May 1, 2013 1

Open Source Compliance in Embedded Systems

Eli GreenbaumYigal Arnon & Co.elig@arnon.co.il

May 1, 2013

May 1, 2013 2

Embedded Devices

• Network devices (Router, DSL Modem)• Mobile Phones• Televisions• STBs, Digital Media Players• Automobiles• Aircraft

2

May 1, 2013 3

The BusyBox Cases

2007: Erik Anderson and Rob Landley vs. Monsoon Media, Inc.

(Hava products, time and place shifting)

May 1, 2013 4

Busybox

• “Swiss Army Knife” of embedded Linux• Lightweight set of standard utilities • Optimized for smaller computing platforms• Licensed under GPLv2

4

May 1, 2013 5

General Public License (GPL)

• Most popular open source license• Depends on copyright• Licensee can use, modify and distribute so long as:

- source code is also provided- the GPL always applies

• Philosophy is to preserve the freedom of the user to modify the software and run modified versions.

5

May 1, 2013 6

General Public License (GPL)

• Licensee must provide source code upon any distribution, including

- distribution of a physical device with software embedded in flash- download of firmware update - even if software was not modified

• Derivative works

6

May 1, 2013 7

Monsoon Media Claims

• Brought by BusyBox developers• BusyBox is licensed under version 2 of the GPL• BusyBox was included in firmware of Monsoon Media’s device• Device was distributed without the BusyBox source code or a

written offer to receive source code.• Copyright holders seek damages, litigation costs, injunction

against further use of the BusyBox software

7

May 1, 2013 8

2007: High Gain Antennas, LLC(wireless router)

Xterasys Corp(networking products)

Verizon Communications(Actiontec Wireless Routers)

2008: Bell Microproducts(Network attached storage device)

Super Micro Computer(IPMI card)

8

May 1, 2013 9

2009: Best Buy (Blu-ray DVD player)Samsung (HDTV)Westinghouse (HDTV)JVC (HDTV and network camera)Western Digital (Media player)Robert Bosch (Security system DVR)Phoebe Micro (Wireless routers)Humax (HDTV DVR)Comtrend (ADSL modems)Dobbs-Stanford (Digital media player) Versa Technology (Outdoor WAP)Zyxel (ADSL router)Astak (Security camera system)GCI (Digital music controller)

9

May 1, 2013 10

#1 :Supply Chain

• SoC manufacturer• ODM building circuit board• SDK for SoC/board• Application programs• OEM selling product to end users• Distributors/Retailers

10

May 1, 2013 11

#2 :Build Scripts

• Source code includes:“ scripts used to control compilation and installation of the executable” (GPLv2); or“all the source code needed to generate, install, and … run the object code and to modify the work, including scripts to

control those activities” (GPLv3)

11

May 1, 2013 12

#3 :Installation Information

• Express requirement in GPLv3• DRM to prevent users from running modified

versions of the software• Cryptographic checks

of the bootloader or kernel

12

May 1, 2013 13

ComplianceTechnical

• USE open source software• License compliance is a management and

engineering problem• License compliance is relatively easy if done

during development• Have a compliance policy!

13

May 1, 2013 14

Legal Compliance

• Warranties• Indemnification

- Verizon was indemnified by Actiontec.- Actiontec assumed obligations of the

settlement• Due Diligence for both suppliers and OEMs

14

May 1, 2013 15

Open Source Compliance in Embedded Systems

Eli GreenbaumYigal Arnon & Co.elig@arnon.co.il

May 1, 2013