Hi, Arm is planning to upstream tests that are being developed as part of the Confidential Compute Architecture [1]. Some of the tests target the attestation part of creating and managing a confidential compute VM, which requires the manipulation of messages in the Concise Binary Object Representation (CBOR) format [2]. I would like to ask if it would be acceptable from a license perspective to include the QCBOR library [3] into kvm-unit-tests, which will be used for encoding and decoding of CBOR messages. The library is licensed under the 3-Clause BSD license, which is compatible with GPLv2 [4]. Some of the files that were created inside Qualcomm before the library was open-sourced have a slightly modified 3-Clause BSD license, where a NON-INFRINGMENT clause is added to the disclaimer: "THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE **AND NON-INFRINGEMENT** ARE DISCLAIMED" (emphasis by me on the added clause). The files in question include the core files that implement the encode/decode functionality, and thus would have to be included in kvm-unit-tests. I believe that the above modification does not affect the compatibility with GPLv2. I would also like to mention that the QCBOR library is also used in Trusted Firmware-M [5], which is licensed under BSD 3-Clause. [1] https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture [2] https://datatracker.ietf.org/doc/html/rfc8949 [3] https://github.com/laurencelundblade/QCBOR [4] https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses [5] https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/qcbor Thanks, Alex
