From 2363c937faebcd9f0b17c7fdf2366a632ead1c8b Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 17 Oct 2024 11:10:04 -0300
Subject: [PATCH] Check bounds of tpm.EKs() slice before indexing
---
 lib/tpm/tpm.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/tpm/tpm.go b/lib/tpm/tpm.go
index b720df596a82..6175efdedb01 100644
--- a/lib/tpm/tpm.go
+++ b/lib/tpm/tpm.go
@@ -125,6 +125,11 @@ func QueryWithTPM(
 if err != nil {
 return nil, trace.Wrap(err, "querying EKs")
 }
+ // Be a good citizen and check the slice bounds. This is not expected to
+ // happen.
+ if len(eks) == 0 {
+ return nil, trace.BadParameter("no endorsement keys found in tpm")
+ }
 // The first EK returned by `go-attestation` will be an RSA based EK key or
 // EK cert. On Windows, ECC certs may also be returned following this. At