TCG TPM license issue

TCG TPM license issue

[Stefano Garzarella]

Hi all,
it seems the license of the TCG TPM reference implementation that we
are using to emulate the vTPM in SVSM is not exactly BSD but a variant
of it.

For some distro, like Fedora, this could be an issue. See
https://gitlab.com/fedora/legal/fedora-license-data/-/issues/716

Thanks,
Stefano

Re: TCG TPM license issue

[James Bottomley]

On Fri, 2026-01-23 at 11:02 +0100, Stefano Garzarella wrote:
> Hi all,
> it seems the license of the TCG TPM reference implementation that we
> are using to emulate the vTPM in SVSM is not exactly BSD but a
> variant of it.
> 
> For some distro, like Fedora, this could be an issue. See
> https://gitlab.com/fedora/legal/fedora-license-data/-/issues/716

The problem clause is a conditional statement about the origin of the
code and not part of the licence, so I don't believe it modifies the
BSD-2-Clause nature of the implementation in any way.

Additionally, just in the interest of fair dealing Fedora can't
disapprove of this this disclaimer in coconut, but perfectly fine with
it in another project they're already shipping:

https://packages.fedoraproject.org/pkgs/libtpms/libtpms/index.html

which has a slightly different form of the disclaimer (inherited
directly from the TCG) which seems to be a bit stronger in terms of
modifying the licence:

https://github.com/stefanberger/libtpms/blob/master/LICENSE

---
THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF
LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH
RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES)
THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR
OTHERWISE. Contact TCG Administration
(admin@trustedcomputinggroup.org) for information on specification
licensing rights available through TCG membership agreements.
---

However, I did ask and got word that apparently the TCG has already
modified its copyright IP policy not to require the patent disclaimer
in the code, so it's going to remove the language from the TPM
repository anyway.  I'm guessing that would mean the same problematic
clause can be removed from libtpms but you'll need to take that up with
upstream.

Regards,

James

Re: TCG TPM license issue

[Daniel P. Berrangé]

On Fri, Jan 23, 2026 at 02:15:49PM -0500, James Bottomley wrote:
> On Fri, 2026-01-23 at 11:02 +0100, Stefano Garzarella wrote:
> > Hi all,
> > it seems the license of the TCG TPM reference implementation that we
> > are using to emulate the vTPM in SVSM is not exactly BSD but a
> > variant of it.
> > 
> > For some distro, like Fedora, this could be an issue. See
> > https://gitlab.com/fedora/legal/fedora-license-data/-/issues/716
> 
> The problem clause is a conditional statement about the origin of the
> code and not part of the licence, so I don't believe it modifies the
> BSD-2-Clause nature of the implementation in any way.

That feels too convenient as a rationalization. Why would it not have 
been left as an unmodified BSD-2-Clause license document without this
extra language added ? There's some intent behind including it. It
comes across like a attempt to make a new BSD variant, similar in style
to the BSD-3-Clause-Clear (also forbidden in Fedora).

> Additionally, just in the interest of fair dealing Fedora can't
> disapprove of this this disclaimer in coconut, but perfectly fine with
> it in another project they're already shipping:
> 
> https://packages.fedoraproject.org/pkgs/libtpms/libtpms/index.html
> 
> which has a slightly different form of the disclaimer (inherited
> directly from the TCG) which seems to be a bit stronger in terms of
> modifying the licence:
> 
> https://github.com/stefanberger/libtpms/blob/master/LICENSE

FWIW, that is referred to as the "TCGL" license in Fedora terminology
and that is also denoted as forbidden for further usage. The libtpms
package was accepted into Fedora some 15 years ago, and after the
change in rules, it was decided to grant it an exception to allow it
to remain

  https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/LicenseRef-TCGL.toml

Yes, that is somewhat unfair to other packages that have the same or similar
license, but that's the tradeoff Fedora has chosen to make in this tricky
scenario.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: TCG TPM license issue

[James Bottomley]

On Fri, 2026-01-23 at 22:06 +0000, Daniel P. Berrangé wrote:
> On Fri, Jan 23, 2026 at 02:15:49PM -0500, James Bottomley wrote:
> > On Fri, 2026-01-23 at 11:02 +0100, Stefano Garzarella wrote:
> > > Hi all,
> > > it seems the license of the TCG TPM reference implementation that
> > > we are using to emulate the vTPM in SVSM is not exactly BSD but a
> > > variant of it.
> > > 
> > > For some distro, like Fedora, this could be an issue. See
> > > https://gitlab.com/fedora/legal/fedora-license-data/-/issues/716
> > 
> > The problem clause is a conditional statement about the origin of
> > the code and not part of the licence, so I don't believe it
> > modifies the BSD-2-Clause nature of the implementation in any way.
> 
> That feels too convenient as a rationalization. Why would it not have
> been left as an unmodified BSD-2-Clause license document without this
> extra language added ? There's some intent behind including it. It
> comes across like a attempt to make a new BSD variant, similar in
> style to the BSD-3-Clause-Clear (also forbidden in Fedora).

I give a scenario based illustration of my point below.  Since you're
imputing intent, can you come up with a scenario where removing the
warning actually leads to a different outcome?

> > Additionally, just in the interest of fair dealing Fedora can't
> > disapprove of this this disclaimer in coconut, but perfectly fine
> > with it in another project they're already shipping:
> > 
> > https://packages.fedoraproject.org/pkgs/libtpms/libtpms/index.html
> > 
> > which has a slightly different form of the disclaimer (inherited
> > directly from the TCG) which seems to be a bit stronger in terms of
> > modifying the licence:
> > 
> > https://github.com/stefanberger/libtpms/blob/master/LICENSE
> 
> FWIW, that is referred to as the "TCGL" license in Fedora terminology
> and that is also denoted as forbidden for further usage. The libtpms
> package was accepted into Fedora some 15 years ago, and after the
> change in rules, it was decided to grant it an exception to allow it
> to remain

But neither Fedora nor Red Hat has done anything to help upstream
remove the clause you claim to be a problem?
  
> https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/LicenseRef-TCGL.toml
> 
> Yes, that is somewhat unfair to other packages that have the same or
> similar license, but that's the tradeoff Fedora has chosen to make in
> this tricky scenario.

What Fedora is saying by this action is that they're happy to complain
about it but they don't think the issue is important enough to actually
bother fixing ... I can certainly agree with the latter.

However, to illustrate the point I made above about the clause being
merely a warning let's assume BSD-2-Clause does contain a patent grant
(big assumption since most lawyers believe it doesn't), the TCG removes
the wording for the reference TPM and, by some miracle (since Fedora is
doing nothing about it), libtpms also removes the disclaimer.  Lets
also assume there is a patent problem in the code and EvilCorp, a
former TCG member and Rambus wannabe, owns the patent and sues Red Hat
for infringement by shipping TPM and libtpms.  You can say "Red Hat has
a licence" but if you inspect the git history of both projects you'll
not find anything from EvilCorp employees.  In fact the problem code
will have been committed by different people in each project because
they scooped it out of the standard.  Even if you manage to get the
minutes of the TCG meeting where the feature was coded, you'll find
that EvilCorp may have suggested the feature, but engineers from
another company wrote the code.  Result: Red Hat has no licence and
lose the case.

Back to my original point: the clause is a warning about the origins of
the code.  The TCG can remove the warning, if you insist, but that
doesn't remove the problem that's actually being warned about.

Regards,

James

Re: TCG TPM license issue

[Stefano Garzarella]

On Fri, 23 Jan 2026 at 20:15, James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
>
> On Fri, 2026-01-23 at 11:02 +0100, Stefano Garzarella wrote:
> > Hi all,
> > it seems the license of the TCG TPM reference implementation that we
> > are using to emulate the vTPM in SVSM is not exactly BSD but a
> > variant of it.
> >
> > For some distro, like Fedora, this could be an issue. See
> > https://gitlab.com/fedora/legal/fedora-license-data/-/issues/716
>
> The problem clause is a conditional statement about the origin of the
> code and not part of the licence, so I don't believe it modifies the
> BSD-2-Clause nature of the implementation in any way.
>
> Additionally, just in the interest of fair dealing Fedora can't
> disapprove of this this disclaimer in coconut, but perfectly fine with
> it in another project they're already shipping:
>
> https://packages.fedoraproject.org/pkgs/libtpms/libtpms/index.html
>
> which has a slightly different form of the disclaimer (inherited
> directly from the TCG) which seems to be a bit stronger in terms of
> modifying the licence:
>
> https://github.com/stefanberger/libtpms/blob/master/LICENSE
>
> ---
> THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF
> LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH
> RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES)
> THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR
> OTHERWISE. Contact TCG Administration
> (admin@trustedcomputinggroup.org) for information on specification
> licensing rights available through TCG membership agreements.
> ---
>
> However, I did ask and got word that apparently the TCG has already
> modified its copyright IP policy not to require the patent disclaimer
> in the code, so it's going to remove the language from the TPM
> repository anyway.

So basically, the next TCG TPM version should have a LICENSE file with
only BSD-2-Clause, right?

That should solve the problem I guess.

> I'm guessing that would mean the same problematic
> clause can be removed from libtpms but you'll need to take that up with
> upstream.

Yeah, I'll do.

Thanks,
Stefano