Commit 045488f

Add trusted platform module (TPM) support to TLS package (open-telemetry#12801)
#### Description

Add trusted platform module (TPM) support to TLS package.

#### Link to tracking issue

Resolves open-telemetry/opentelemetry-collector-contrib#38682
Replaces open-telemetry/opentelemetry-collector-contrib#39059

TPM cannot be implemented as an extension (open-telemetry/opentelemetry-collector-contrib#38682) because it overrides the entire `http.transport` and therefore invalidates other extensions/authenticators.

#### Testing

```yaml
# make otelcorecol
# sudo ./bin/otelcorecol_linux_amd64 --config ./examples/local/tpm.yaml
#
# CA
# openssl genrsa -des3 -out ca.key 2048
# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
#
# client
# sudo tpm2tss-genkey -a rsa -s 2048 edge-cert.key
# sudo openssl req -new -provider tpm2 -key edge-cert.key -out edge-cert.csr -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in edge-cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out edge-cert.crt -days 1826 -copy_extensions copyall
#
# server
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -copy_extensions copyall

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: localhost:4317
      http:
        endpoint: localhost:4318
  otlp/server:
    protocols:
      grpc:
        endpoint: localhost:4319
        tls:
          client_ca_file: ca.crt
          cert_file: server.crt
          key_file: server.key

exporters:
  otlp:
    endpoint: https://localhost:4319
    tls:
      key_file: edge-cert.key
      cert_file: edge-cert.crt
      ca_file: ca.crt
      tpm:
        enabled: true
        path: /dev/tpmrm0
  debug:
    verbosity: normal

service:
  telemetry:
    metrics:
      address: localhost:8889
  pipelines:
    metrics/client:
      receivers: [otlp]
      exporters: [otlp]
    metrics/server:
      receivers: [otlp/server]
      exporters: [debug]
```

#### Documentation

Signed-off-by: Pavol Loffay <[email protected]>
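The `tls.tpm` block in the commit's test config lets the exporter present a client certificate whose private key never leaves the TPM. The Go mechanism that makes this possible is the `crypto.Signer` interface: `crypto/tls` never reads key material, it only calls `Public()` and `Sign()`, so a TPM-backed key is simply another `Signer`. The program below is an added example, not code from this commit or from the OpenTelemetry project, and it makes the following assumptions: `hardwareSigner`, `newIdentity`, `runMutualTLS` and `must` are names invented here; the "hardware" is an in-memory P-256 key standing in for a TPM handle (a real loader would go through go-tpm / go-tpm-keyfiles, whose API is not shown on this page); and the certificates are self-signed and constructed at run time. It performs a mutually authenticated TLS 1.3 handshake over loopback, mirroring the receiver/exporter pairing in the commit's config, and counts how often each side's "hardware" was asked to sign: once each, for the CertificateVerify message.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"sync/atomic"
	"time"
)

// hardwareSigner stands in for a TPM-resident key (an assumption of this example,
// not the PR's loader). crypto/tls needs only Public() and Sign(), so a real
// implementation forwards Sign to the TPM and the private key is never exported.
type hardwareSigner struct {
	key   *ecdsa.PrivateKey // in-memory stand-in so the example runs without a TPM
	signs atomic.Int32      // signatures the "hardware" was asked to produce
}

func (s *hardwareSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s *hardwareSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	s.signs.Add(1)
	return ecdsa.SignASN1(r, s.key, digest) // TLS hands us the digest; return a DER ECDSA signature
}

// must aborts the example on setup failures (key generation, issuance, sockets).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity returns a fresh hardwareSigner, a self-signed "localhost" certificate
// for it (valid for server and client auth) and a pool that trusts that certificate.
func newIdentity() (*hardwareSigner, tls.Certificate, *x509.CertPool) {
	signer := &hardwareSigner{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	signer.signs.Store(0) // issuance signed once; count only handshake signatures from here on
	return signer, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer}, pool
}

// runMutualTLS runs one mutually authenticated TLS 1.3 handshake over loopback with
// both peers' keys behind hardwareSigner and returns how many signatures the client's
// and the server's signer produced during it (the server's verdict is returned as error).
func runMutualTLS() (int32, int32, error) {
	cliSigner, cliCert, cliPool := newIdentity()
	srvSigner, srvCert, srvPool := newIdentity()
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the receiver's client_ca_file role
		ClientCAs:    cliPool,
		MinVersion:   tls.VersionTLS13,
	}))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		srvErr <- conn.(*tls.Conn).Handshake()
	}()
	cli := must(tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // tls.Dial completes the handshake
		Certificates: []tls.Certificate{cliCert}, // the exporter's TPM-backed key
		RootCAs:      srvPool,
		ServerName:   "localhost",
		MinVersion:   tls.VersionTLS13,
	}))
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return 0, 0, fmt.Errorf("server-side handshake failed: %w", err)
	}
	return cliSigner.signs.Load(), srvSigner.signs.Load(), nil
}

func main() {
	c, s, err := runMutualTLS()
	if err != nil {
		panic(err)
	}
	fmt.Printf("mTLS ok: client signed %d time(s), server signed %d time(s)\n", c, s)
}
```

The point to take from the counters is that a whole mutually authenticated handshake needs exactly one private-key operation per peer, and that operation is the only thing a TPM-backed loader has to route to the hardware; everything else (certificate parsing, chain validation, key exchange) stays in ordinary Go code, which is why the feature can live inside the TLS config rather than replacing the HTTP transport.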
1 parent 2ecd0b7 commit 045488f

33 files changed: +613 -6 lines changed

.chloggen/tls-tpm.yaml

Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
# Use this changelog template to create an entry for release notes.
2+
3+
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
4+
change_type: enhancement
5+
6+
# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
7+
component: tls
8+
9+
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
10+
note: Add trusted platform module (TPM) support to TLS authentication.
11+
12+
# One or more tracking issues or pull requests related to the change
13+
issues: [12801]
14+
15+
# (Optional) One or more lines of additional information to render under the primary note.
16+
# These lines will be padded with 2 spaces and then inserted directly into the document.
17+
# Use pipe (|) for multiline entries.
18+
subtext: |
19+
Now the TLS allows the use of TPM for loading private keys (e.g. in TSS2 format).
20+
21+
# Optional: The change log or logs in which this entry should be included.
22+
# e.g. '[user]' or '[user, api]'
23+
# Include 'user' if the change is relevant to end users.
24+
# Include 'api' if there is a change to a library API.
25+
# Default: '[user]'
26+
change_logs: [user]
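Review bot: the `subtext` wording ("Now the TLS allows the use of TPM for loading private keys") reads awkwardly; suggest "TLS configuration can now load private keys through a TPM (e.g. keys in TSS2 format)." It would also help users to name the configuration keys the commit message exercises (`tls.tpm.enabled`, `tls.tpm.path`, with `/dev/tpmrm0` as the device in the example) so the release note points at the config surface rather than only the feature.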

.github/workflows/utils/cspell.json

Lines changed: 1 addition & 0 deletions
@@ -431,6 +431,7 @@
431431
"testprovider",
432432
"testutil",
433433
"tocstop",
434+
"tpmrm",
434435
"tracecontext",
435436
"traceid",
436437
"tracesonmemory",

cmd/otelcorecol/go.mod

Lines changed: 3 additions & 0 deletions
@@ -42,13 +42,15 @@ require (
4242
github.com/davecgh/go-spew v1.1.1 // indirect
4343
github.com/ebitengine/purego v0.8.2 // indirect
4444
github.com/felixge/httpsnoop v1.0.4 // indirect
45+
github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e // indirect
4546
github.com/fsnotify/fsnotify v1.9.0 // indirect
4647
github.com/go-logr/logr v1.4.2 // indirect
4748
github.com/go-logr/stdr v1.2.2 // indirect
4849
github.com/go-ole/go-ole v1.2.6 // indirect
4950
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
5051
github.com/gogo/protobuf v1.3.2 // indirect
5152
github.com/golang/snappy v1.0.0 // indirect
53+
github.com/google/go-tpm v0.9.3 // indirect
5254
github.com/google/uuid v1.6.0 // indirect
5355
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
5456
github.com/hashicorp/go-version v1.7.0 // indirect
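Review bot: `github.com/foxboron/go-tpm-keyfiles` is required at an untagged pseudo-version (`v0.0.0-20250323135004-b31fac66206e`), whereas `github.com/google/go-tpm v0.9.3` is a tagged release. The go.sum entries pin the content hash, so the build stays reproducible, but a dependency with no release tag deserves a sentence in the PR description (why this commit, whether a tagged release is expected) so that later dependency bumps are reviewed deliberately instead of moving silently to whatever commit `go get -u` resolves.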
@@ -158,6 +160,7 @@ require (
158160
go.opentelemetry.io/proto/otlp v1.5.0 // indirect
159161
go.uber.org/multierr v1.11.0 // indirect
160162
go.uber.org/zap v1.27.0 // indirect
163+
golang.org/x/crypto v0.37.0 // indirect
161164
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
162165
golang.org/x/net v0.39.0 // indirect
163166
golang.org/x/text v0.24.0 // indirect

cmd/otelcorecol/go.sum

Lines changed: 10 additions & 0 deletions

config/configgrpc/go.mod

Lines changed: 3 additions & 0 deletions
@@ -29,11 +29,13 @@ require (
2929

3030
require (
3131
github.com/davecgh/go-spew v1.1.1 // indirect
32+
github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e // indirect
3233
github.com/fsnotify/fsnotify v1.9.0 // indirect
3334
github.com/go-logr/logr v1.4.2 // indirect
3435
github.com/go-logr/stdr v1.2.2 // indirect
3536
github.com/gogo/protobuf v1.3.2 // indirect
3637
github.com/golang/snappy v0.0.4 // indirect
38+
github.com/google/go-tpm v0.9.3 // indirect
3739
github.com/google/uuid v1.6.0 // indirect
3840
github.com/hashicorp/go-version v1.7.0 // indirect
3941
github.com/json-iterator/go v1.1.12 // indirect
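Review bot: `go-tpm` and `go-tpm-keyfiles` (and, through them, `golang.org/x/crypto`) now appear as indirect requirements of configgrpc, confighttp and xconfighttp, so every collector distribution that uses configtls links the TPM client libraries even when `tpm.enabled` is false. If that footprint matters for builds that never touch a TPM, a build tag or a separate module for the TPM key loader would keep it out of the default dependency graph; otherwise it is worth stating in the description that the unconditional dependency is intended.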
@@ -53,6 +55,7 @@ require (
5355
go.opentelemetry.io/otel/trace v1.35.0 // indirect
5456
go.uber.org/multierr v1.11.0 // indirect
5557
go.uber.org/zap v1.27.0 // indirect
58+
golang.org/x/crypto v0.37.0 // indirect
5659
golang.org/x/net v0.39.0 // indirect
5760
golang.org/x/sys v0.32.0 // indirect
5861
golang.org/x/text v0.24.0 // indirect

config/configgrpc/go.sum

Lines changed: 10 additions & 0 deletions

config/confighttp/go.mod

Lines changed: 3 additions & 0 deletions
@@ -31,10 +31,12 @@ require (
3131
require (
3232
github.com/davecgh/go-spew v1.1.1 // indirect
3333
github.com/felixge/httpsnoop v1.0.4 // indirect
34+
github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e // indirect
3435
github.com/fsnotify/fsnotify v1.9.0 // indirect
3536
github.com/go-logr/logr v1.4.2 // indirect
3637
github.com/go-logr/stdr v1.2.2 // indirect
3738
github.com/gogo/protobuf v1.3.2 // indirect
39+
github.com/google/go-tpm v0.9.3 // indirect
3840
github.com/google/uuid v1.6.0 // indirect
3941
github.com/hashicorp/go-version v1.7.0 // indirect
4042
github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -49,6 +51,7 @@ require (
4951
go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
5052
go.opentelemetry.io/otel/trace v1.35.0 // indirect
5153
go.uber.org/multierr v1.11.0 // indirect
54+
golang.org/x/crypto v0.37.0 // indirect
5255
golang.org/x/sys v0.32.0 // indirect
5356
golang.org/x/text v0.24.0 // indirect
5457
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect

config/confighttp/go.sum

Lines changed: 10 additions & 0 deletions

config/confighttp/xconfighttp/go.mod

Lines changed: 3 additions & 0 deletions
@@ -14,11 +14,13 @@ require (
1414
require (
1515
github.com/davecgh/go-spew v1.1.1 // indirect
1616
github.com/felixge/httpsnoop v1.0.4 // indirect
17+
github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e // indirect
1718
github.com/fsnotify/fsnotify v1.9.0 // indirect
1819
github.com/go-logr/logr v1.4.2 // indirect
1920
github.com/go-logr/stdr v1.2.2 // indirect
2021
github.com/gogo/protobuf v1.3.2 // indirect
2122
github.com/golang/snappy v1.0.0 // indirect
23+
github.com/google/go-tpm v0.9.3 // indirect
2224
github.com/google/uuid v1.6.0 // indirect
2325
github.com/hashicorp/go-version v1.7.0 // indirect
2426
github.com/klauspost/compress v1.18.0 // indirect
@@ -45,6 +47,7 @@ require (
4547
go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
4648
go.uber.org/multierr v1.11.0 // indirect
4749
go.uber.org/zap v1.27.0 // indirect
50+
golang.org/x/crypto v0.37.0 // indirect
4851
golang.org/x/net v0.39.0 // indirect
4952
golang.org/x/sys v0.32.0 // indirect
5053
golang.org/x/text v0.24.0 // indirect

config/confighttp/xconfighttp/go.sum

Lines changed: 10 additions & 0 deletions
