push:
+    branches: [feature/tpm-cert-auth]
+  pull_request:
+    branches: [main]
+    paths:
+      - 'management/server/deviceauth/**'
+      - 'management/server/devicepki/**'
+      - 'management/server/http/handlers/device_auth/**'
+      - 'management/internals/shared/grpc/**'
+      - 'client/internal/enrollment/**'
+      - 'client/internal/tpm/**'
+      - 'shared/management/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  device-auth-tests:
+    name: Device Auth Tests (no sudo required)
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: true
+
+      - name: Run device auth unit tests
+        run: |
+          go test -count=1 -timeout 300s -race \
+            ./management/server/deviceauth/... \
+            ./management/server/devicepki/... \
+            ./management/server/http/handlers/device_auth/... \
+            ./management/internals/shared/grpc/... \
+            ./client/internal/enrollment/... \
+            ./client/internal/tpm/... \
+            ./shared/management/...

.github/workflows/e2e-device-auth.yml

@@ -0,0 +1,51 @@
+name: E2E Device Auth Tests
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'management/**'
+      - 'client/**'
+      - 'netbird-stand/**'
+      - 'scripts/e2e-*.sh'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  e2e-device-auth:
+    name: E2E Device Auth (docker-compose stand)
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build management server
+        run: go build -o bin/management ./management/cmd/management
+
+      # TODO: Start management server - requires testdata/mgmt-e2e.json
+      # Uncomment when mgmt-e2e.json config is available:
+      # - name: Start management server
+      #   run: |
+      #     ./bin/management --config testdata/mgmt-e2e.json --port 8080 &
+      #     echo "Management server started (PID $!)"
+      #   env:
+      #     NETBIRD_STORE_ENGINE: sqlite
+
+      - name: Validate E2E scripts
+        run: |
+          chmod +x scripts/e2e-lib.sh scripts/e2e-device-auth.sh
+          bash -n scripts/e2e-lib.sh
+          bash -n scripts/e2e-device-auth.sh
+          echo "Script syntax OK"
+          # Note: Full E2E requires management server with testdata/mgmt-e2e.json
+          # Run manually: NETBIRD_API_URL=http://localhost:8080 bash scripts/e2e-device-auth.sh

.github/workflows/tpm-tests.yml

@@ -0,0 +1,128 @@
+name: TPM Integration Tests
+
+on:
+  push:
+    branches:
+      - main
+      - feature/tpm-cert-auth
+    paths:
+      - 'client/internal/tpm/**'
+      - 'client/internal/enrollment/**'
+      - 'management/server/devicepki/**'
+      - 'management/server/deviceinventory/**'
+  pull_request:
+    paths:
+      - 'client/internal/tpm/**'
+      - 'client/internal/enrollment/**'
+      - 'management/server/devicepki/**'
+      - 'management/server/deviceinventory/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  tpm-integration:
+    name: "TPM 2.0 Integration (swtpm)"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Install swtpm and tpm2-tools
+        run: |
+          sudo apt-get update -q
+          sudo apt-get install -y --no-install-recommends \
+            swtpm \
+            tpm2-tools \
+            libtpms-dev \
+            netcat-openbsd
+
+      - name: Start swtpm (TCP socket mode)
+        run: |
+          mkdir -p /tmp/swtpm-state
+          swtpm socket \
+            --tpmstate dir=/tmp/swtpm-state \
+            --tpm2 \
+            --flags not-need-init \
+            --server type=tcp,port=2321 \
+            --ctrl type=tcp,port=2322 \
+            --daemon
+          # Wait for swtpm to be ready on the command port.
+          for i in $(seq 1 15); do
+            nc -z localhost 2321 2>/dev/null && break
+            sleep 1
+          done
+          echo "NETBIRD_TPM_SIMULATOR=localhost:2321" >> $GITHUB_ENV
+          echo "swtpm ready on localhost:2321"
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-tpm-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-tpm-
+
+      - name: Run TPM unit tests (mock provider)
+        env:
+          NETBIRD_TPM_SIMULATOR: ${{ env.NETBIRD_TPM_SIMULATOR }}
+        run: go test ./client/internal/tpm/... -v -count=1 -timeout 60s
+
+      - name: Run TPM integration tests (swtpm TCP or /dev/tpmrm0)
+        env:
+          NETBIRD_TPM_SIMULATOR: ${{ env.NETBIRD_TPM_SIMULATOR }}
+        run: |
+          go test ./client/internal/tpm/... \
+            -v \
+            -count=1 \
+            -timeout 120s \
+            -tags integration
+
+      - name: Run enrollment manager tests
+        run: go test ./client/internal/enrollment/... -v -count=1 -timeout 60s
+
+      - name: Run devicepki tests
+        run: go test ./management/server/devicepki/... -v -count=1 -timeout 60s
+
+      - name: Run deviceinventory tests
+        run: go test ./management/server/deviceinventory/... -v -count=1 -timeout 60s
+
+  attestation-verification:
+    name: "Attestation Verification Unit Tests"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-attestation-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-attestation-
+
+      - name: Run attestation verification tests
+        run: |
+          go test ./management/server/devicepki/... \
+            -v \
+            -count=1 \
+            -run TestVerifyAttestation \
+            -timeout 30s

.gitignore

@@ -14,6 +14,11 @@ infrastructure_files/**/zitadel.env
 infrastructure_files/**/management.json
 infrastructure_files/**/management-*.json
 infrastructure_files/**/docker-compose.yml
+# Stand-dex is a versioned dev stand — its config files must be tracked
+!infrastructure_files/stand-dex/Caddyfile
+!infrastructure_files/stand-dex/dashboard.env
+!infrastructure_files/stand-dex/management.json
+!infrastructure_files/stand-dex/docker-compose.yml
 infrastructure_files/**/openid-configuration.json
 infrastructure_files/**/turnserver.conf
 infrastructure_files/**/management.json.bkp.**
@@ -33,3 +38,7 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
+/dev-stand-init
+/enroll-demo
+/mtls-demo
+infrastructure_files/stand/

Makefile

@@ -25,3 +25,15 @@ setup-hooks:
 	@git config core.hooksPath .githooks
 	@chmod +x .githooks/pre-push
 	@echo "✅ Git hooks configured! Pre-push will now run 'make lint'"
+
+MANAGEMENT_DEV_IMAGE ?= netbird/management:tpm-dev
+
+# Build management Docker image from source for local testing with netbird-stand.
+# Uses management/Dockerfile.multistage which does a full Go build.
+.PHONY: docker-management-dev
+docker-management-dev:
+	@echo "Building $(MANAGEMENT_DEV_IMAGE) from feature/tpm-cert-auth..."
+	docker build -f management/Dockerfile.multistage -t $(MANAGEMENT_DEV_IMAGE) .
+	@echo ""
+	@echo "Image ready: $(MANAGEMENT_DEV_IMAGE)"
+	@echo "Next: cd /path/to/netbird-stand && bash scripts/up-device-auth.sh"

client/internal/connect.go

@@ -2,6 +2,7 @@ package internal
 
 import (
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"net"
@@ -22,12 +23,14 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/enrollment"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/internal/tpm"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	nbnet "github.com/netbirdio/netbird/client/net"
@@ -258,6 +261,50 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)
 
+		// Device certificate enrollment — runs idempotently on each connection attempt.
+		// Skipped on platforms without TPM/Secure Enclave support (iOS, Android, WASM, etc.)
+		// to avoid noisy "not supported" log warnings on every reconnect.
+		stateDir := profilemanager.DefaultConfigPathDir
+		tpmProv := tpm.NewPlatformProvider(stateDir)
+		if tpmProv.Available() {
+			enrollMgr := enrollment.NewManager(tpmProv, mgmClient, stateDir, myPrivateKey.PublicKey().String())
+
+			enrollCtx, enrollCancel := context.WithTimeout(engineCtx, 30*time.Second)
+			defer enrollCancel()
+			if _, certErr := enrollMgr.EnsureCertificate(enrollCtx); certErr != nil {
+				log.Warnf("device cert enrollment: %v — continuing without certificate", certErr)
+			} else if tlsCert, buildErr := enrollMgr.BuildTLSCertificate(engineCtx); buildErr != nil && !errors.Is(buildErr, enrollment.ErrNotEnrolled) {
+				log.Warnf("device cert: build TLS cert: %v — continuing without", buildErr)
+			} else if tlsCert != nil && mgmTlsEnabled {
+				// Reconnect with the device certificate as mTLS client cert.
+				certMgmClient, dialErr := mgm.NewClientWithCert(engineCtx, c.config.ManagementURL.Host, myPrivateKey, tlsCert)
+				if dialErr != nil {
+					log.Warnf("device cert: mTLS reconnect failed: %v — continuing without certificate", dialErr)
+				} else {
+					// Swap plain → cert client. The existing defer mgmClient.Close() will
+					// now close certMgmClient (Go closures capture the variable, not the value).
+					if closeErr := mgmClient.Close(); closeErr != nil {
+						log.Warnf("close plain mgm client before cert upgrade: %v", closeErr)
+					}
+					mgmClient = certMgmClient
+					mgmClient.SetConnStateListener(mgmNotifier)
+					cn := "<unknown>"
+					if tlsCert.Leaf != nil {
+						cn = tlsCert.Leaf.Subject.CommonName
+					}
+					log.Infof("device cert: management connection upgraded to mTLS (cert CN=%s)", cn)
+
+					// Start the certificate renewal loop. When the cert is approaching expiry
+					// and a fresh one is issued, cancel the engine context so the connection
+					// restarts with the new certificate.
+					enrollMgr.StartRenewalLoop(engineCtx, func(_ *x509.Certificate) {
+						log.Info("device cert: certificate renewed — reconnecting to apply new cert")
+						cancel()
+					})
+				}
+			}
+		}
+
 		// Update metrics with actual deployment type after connection
 		deploymentType := metrics.DetermineDeploymentType(mgmClient.GetServerURL())
 		agentInfo := metrics.AgentInfo{