Hi Andrew, Alexandru,
On 16/03/2022 10:42, Alexandru Elisei wrote:
Hi,
On Tue, Mar 15, 2022 at 04:25:28PM +0100, Andrew Jones wrote:
On Tue, Mar 15, 2022 at 01:33:57PM +0000, Alexandru Elisei wrote:
Hi,
Arm is planning to upstream tests that are being developed as part of the
Confidential Compute Architecture [1]. Some of the tests target the
attestation part of creating and managing a confidential compute VM, which
requires the manipulation of messages in the Concise Binary Object
Representation (CBOR) format [2].
I would like to ask if it would be acceptable from a license perspective to
include the QCBOR library [3] into kvm-unit-tests, which will be used for
encoding and decoding of CBOR messages.
The library is licensed under the 3-Clause BSD license, which is compatible
with GPLv2 [4]. Some of the files that were created inside Qualcomm before
the library was open-sourced have a slightly modified 3-Clause BSD license,
where a NON-INFRINGMENT clause is added to the disclaimer:
"THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE **AND NON-INFRINGEMENT**
ARE DISCLAIMED" (emphasis by me on the added clause).
The files in question include the core files that implement the
encode/decode functionality, and thus would have to be included in
kvm-unit-tests. I believe that the above modification does not affect the
compatibility with GPLv2.
I would also like to mention that the QCBOR library is also used in Trusted
Firmware-M [5], which is licensed under BSD 3-Clause.
[1] https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
[2] https://datatracker.ietf.org/doc/html/rfc8949
[3] https://github.com/laurencelundblade/QCBOR
[4] https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses
[5] https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/qcbor
Thanks,
Alex
Assuming the license is OK (I'm not educated in that stuff enough to give
an opinion), then the next question is how do we want to integrate it?
Bring it all in, like we did libfdt? Or use a git submodule?
Thanks for your feedback.
This is still a work in progress and at this time I'm not sure how it will
end up looking. Do you have a preference for one or the other?
My two cents. With the submodule approach, we can move to the later
versions of the QCBOR library (if needed, in the future) without much
noise in the history.
Cheers
Suzuki
Thanks,
Alex
_______________________________________________
kvmarm mailing list
kvmarm@xxxxxxxxxxxxxxxxxxxxx
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
