Hi! I'm working on packaging this for Debian, and we are doing a license review of the code. Your LICENSE file claims:
> IBM simulator code (in tpm2-simulator/) uses the following license:

However, there is not and has never been any `tpm2-simulator` sub-directory as far as I can tell, and I cannot find any files in the repository that claim to originate from IBM. To the contrary, `simulator/simulator.go` says:

```go
// Simulator represents a go-tpm compatible interface to the IBM TPM2 simulator.
```
So maybe the IBM simulator was never included in this repository, but you are doing a compatible implementation of it?
There is a simulator sub-directory but the README.md says the following about that code:
> Microsoft's TPM simulator code is licensed under a [3-clause BSD license](https://opensource.org/licenses/BSD-3-Clause) and the [TCG software license](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf). See the [`LICENSE`](LICENSE) file for more information.
Do you know the history or can explain more about the situation?
Maybe Microsoft's TPM simulator was derived from IBM's simulator originally? If so, can you explain lack of IBM-related copyright notices?
I also found that several files under `simulator` have an Intel copyright, such as `./simulator/ms-tpm-20-ref/TPMCmd/configure.ac`, which contains the quote below. Maybe you ought to mention that in README.md?

```
dnl Copyright (c) Intel Corporation
dnl
dnl All rights reserved.
dnl
dnl BSD License
dnl
dnl Redistribution and use in source and binary forms, with or without modification,
dnl are permitted provided that the following conditions are met:
dnl
dnl Redistributions of source code must retain the above copyright notice, this list
dnl of conditions and the following disclaimer.
dnl
dnl Redistributions in binary form must reproduce the above copyright notice, this
dnl list of conditions and the following disclaimer in the documentation and/or
dnl other materials provided with the distribution.
dnl
dnl THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
dnl AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
dnl IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
dnl DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
dnl ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
dnl (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
dnl LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
dnl ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
dnl (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
dnl SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```
Thanks,
/Simon
Hi Simon, thank you for the license review and the question.
I believe the embedded TPM simulator is actually from Microsoft (1614c14). I think this repo's LICENSE file is incorrect and should be updated to match the code. I also agree that Intel's contributions need to be reflected as well.
I think @josephlr knows the history of the go-tpm-tools embedded simulator implementation and could comment further. It might be that he started out prototyping based on the IBM package of the simulator and then moved over to the Microsoft one.
I don't think any IBM code is currently used by this project, so I think we should remove references to IBM from our READMEs and LICENSE files.
Microsoft originally contributed the reference code for TPM 2.0. IBM maintains an unattributed copy of the Microsoft code in their projects (e.g., ibmswtpm2). The IBM simulator code is about 93% identical (by Levenshtein distance after normalizing formatting) to the code from Microsoft (which is now maintained by Trusted Computing Group). I have reported this possible copyright issue to Microsoft and TCG to let them decide what they want to do about it (if anything).
Thank you for taking this seriously and your thorough response!
I compared your `simulator/ms-tpm-20-ref/` sub-directory with the latest https://github.com/microsoft/ms-tpm-20-ref and there are a bunch of code changes not reflected. There are also some licensing/copyright changes made.
I found another TPM software implementation -- https://github.com/stefanberger/libtpms -- which seems somewhat similar, and it is already packaged in Debian which may make it easier (or harder..) to re-use. Did you evaluate options to ship your vendored local fork?