
Conversation

@tahina-pro
Member

@tahina-pro tahina-pro commented Dec 10, 2025

This PR replaces QCBOR with EverCBOR from EverParse v2025.12.10 in uvm_endorsements.

EverCBOR is a formally verified C implementation of parsers and serializers for CBOR. EverCBOR is part of EverParse, an open-source toolchain for formally verified secure binary data parsing and serialization, developed by the RiSE (Research in Software Engineering) team at Microsoft Research.

EverCBOR is proven:

  • memory safe (no dangling pointers, no buffer overflow, etc.)
  • arithmetically safe (no integer overflow/underflow)
  • functionally correct wrt. a formal specification of the CBOR format. In this respect, EverCBOR automatically checks and rejects maps with duplicate keys.

Regarding performance:

  • EverCBOR runtime performance is in the same ballpark as QCBOR. More details in our ACM CCS 2025 paper.
  • EverCBOR validates data using an amount of stack proportional to the nesting of maps in map keys, for which the user can provide a bound. (For COSE, since keys can only be integers or strings, this bound can be 0.)
  • EverCBOR provides zero-copy parsing and does not perform any heap allocations.

As of EverParse v2025.12.10, EverCBOR supports definite-length CBOR objects without floating-point values, which is enough for COSE.
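To make the guarantees listed above concrete, here is an added example that is not part of this PR, of EverCBOR, or of CCF: a small stand-alone C++17 validator for the same subset (definite-length items, no floating-point values) that rejects duplicate map keys and enforces an explicit nesting bound so that stack use stays proportional to a caller-chosen limit. The names (`cbor_validate`, `validate_item`, `read_head`) are hypothetical and do not correspond to any EverCBOR API. It deliberately simplifies one point: the bound here is on total container nesting, which is stricter than EverCBOR's bound on maps nested inside map keys.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <utility>
#include <vector>

// Bytes occupied by one validated CBOR item; std::nullopt means "rejected".
using Consumed = std::optional<size_t>;

namespace {

// Decode the initial byte and its argument. Rejects additional-info 28..30
// (reserved), 31 (indefinite length) and, for major type 7, 25..27 (floats),
// i.e. everything outside the definite-length, float-free subset.
bool read_head(const uint8_t* p, size_t len, uint8_t& major, uint64_t& arg, size_t& hdr)
{
    if (len < 1) return false;
    major = p[0] >> 5;
    uint8_t ai = p[0] & 0x1f;
    if (ai < 24) { arg = ai; hdr = 1; return true; }
    if (ai > 27) return false;                 // reserved or indefinite-length
    if (major == 7 && ai >= 25) return false;  // float16/32/64 not supported
    size_t n = size_t{1} << (ai - 24);         // 1, 2, 4 or 8 argument bytes
    if (len < 1 + n) return false;             // truncated header
    arg = 0;
    for (size_t i = 0; i < n; ++i) arg = (arg << 8) | p[1 + i];
    hdr = 1 + n;
    return true;
}

Consumed validate_item(const uint8_t* p, size_t len, size_t depth, size_t max_depth);

// Validate `count` consecutive items and return the bytes they occupy in total.
Consumed validate_items(const uint8_t* p, size_t len, uint64_t count, size_t depth, size_t max_depth)
{
    size_t off = 0;
    for (uint64_t i = 0; i < count; ++i) {
        Consumed c = validate_item(p + off, len - off, depth, max_depth);
        if (!c) return std::nullopt;
        off += *c;                             // *c <= len - off, so no overflow
    }
    return off;
}

Consumed validate_item(const uint8_t* p, size_t len, size_t depth, size_t max_depth)
{
    uint8_t major; uint64_t arg; size_t hdr;
    if (!read_head(p, len, major, arg, hdr)) return std::nullopt;
    switch (major) {
    case 0: case 1: case 7:                    // uint, negint, simple value
        return hdr;
    case 2: case 3:                            // byte string, text string
        // Compare the declared length against the bytes left; never add it to a pointer first.
        if (arg > len - hdr) return std::nullopt;
        return hdr + static_cast<size_t>(arg);
    case 6: {                                  // tag wrapping exactly one item
        if (depth >= max_depth) return std::nullopt;
        Consumed c = validate_item(p + hdr, len - hdr, depth + 1, max_depth);
        return c ? Consumed(hdr + *c) : std::nullopt;
    }
    case 4: {                                  // array
        if (depth >= max_depth) return std::nullopt;
        if (arg > len - hdr) return std::nullopt;        // every element is >= 1 byte
        Consumed c = validate_items(p + hdr, len - hdr, arg, depth + 1, max_depth);
        return c ? Consumed(hdr + *c) : std::nullopt;
    }
    case 5: {                                  // map: validate pairs, reject duplicate keys
        if (depth >= max_depth) return std::nullopt;
        if (arg > (len - hdr) / 2) return std::nullopt;  // every pair is >= 2 bytes
        std::vector<std::pair<const uint8_t*, size_t>> keys;  // encoded keys seen so far
        size_t off = hdr;
        for (uint64_t i = 0; i < arg; ++i) {
            Consumed k = validate_item(p + off, len - off, depth + 1, max_depth);
            if (!k) return std::nullopt;
            for (auto& [kp, kl] : keys)        // byte-wise duplicate check
                if (kl == *k && std::memcmp(kp, p + off, kl) == 0) return std::nullopt;
            keys.emplace_back(p + off, *k);
            off += *k;
            Consumed v = validate_item(p + off, len - off, depth + 1, max_depth);
            if (!v) return std::nullopt;
            off += *v;
        }
        return off;
    }
    }
    return std::nullopt;
}

} // namespace

// True iff `len` bytes are exactly one well-formed item of the subset, with
// unique map keys, nesting at most max_depth, and no trailing bytes.
bool cbor_validate(const uint8_t* data, size_t len, size_t max_depth)
{
    Consumed c = validate_item(data, len, 0, max_depth);
    return c && *c == len;
}
```

Two caveats a reviewer would want stated. The duplicate-key check compares encoded key bytes, so it only catches duplicates when keys are encoded deterministically; `{1: x, 0x1801: y}` (the integer 1 written in one and in two bytes) slips through, whereas a value-level comparison would not. The `max_depth` limit is what keeps recursion bounded on attacker-supplied input; a COSE_Sign1 (a tag around a four-element array containing a zero-length map) needs a bound of 3 here, and anything deeper is rejected before it can consume stack.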

Copilot AI review requested due to automatic review settings December 10, 2025 16:58
@tahina-pro tahina-pro requested a review from a team as a code owner December 10, 2025 16:58
Contributor

Copilot AI left a comment


Pull request overview

This PR replaces the QCBOR library with EverCBOR from EverParse v2025.12.10 for parsing and validating CBOR data in UVM endorsements. EverCBOR is a formally verified C implementation that provides memory safety, arithmetic safety, and functional correctness guarantees, including automatic validation of CBOR maps for duplicate keys.

Key changes:

  • Migration from QCBOR API to EverCBOR API in COSE_Sign1 parsing logic
  • Integration of EverCBOR library as a new third-party dependency
  • Updated error handling to use EverCBOR's validation approach

Reviewed changes

Copilot reviewed 20 out of 22 changed files in this pull request and generated 17 comments.

Files reviewed:

  • src/node/uvm_endorsements.h: Removed QCBOR and t_cose header includes
  • src/node/uvm_endorsements.cpp: Migrated CBOR parsing logic from QCBOR to EverCBOR API with new error handling patterns
  • cmake/evercbor.cmake: Added CMake build configuration for EverCBOR static library
  • CMakeLists.txt: Integrated evercbor library into ccf_node and endorsements_test targets
  • 3rdparty/exported/evercbor/*: Added EverCBOR v2025.12.10 source files, headers, examples, and tests

@achamayou
Member

@tahina-pro thank you for making this change, this is a very welcome upgrade from what we use for CBOR today!

Would it be possible to only add the necessary files for evercbor, and not the additional samples etc.? I am hoping it's a small number of them (3?), which reduces the churn on updates, the amount of copilot-generated distraction etc.

Could you also add an entry in https://github.com/microsoft/CCF/blob/main/cgmanifest.json with the repo name, sha and release tag please.

@achamayou achamayou merged commit 2ceda18 into microsoft:main Dec 11, 2025
17 checks passed
