[coreboot] How to properly conform with GPLv2 for Coreboot and SeaBIOS on an embedded system

Lewis, Ian (Microstar Laboratories) ilewis at mstarlabs.com
Sun Dec 24 07:46:40 CET 2017


I am looking at using a processor module that initializes using Coreboot
and SeaBIOS to make an embedded hardware product. Assuming we move
forward, Coreboot/SeaBIOS will load our (proprietary) OS. Our OS
contains no GPL licensed code.

We have never used GPL licensed code in our products before. And, I am
having a hard time seeing how we can do so and comply with GPLv2, or
GPLv3 for that matter.

I have read this page
https://www.softwarefreedom.org/resources/2008/compliance-guide.html
several times, a number of other sites, as well as reading the GPLv2
itself.

I do not want to impose a GPLv2 requirement on our customers if they use
our product.  I want GPLv2 compliance to be fully our responsibility. If
we do have to impose a GPLv2 requirement on our customers to use a
Coreboot/SeaBIOS initialized platform, we probably cannot use such a
platform in any product, which would be quite unfortunate from my point
of view.

A large fraction of our customers are OEMs or VARs and they make
products of their own that use our products as a part. Unless they pull
the system apart, the end-use customer often does not even know one of
our products is part of the system they buy, though our licensing to our
customer (OEM) does require that the reseller maintain our copyright
notice in their system documentation or software copyright notice or
they do not have a right to distribute our software. The copyright for
the hardware is printed on the hardware itself, as is customary. The OEM
who uses our product configures our product before it ships to the
end-use customer, and they often build additional hardware of their own
as part of the system. The OEM (our customer) almost always includes a
PC and custom software of their own as part of the end-use system. The
end use customer may later re-sell their system to yet another end-use
customer or even pull our product out of the system and resell that
separately (on eBay, say).

If I have understood correctly, all of these owners of our product must
have access to exactly the Coreboot/SeaBIOS source used to produce the
binary in the copy of our product they own.

Based on my understanding so far (highly limited), the only way that
looks like it might be possible to avoid propagating a GPLv2 requirement
to our customers - and thus making the compliance fully our
responsibility - would be if we distribute a copy of the exact source
code used to build the module's Coreboot/SeaBIOS configuration as an
integral part of our product. If there is any way to do it, we would
actually rather not develop the expertise to set up such a build, but I
see no way around being able to build our own version of the system
image if we are to comply with GPLv2. My understanding is that we have
to know exactly how to build the exact binary we distribute and we have
to be able to tell a technically competent recipient of the binary how
to do that build themselves, as well as how to incorporate the new build
into our product. We do not have to support any changes whatsoever, but
we do have to support the initial process of re-configuring our product
with a newly built binary that came from the sources we supply as long
as there are no changes made to those sources.

One idea I had is to put the source on a microSD drive and
semi-permanently attach that drive to the product. That way the
Coreboot/SeaBIOS code would go along for the ride any time our product
changed hands (as long as no one lost it). The microSD would not be
part of our product. So, an owner of our product (and so a recipient of
the binary distribution of Coreboot/SeaBIOS) would have the code on the
microSD, but we have no easy way to provide them access to its content.
But, they could remove the microSD from the product and read it from any
machine that can read a microSD. That means almost any machine.

That seems to me like it might cover the source distribution requirement
of GPLv2, though I am not quite certain it is good enough.

However, so far, it looks impossible to me to meet the GPLv2
notification requirements. And, I do not understand at all how the likes
of network routers that use GPL licensed code can possibly comply
either.

I can imagine fitting a URL, such as www.mstarlabs.com/GPL (not a real
URL) on to the product to point any owner of the product to an
explanation of where to find the license text and source for
Coreboot/SeaBIOS. The microSD would have everything needed to comply on
it, but I do not think that comes close to meeting the notice
requirements of GPL.

Under Windows, where we sell the vast majority of our systems, we do
have a control panel application that every user could potentially get
to. And, it could include a screen that explains the owner's GPL rights
and where to find the source microSD on the product. But, we have no
means to force the user to look at the control panel application, and
most users would never have any reason to do so.

Do you have any written guidelines that explain how to properly - and
legally - distribute a commercial hardware product that incorporates
Coreboot/SeaBIOS? In particular, how can we meet the notification
requirements when the user never even physically handles the product,
sees any output from the device, or installs any software on it? I am
having a hard time figuring out how to do this, if it is possible at
all.

If this is the wrong forum for this kind of question, I apologize. And,
I would appreciate if someone could point me to an appropriate forum.

Ian Lewis

www.mstarlabs.com
