Problem
As explained in #54017, TF-M includes the source code in tree for t_cose, which is tightly coupled with QCBOR. QCBOR, unfortunately, has a non-standard, and non-OSI-compliant license, meaning that we are unable to commit the code to zephyrproject-rtos, and downloading the code at build time is forbidden by Zephyr's project policy.
#54690 works around this situation in a provisional manner by disabling the initial attestation service in TF-M, which is where the t_cose dependency comes from. If attestation tokens are required by the end user, and the QCBOR license is acceptable, you can optionally set `CONFIG_TFM_QCBOR_PATH` to a pre-downloaded copy of QCBOR, or set the string to `DOWNLOAD` and it will be downloaded at compile time.
Longer term, resolving the licensing issues around QCBOR is the better solution so that initial attestation can be enabled by default.
Solution(s)
There are several possible solutions here:
- Ask the TSC and board for a license exception for QCBOR
- Rewrite the problematic code and try to contribute that upstream
- Work with Qualcomm and the 20 or so authors to change the license terms
- Refactor t_cose to support multiple CBOR backends and point it to zcbor (this was proposed to the t_cose maintainer, and there was some understandable resistance from a maintenance point of view, but it may still be possible if a case can be made that it will be actively maintained by the contributors).