
Add trusted platform module (TPM) support to TLS package #12801


Open. Wants to merge 2 commits into main.

Conversation

pavolloffay
Member

@pavolloffay pavolloffay commented Apr 4, 2025

Description

Add trusted platform module (TPM) support to TLS package.

Link to tracking issue

Resolves open-telemetry/opentelemetry-collector-contrib#38682
Replaces open-telemetry/opentelemetry-collector-contrib#39059

TPM cannot be implemented as an extension (open-telemetry/opentelemetry-collector-contrib#38682) because it overrides the entire http.Transport and therefore invalidates other extensions/authenticators.

Testing

# make otelcorecol 
# sudo ./bin/otelcorecol_linux_amd64 --config ./examples/local/tpm.yaml
#
# CA
#  openssl genrsa -des3 -out ca.key 2048
# openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
#
# client
# sudo tpm2tss-genkey -a rsa -s 2048 edge-cert.key
# sudo openssl req -new -provider tpm2  -key edge-cert.key -out edge-cert.csr -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in edge-cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out edge-cert.crt -days 1826 -copy_extensions copyall
#
# server
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr  -subj "/C=US/ST=CA/L=Santa Clara/O=Edge/OU=Edge/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 -copy_extensions copyall
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: localhost:4317
      http:
        endpoint: localhost:4318
  otlp/server:
    protocols:
      grpc:
        endpoint: localhost:4319
        tls:
          client_ca_file: ca.crt
          cert_file: server.crt
          key_file: server.key
exporters:
  otlp:
    endpoint: https://localhost:4319
    tls:
      key_file: edge-cert.key
      cert_file: edge-cert.crt
      ca_file: ca.crt
      tpm:
        enabled: true
        path: /dev/tpmrm0
  debug:
    verbosity: normal
service:
  telemetry:
    metrics:
      address: localhost:8889
  pipelines:
    metrics/client:
      receivers: [otlp]
      exporters: [otlp]
    metrics/server:
      receivers: [otlp/server]
      exporters: [debug]

Documentation

@pavolloffay pavolloffay requested a review from a team as a code owner April 4, 2025 10:00
@pavolloffay pavolloffay requested a review from songy23 April 4, 2025 10:00

codecov bot commented Apr 4, 2025

Codecov Report

Attention: Patch coverage is 93.75000% with 3 lines in your changes missing coverage. Please review.

Project coverage is 91.43%. Comparing base (e7bbf16) to head (3f1b039).

Files with missing lines      Patch %   Lines
config/configtls/tpm.go       88.00%    2 Missing and 1 partial ⚠️

❌ Your patch check has failed because the patch coverage (93.75%) is below the target coverage (95.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #12801   +/-   ##
=======================================
  Coverage   91.43%   91.43%           
=======================================
  Files         487      489    +2     
  Lines       26811    26855   +44     
=======================================
+ Hits        24514    24555   +41     
- Misses       1814     1816    +2     
- Partials      483      484    +1     


certificate, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
return tls.Certificate{}, fmt.Errorf("failed to load TLS cert and key PEMs: %w", err)
if c.TPMConfig.Enabled {
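Review bot: in the visible order, `tls.X509KeyPair(certPem, keyPem)` runs before the `if c.TPMConfig.Enabled {` branch, and the key produced by `tpm2tss-genkey` in the description is a TPM-wrapped key PEM rather than a plain PKCS#1/PKCS#8 private key, so the parse would fail with "failed to load TLS cert and key PEMs" before the TPM path is reached. If the TPM branch is meant to handle the key file itself, move it above the X509KeyPair call (parse only the certificate PEM there and take the signer from the TPM); otherwise add a comment stating what keyPem is expected to contain when TPM is enabled, since the reviewer's question about the mutual-exclusion checks at the top of the function turns on the same point.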
Contributor


Does TPM configuration need to be accounted for in the list of cases at the top of this function that returns an error if multiple certs are configured?

Member Author


no

@jmacd
Contributor

jmacd commented Apr 7, 2025

I was interested in the statement

TPM cannot be implemented as extension open-telemetry/opentelemetry-collector-contrib#38682 because it overrides the entire http.transport and therefore invalidates other extensions/authenticators.

It looks like the code just needs to modify the certificate used with TLS. In theory, we could define some kind of TLS-extension API, if we wanted the TPM dependency to be an optional one. 🤷 I'm not sure what process this repo uses to manage SBOM.
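The remark above that the change "just needs to modify the certificate used with TLS" is the whole of the integration: Go's tls.Certificate only needs PrivateKey to be a crypto.Signer, so a TPM-held key never has to be exported. This added Go example (not the PR's code; certFromSigner, selfSigned and the software-backed P-256 key standing in for the TPM are assumptions) shows the minimal loader and the public-key match check that tls.X509KeyPair would otherwise have provided:

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// certFromSigner builds a tls.Certificate from a certificate PEM and a crypto.Signer
// whose private material stays in its backing store (a TPM in the PR; a software key
// here). tls.X509KeyPair needs the raw key, so this path must repeat its key-match check.
func certFromSigner(certPEM []byte, signer crypto.Signer) (tls.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return tls.Certificate{}, errors.New("no CERTIFICATE block in PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return tls.Certificate{}, err
	}
	// All standard-library public key types implement Equal; without this check a
	// cert/key mismatch only surfaces later as an opaque handshake signature failure.
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return tls.Certificate{}, errors.New("signer public key does not match certificate")
	}
	return tls.Certificate{Certificate: [][]byte{block.Bytes}, PrivateKey: signer, Leaf: leaf}, nil
}

// selfSigned is a constructed fixture: a throwaway P-256 key and a self-signed
// certificate for it, standing in for the TPM-held key and edge-cert.crt.
func selfSigned() (crypto.Signer, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

The returned tls.Certificate can be placed in tls.Config.Certificates as usual; the handshake calls signer.Sign, which is exactly where a TPM-backed signer does its work.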

@pavolloffay pavolloffay force-pushed the tls-tpm branch 3 times, most recently from 70746d5 to 9917ad1 Compare April 8, 2025 14:13
@pavolloffay
Member Author

@codeboten thanks for the review. I have fixed the build but I am not able to get 95% code coverage without making the code a bit odd. Could you please re-review?

Signed-off-by: Pavol Loffay <[email protected]>
@pavolloffay
Member Author

There are conflicts in go.mod. I have already resolved them once; I will wait for reviews and resolve the conflicts then.

Development

Successfully merging this pull request may close these issues.

New component: tpmextesion - trusted platform module