qcbor: library to expose Qualcomm Security Package

[jiaxli-QC]

Add a recipe to build qcbor, library to work with security functionality on Qualcomm platforms.

The libqcbor, which are only available through meta-oe, is depended by Qcom-teec and MinkIPC. Thus add libqcbor recipe to the corresponding dynamic-layers subdir.

The qcbor library is used for decoding and encoding data structures.

[jiaxli-QC]

Hi reviewer, this PR has been separated from PR1094. Following our internal discussion, we have decided to share the qcbor, qcom-teec, and minkipc components individually.
Our expected merge order is:

1. qcbor: qcbor: library to expose Qualcomm Security Package #1166
2. qcom-teec: qcom-tee: add a library for security feature support #1167
3. Minkipc: minkipc: Add libraries and applications for security feature support #1094

[vksharma-oss]

qcbor is using the BSD-3-clause license:
ref: https://github.com/laurencelundblade/QCBOR?tab=License-1-ov-file

[lumag]

Isn't it what is stated here?

[jiaxli-QC]

BSD 3-Clause License

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[vksharma-oss]

what is use of -DBUILD_QCBOR_TEST ? enabling this flag means you are generating a unit test client too along with library ?

[vkraleti]

If intention is to build test application along with the libs, use a PACKAGECONFIG check and use the same in installing the test bin as well as to add ${PN}-test to PACAKGES. Otherwise this recipe will end up with an empty test package and do_install failures when user wants to drop BUILD_QCBOR_TEST from OECMAKE.

[lumag]

The question of using PACKAGECONFIG is orthogonal. No, the user will not end up with an empty package, OE handles it internally. None of the recipes I know check PACKAGECONFIG when populating PACKAGES.

[jiaxli-QC]

If intention is to build test application along with the libs, use a PACKAGECONFIG check and use the same in installing the test bin as well as to add ${PN}-test to PACAKGES. Otherwise this recipe will end up with an empty test package and do_install failures when user wants to drop BUILD_QCBOR_TEST from OECMAKE.

Updated. PACKAGECONFIG is a boolean variable, so because we have three options (OFF / LIB / APP), we created a custom variable called QCBOR_TEST_MODE.

[vksharma-oss]

in which package the qcbor.so going ?

[jiaxli-QC]

Hi @lumag , reviewers, what is the recommended way to include qcbor in the image? The build command kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml compiles the core-image-base target, which is defined in the OE-core layer.

[lumag]

Do you mean the library or the test utils?
For the library you don't need to "include" it. Let it be pulled in by the dependencies. For the test utils, please include it into the test image. You had a nice idea of a security-testing packagegroup. I don't understand, why you dropped it .

[jiaxli-QC]

I indecated the test utils. How can we include the qcbortest into the .img file and flash it onto the device?

In this pull request, qcbor is not required as a dependency, so the packagegroup-secure package has been removed to enable faster code merging, we will add this package in the Minkipc pull request.

[lumag]

Please patch the CMakeList to use make install instead. Send the patch upstream

[lumag]

What goes to this package?

[jiaxli-QC]

Updated.

FILES:${PN}-ptest += " ${bindir}/qcbortest"

[lumag]

This package is not defined.

[jiaxli-QC]

Updated.
FILES:${PN}-ptest += " ${bindir}/qcbortest"

[lumag]

One the top of that, please write an appropriate commit subject and message. Please use git log to get some examples.

[lumag]

This is plain wrong. It is not 0.0. There was a 1.8.3 release. Please use the release instead of packaging random git commit (and lying about the version).

[jiaxli-QC]

Alright, Have updated the version as 1.5.3.
ref: https://github.com/laurencelundblade/QCBOR/releases
PV = "1.5.3+git"

[lumag]

What does this mean? Why is it selectable?

[lumag]

Ignoring review will bring you nowhere. Fold this into make install.

[ricardosalveti]

Why Qualcomm? It is just the upstream project.

[ricardosalveti]

There is already a qcbor recipe in meta-oe, can't we just use that one instead (and update to a newer rev if required)?

https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb

[jiaxli-QC]

There is already a qcbor recipe in meta-oe, can't we just use that one instead (and update to a newer rev if required)?

https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb

Yes, the QCbor BB file is already present in the EO layer. However, we do not manage meta-EO. If a new version of QCbor is required in meta-QCOM later on, we will need to update it in meta-EO, but the timing for this is uncertain.

Additionally, when compiling qcbor with OE, only the library is produced, and qcbortest is not generated. This will make debugging qcbor challenging for future products that use the meta-qcom branch.

[jiaxli-QC]

Hi @lumag , @ricardosalveti, @vksharma-oss, @vkraleti , many thanks for your review and support.
I plan to use the current QCBOR from the meta-openembedded, and will submit any required changes to meta-OE.

[vkraleti]

There is already a qcbor recipe in meta-oe, can't we just use that one instead (and update to a newer rev if required)?
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb

Yes, the QCbor BB file is already present in the EO layer. However, we do not manage meta-EO. If a new version of QCbor is required in meta-QCOM later on, we will need to update it in meta-EO, but the timing for this is uncertain.

Well this is not at all correct and right. Doing a parallel development for open source project can lead to fragmentation, long-term maintenance challenges and may end up in Frankenstein.

We should first prioritize reusing the existing recipe in meta-oe. If enhancements are needed, they should be submitted to upstream meta-oe, get them reviewed and merged. During reviews, if some challenges come up due to misalignment with community then only we should consider adding a bbappend in meta-qcom. Without even attempting to upstream, completely replacing the recipe is not an acceptable solution.

[jiaxli-QC]

There is already a qcbor recipe in meta-oe, can't we just use that one instead (and update to a newer rev if required)?

https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb

There is already a qcbor recipe in meta-oe, can't we just use that one instead (and update to a newer rev if required)?
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb

Yes, the QCbor BB file is already present in the EO layer. However, we do not manage meta-EO. If a new version of QCbor is required in meta-QCOM later on, we will need to update it in meta-EO, but the timing for this is uncertain.

Well this is not at all correct and right. Doing a parallel development for open source project can lead to fragmentation, long-term maintenance challenges and may end up in Frankenstein.

We should first prioritize reusing the existing recipe in meta-oe. If enhancements are needed, they should be submitted to upstream meta-oe, get them reviewed and merged. During reviews, if some challenges come up due to misalignment with community then only we should consider adding a bbappend in meta-qcom. Without even attempting to upstream, completely replacing the recipe is not an acceptable solution.

Hi @vkraleti @lumag @ricardosalveti
In the meta-qcom, it did not add the dependency on meta-oe. therefore the qcbor cannot be found. How can we use qcbor from https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb.

Build command: kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml --target qcomtee
Error log:

2025-10-30 11:32:36 - INFO     - kas 4.7 started
2025-10-30 11:32:36 - INFO     - Using /local/mnt2/workspace/K2L/upstream/meta-qcom as root for repository meta-qcom
2025-10-30 11:32:36 - INFO     - Repository oe-core already contains master as commit
2025-10-30 11:32:36 - INFO     - Repository bitbake already contains master as commit
2025-10-30 11:32:36 - INFO     - Repository meta-yocto already contains master as commit
2025-10-30 11:32:36 - WARNING  - Repo oe-core is dirty - no checkout
2025-10-30 11:32:36 - INFO     - Repository bitbake checked out to 35a421cdcafb3595b9de5489ffdc567825400d26
2025-10-30 11:32:36 - INFO     - Repository meta-yocto checked out to fe65e142d0d9ba0e51ff9175ffa82e902f982a20
2025-10-30 11:32:37 - INFO     - /local/mnt2/workspace/K2L/upstream/build$ /local/mnt2/workspace/K2L/upstream/bitbake/bin/bitbake -c build qcomtee
Loading cache: 100% |                                                                                                                 | ETA:  --:--:--
Loaded 0 entries from dependency cache.
Parsing recipes: 100% |################################################################################################################| Time: 0:00:14
Parsing of 1048 .bb files complete (0 cached, 1048 parsed). 2060 targets, 66 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
ERROR: Nothing PROVIDES 'qcbor' (but /local/mnt2/workspace/K2L/upstream/build/../meta-qcom/recipes-security/qcomtee/qcomtee_git.bb DEPENDS on or otherwise requires it)
ERROR: Required build target 'qcomtee' has no buildable providers.
Missing or unbuildable dependency chain was: ['qcomtee', 'qcbor']

Summary: There were 2 ERROR messages, returning a non-zero exit code.

qcomtee comes from PR1067

[vkraleti]

Being a BSP layer, meta-qcom is expected to be built standalone using oe-core without dependency on any other layers like meta-oe. If QTEE has dependencies on recipes from meta-oe, may be it can be added to dynamic-layers section to conditionally compile.

[ricardosalveti]

Being a BSP layer, meta-qcom is expected to be built standalone using oe-core without dependency on any other layers like meta-oe. If QTEE has dependencies on recipes from meta-oe, may be it can be added to dynamic-layers section to conditionally compile.

Right, let's use it via dynamic-layers for now until we can validate the workflow and the builds, later on we can either propose for oe-core (harder in this scenario as we should have at least a common dependency there), or bring the recipe as part of meta-qcom but syncing it with the recipe available under meta-oe.

What I really want to avoid is multiple versions and variants of the same recipe in multiple layers, because meta-oe is also available with meta-qcom-distro.

[jiaxli-QC]

Being a BSP layer, meta-qcom is expected to be built standalone using oe-core without dependency on any other layers like meta-oe. If QTEE has dependencies on recipes from meta-oe, may be it can be added to dynamic-layers section to conditionally compile.

Hi @lumag , @vkraleti , @ricardosalveti
Updated the qcbor compilation. Move it to dynamic-layers/openembedded-layer/recipes-extended/qcbor/qcbor_1.5.3.bb, and make consistent with https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/qcbor/qcbor_1.5.3.bb.

[jiaxli-QC]

After adding qcbor to the dynamic-layers/openembedded-layer/recipes-extended/qcbor/ directory, I ran into a compilation error: ERROR: Nothing PROVIDES 'qcbor'. Could you provide some suggestions? Many thanks.

Command: $ kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml --target qcbor

2025-10-31 17:39:28 - INFO     - kas 4.7 started
2025-10-31 17:39:28 - INFO     - Using /local/mnt2/workspace/K2L/upstream/meta-qcom as root for repository meta-qcom
2025-10-31 17:39:28 - INFO     - Repository oe-core already contains master as commit
2025-10-31 17:39:28 - INFO     - Repository bitbake already contains master as commit
2025-10-31 17:39:28 - INFO     - Repository meta-yocto already contains master as commit
2025-10-31 17:39:28 - WARNING  - Repo oe-core is dirty - no checkout
2025-10-31 17:39:28 - INFO     - Repository bitbake checked out to 35a421cdcafb3595b9de5489ffdc567825400d26
2025-10-31 17:39:28 - INFO     - Repository meta-yocto checked out to fe65e142d0d9ba0e51ff9175ffa82e902f982a20
2025-10-31 17:39:29 - INFO     - /local/mnt2/workspace/K2L/upstream/build$ /local/mnt2/workspace/K2L/upstream/bitbake/bin/bitbake -c build qcbor
Loading cache: 100% |##################################################################################################################| Time: 0:00:00
Loaded 2060 entries from dependency cache.
Parsing recipes: 100% |################################################################################################################| Time: 0:00:01
Parsing of 1047 .bb files complete (1046 cached, 1 parsed). 2059 targets, 66 skipped, 0 masked, 0 errors.
Removing 1 recipes from the armv8-2a sysroot: 100% |###################################################################################| Time: 0:00:00
Removing 1 recipes from the qcs6490_rb3gen2_core_kit sysroot: 100% |###################################################################| Time: 0:00:00
ERROR: Nothing PROVIDES 'qcbor'

Summary: There was 1 ERROR message, returning a non-zero exit code.

[lumag]

I think Ricardo meant to drop QCBOR from this layer and use qcbor dynamically from meta-oe.

[jiaxli-QC]

Being a BSP layer, meta-qcom is expected to be built standalone using oe-core without dependency on any other layers like meta-oe. If QTEE has dependencies on recipes from meta-oe, may be it can be added to dynamic-layers section to conditionally compile.

I think Ricardo meant to drop QCBOR from this layer and use qcbor dynamically from meta-oe.

Hi @vkraleti , @vksharma-oss , if I use qcbor dynamically from meta-oe, I am unable to build security components standalone with oe-core without relying on other layers such as meta-oe.

Hi @lumag , if I use qcbor dynamically from meta-oe, could you share the compilation command? The README only mentions the kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml command. Many thanks.

[vkraleti]

Being a BSP layer, meta-qcom is expected to be built standalone using oe-core without dependency on any other layers like meta-oe. If QTEE has dependencies on recipes from meta-oe, may be it can be added to dynamic-layers section to conditionally compile.

I think Ricardo meant to drop QCBOR from this layer and use qcbor dynamically from meta-oe.

Hi @vkraleti , @vksharma-oss , if I use qcbor dynamically from meta-oe, I am unable to build security components standalone with oe-core without relying on other layers such as meta-oe.

Hi @lumag , if I use qcbor dynamically from meta-oe, could you share the compilation command? The README only mentions the kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml command. Many thanks.

This is inline with expectations. Security features are typically tied to distributions and are not default offerings in BSP layers.
For example, features like SELinux and kernel module signing are enabled through distribution-level configurations but not by default in BSP.

Similarly for this case, you need to :

1. Remove the qcbor recipe.
2. Add the qcomtee and minkipc recipes under dynamic-layers in meta-qcom.
   To use these, include the meta-qcom-distro layer while building. This will ensure that dependencies from meta-oe are correctly pulled in.

[ricardosalveti]

Hi @lumag , if I use qcbor dynamically from meta-oe, could you share the compilation command? The README only mentions the kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml command. Many thanks.

Meta-oe is added when building with meta-qcom-distro, so you will have to use kas build ci/qcs6490-rb3gen2-core-kit.yml:ci/qcom-distro.yml.

[jiaxli-QC]

Hi @lumag , if I use qcbor dynamically from meta-oe, could you share the compilation command? The README only mentions the kas build meta-qcom/ci/qcs6490-rb3gen2-core-kit.yml command. Many thanks.

Meta-oe is added when building with meta-qcom-distro, so you will have to use kas build ci/qcs6490-rb3gen2-core-kit.yml:ci/qcom-distro.yml.

How can we include minkipc and qcomtee in the image for validation purposes?

[jiaxli-QC]

This is inline with expectations. Security features are typically tied to distributions and are not default offerings in BSP layers. For example, features like SELinux and kernel module signing are enabled through distribution-level configurations but not by default in BSP.

Similarly for this case, you need to :

1. Remove the qcbor recipe.
2. Add the qcomtee and minkipc recipes under dynamic-layers in meta-qcom.
   To use these, include the meta-qcom-distro layer while building. This will ensure that dependencies from meta-oe are correctly pulled in.

Hi @vkraleti @lumag , why we should move the minkipc and qcbor in dynamic-layer? This two repo is owned by qcom, can we create the recipes-security in the same directory as recipes-bsp directory.
Because in the future we will need to manage a whole set of security-related components. Furthermore, in Mete-oe, recipes-security exists independently of recipes-bsp and recipes-core.

[vkraleti]

This is inline with expectations. Security features are typically tied to distributions and are not default offerings in BSP layers. For example, features like SELinux and kernel module signing are enabled through distribution-level configurations but not by default in BSP.
Similarly for this case, you need to :

1. Remove the qcbor recipe.
2. Add the qcomtee and minkipc recipes under dynamic-layers in meta-qcom.
   To use these, include the meta-qcom-distro layer while building. This will ensure that dependencies from meta-oe are correctly pulled in.

Hi @vkraleti @lumag , why we should move the minkipc and qcbor in dynamic-layer? This two repo is owned by qcom, can we create the recipes-security in the same directory as recipes-bsp directory. Because in the future we will need to manage a whole set of security-related components. Furthermore, in Mete-oe, recipes-security exists independently of recipes-bsp and recipes-core.

Ask is to drop qcbor recipe from meta-qcom and use the one in meta-oe. Since qcomtee and minkipc recipes are dependent on qcbor, which would be available only when meta-oe is parsed, enabling them by default will cause build issues. Keeping them under "dynamic-layers/openembedded-layer/recipes-security" allows to skip these when meta-oe is not present.

[jiaxli-QC]

Meta-oe is added when building with meta-qcom-distro, so you will have to use kas build ci/qcs6490-rb3gen2-core-kit.yml:ci/qcom-distro.yml.

Have we confirmed the build target? I'm wondering why the device isn't booting up after flashing the build with no modifications.

[vkraleti]

Meta-oe is added when building with meta-qcom-distro, so you will have to use kas build ci/qcs6490-rb3gen2-core-kit.yml:ci/qcom-distro.yml.

Have we confirmed the build target? I'm wondering why the device isn't booting up after flashing the build with no modifications.

Yes, multimedia-image built with 'qcom-distro' is booting fine on rb3gen2-core-kit. This combination is in CI as well.

[jiaxli-QC]

Thank you for your attention and for reviewing the code. I will close this PR and use the qcbor library from meta-oe.