To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun’s guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina
From: Shaun Longhorn <shaun.longhorn@linaro.org> Sent: Tuesday, September 30, 2025 7:08 PM To: Ken Chen <Ken.Chen@netgear.com> Cc: enquiries@trustedfirmware.org Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs:
https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#license
https://mbed-tls.readthedocs.io/en/latest/kb/licensing/
You can also reach out to the Mbed-TLS community on the following public mailing list. https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org/
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://www.trustedfirmware.org/join/ Membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks, Shaun Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.org> wrote:
Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products. I was unable to find a specific contact point for this type of query. Could you kindly forward this message to the appropriate person or team for further discussion? Thank you for your assistance.
Best regards Ken
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Friday, 17 October 2025 at 09:31 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hi Janos,
Thank you for the confirmation. Our SW team will make sure to adhere to the licensing terms.
Thank you
Carina
From: Janos Follath Janos.Follath@arm.com Sent: Friday, October 17, 2025 4:37 PM To: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com; MH Cheng mh.cheng@netgear.com Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code.
GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL.
Contribution requirements
Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://github.com/Mbed-TLS/mbedtls/blob/development/LICENSE
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello Janos,
Thank you.
What does a *user* of the library need to do, beyond preserving the copyright notices?
The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://github.com/Mbed-TLS/mbedtls/blob/development/LICENSE
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code. GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL. Contribution requirements Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Friday, 17 October 2025 at 09:31 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shauns guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina From: Shaun Longhorn <shaun.longhorn@linaro.orgmailto:shaun.longhorn@linaro.org> Sent: Tuesday, September 30, 2025 7:08 PM To: Ken Chen <Ken.Chen@netgear.commailto:Ken.Chen@netgear.com> Cc: enquiries@trustedfirmware.orgmailto:enquiries@trustedfirmware.org Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing@netgear.commailto:reportphishing@netgear.com. Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs: https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#license https://mbed-tls.readthedocs.io/en/latest/kb/licensing/
You can also reach out to the Mbed-TLS community on the following public mailing list. https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org/
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://www.trustedfirmware.org/join/ Membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks, Shaun Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.org> wrote:
Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products. I was unable to find a specific contact point for this type of query. Could you kindly forward this message to the appropriate person or team for further discussion? Thank you for your assistance.
Best regards Ken
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
+ Ken / MH
Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.
Thank you Peter, and Janos for the details and guidance.
Carina
-----Original Message----- From: Peter peter@peter2000.co.uk Sent: Friday, October 17, 2025 7:30 PM To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello Janos,
Thank you.
What does a *user* of the library need to do, beyond preserving the copyright notices?
The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://github.com/Mbed-TLS/mbedtls/blob/development/LICENSE
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code.
GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL.
Contribution requirements
Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
Hi Carina, Peter,
I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.
Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.
I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview of its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further than what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.
Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!
Regards, Manuel.
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: 17 October 2025 13:57 To: Peter peter@peter2000.co.uk; Janos Follath Janos.Follath@arm.com Cc: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org shaun.longhorn@linaro.org; Ken Chen Ken.Chen@netgear.com; MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
+ Ken / MH
Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.
Thank you Peter, and Janos for the details and guidance.
Carina
Hello All,
AFAICS nobody has actually answered the question :)
"the right people to consult would be IP lawyers"
For sure, if you want to spend a few k to find out how to sell a product which runs *binary* code and is not supplied with the sources on a CD :)
If you have a product using this code, on the face of it you need to preserve the license text, but how do you do that in practice? Do you put a URL on the label, pointing to a website with the relevant text on it?
Regards,
Peter
Hi Carina, Peter,
I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.
Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.
I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview or its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further that what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.
Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!
Regards, Manuel.
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: 17 October 2025 13:57 To: Peter peter@peter2000.co.uk; Janos Follath Janos.Follath@arm.com Cc: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org shaun.longhorn@linaro.org; Ken Chen Ken.Chen@netgear.com; MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
- Ken / MH
Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.
Thank you Peter, and Janos for the details and guidance.
Carina
-----Original Message----- From: Peter peter@peter2000.co.uk Sent: Friday, October 17, 2025 7:30 PM To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing@netgear.commailto:reportphishing@netgear.com.
Hello Janos,
Thank you.
What does a *user* of the library need to do, beyond preserving the copyright notices?
The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://urldefense.com/v3/__https://github.com/Mbed-TLS/mbedtls/blob/de velopment/LICENSE__;!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tVqOSZR- WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFmljJ29A$
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code. GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL. Contribution requirements Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Friday, 17 October 2025 at 09:31 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun's guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina From: Shaun Longhorn <shaun.longhorn@linaro.orgmailto:shaun.longhorn@linaro.org> Sent: Tuesday, September 30, 2025 7:08 PM To: Ken Chen <Ken.Chen@netgear.commailto:Ken.Chen@netgear.com> Cc: enquiries@trustedfirmware.orgmailto:enquiries@trustedfirmware.org Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing@netgear.commailto:reportphishing@netgear.com. Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs: https://urldefense.com/v3/__https://github.com/Mbed-TLS/mbedtls?tab=re adme-ov-file*license__;Iw!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tV qOSZR-WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiHKChFs4g$ https://urldefense.com/v3/__https:/github.com/Mbed-TLS/mbedtls?tab=re adme-ov-file*license__;Iw!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47 wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYgjlUMvm$ https://urldefense.com/v3/__https://mbed-tls.readthedocs.io/en/latest/ kb/licensing/__;!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tVqOSZR-WBw -Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFce8JxgQ$ https://urldefense.com/v3/__https:/mbed-tls.readthedocs.io/en/latest/ kb/licensing/__;!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47wmI1jSTqS AY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYp5VHhyJ$
You can also reach out to the Mbed-TLS community on the following public mailing list. https://urldefense.com/v3/__https://lists.trustedfirmware.org/mailman3 /lists/mbed-tls.lists.trustedfirmware.org/__;!!JNtdCRAd!3MXub7er1tWIbR b7ChOnIByZhgRqHIZ5tVqOSZR-WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFL1Ji9 iQ$ https://urldefense.com/v3/__https:/lists.trustedfirmware.org/mailman3 /lists/mbed-tls.lists.trustedfirmware.org/__;!!JNtdCRAd!yS-xkrvchRDdKL P5y9mF7G0dloSjUklh47wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYj5o Ps_K$
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://urldefense.com/v3/__https://www.trustedfirmware.org/join/__%3B%21%21... https://urldefense.com/v3/__https:/www.trustedfirmware.org/join/__;!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYlU0_mx6$ membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks, Shaun Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.orgmailto:enquiries@trustedfirmware.org> wrote: Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products. I was unable to find a specific contact point for this type of query. Could you kindly forward this message to the appropriate person or team for further discussion? Thank you for your assistance.
Best regards Ken
Hi Peter,
As Manuel mentioned, we (developers and maintainers of Mbed TLS) are engineers and can’t give legal advice. We don’t have much experience with distributing physical products and thus unfortunately we don’t have much to share from that angle either.
I am sorry we can’t help, I hope that some of the list members have experience in this area and can offer some helpful thoughts.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Monday, 20 October 2025 at 12:10 To: Manuel Pegourie-Gonnard Manuel.Pegourie-Gonnard@arm.com Cc: Janos Follath Janos.Follath@arm.com, Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org, Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello All,
AFAICS nobody has actually answered the question :)
"the right people to consult would be IP lawyers"
For sure, if you want to spend a few k to find out how to sell a product which runs *binary* code and is not supplied with the sources on a CD :)
If you have a product using this code, on the face of it you need to preserve the license text, but how do you do that in practice? Do you put a URL on the label, pointing to a website with the relevant text on it?
Regards,
Peter
Hi Carina, Peter,
I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.
Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.
I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview of its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further than what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.
Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!
Regards, Manuel.
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: 17 October 2025 13:57 To: Peter peter@peter2000.co.uk; Janos Follath Janos.Follath@arm.com Cc: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org shaun.longhorn@linaro.org; Ken Chen Ken.Chen@netgear.com; MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
- Ken / MH
Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.
Thank you Peter, and Janos for the details and guidance.
Carina
-----Original Message----- From: Peter peter@peter2000.co.uk Sent: Friday, October 17, 2025 7:30 PM To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello Janos,
Thank you.
What does a *user* of the library need to do, beyond preserving the copyright notices?
The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://github.com/Mbed-TLS/mbedtls/blob/development/LICENSE
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code.
GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL.
Contribution requirements
Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Friday, 17 October 2025 at 09:31 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun's guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina
From: Shaun Longhorn <shaun.longhorn@linaro.org> Sent: Tuesday, September 30, 2025 7:08 PM To: Ken Chen <Ken.Chen@netgear.com> Cc: enquiries@trustedfirmware.org Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs: https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#license https://mbed-tls.readthedocs.io/en/latest/kb/licensing/
You can also reach out to the Mbed-TLS community on the following public mailing list. https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org/
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://www.trustedfirmware.org/join/ Membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks, Shaun Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.org> wrote: Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products. I was unable to find a specific contact point for this type of query. Could you kindly forward this message to the appropriate person or team for further discussion? Thank you for your assistance.
Best regards Ken
Hello Janos,
Sure, but *somebody* at MbedTLS made the decision to release the code under whatever license. So they must have been thinking something...
Unless they looked at various licenses and picked the longest one :)
I have seen only bits of the sources for MbedTLS and those were either very old open source stuff which has been all over the internet for decades (like DES, AES, various hashes) or the "X509" code written by you guys.
Releasing the former under any license is meaningless, and for releasing the latter you need to decide whether to allow commercial use *without* the user paying you. And clearly you have decided affirmatively on that one.
Everything else is legally meaningless. Is anyone going to enforce the preservation of 100 lines of some license text, especially given that a commercial product is obviously 100% binary?
Then you have STM bundling MbedTLS with Cube IDE and there is yet more license text in there, which every Cube user will totally ignore otherwise the tool is useless except to hobbyists.
The overriding principle in creative work is that the author retains copyright (unless assigned, which I am sure you have not done) and nobody has any problem with that, but in "open source" software anybody is free to use it for any purpose whatsoever. One can have a license stipulating that the author is credited but how do you do that on a commercially sold "box"? Obviously, you can't. One can have a note in the user manual that Product X contains open source code "MbedTLS" and then anyone interested can google the terms.
One can also have funny license terms e.g. prohibiting modification of the software. Exactly nobody is going to respect that IF they want a working product! Most devs spend weeks or months on google (Claude is a "better google" nowadays) looking for bug fixes. Or just "essential" functional fixes like parsing cacert.pem one certificate at a time (that one is on github somewhere) otherwise one needs to malloc ~250k of RAM which would render MbedTLS useless in a lot of applications.
The above is especially relevant given the version increment frequency of MbedTLS which makes it impossible to release a product with the latest version. At best one will be a year or two behind.
IANAL (I am not a lawyer) but have been in business since 1978 and seen a lot of this stuff.
Regards,
Peter
I posted a question on EEVBLOG on this very topic and I think the responses are quite illuminating
https://www.eevblog.com/forum/microcontrollers/mbedtls-licensing-terms/
Regards,
Peter
Hi Peter,
As Manuel mentioned, we (developers and maintainers of Mbed TLS) are engineers and can't give legal advice. We don't have much experience with distributing physical products and thus unfortunately we don't have much to share from that angle either.
I am sorry we can't help, I hope that some of the list members have experience in this area and can offer some helpful thoughts.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Monday, 20 October 2025 at 12:10 To: Manuel Pegourie-Gonnard Manuel.Pegourie-Gonnard@arm.com Cc: Janos Follath Janos.Follath@arm.com, Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org, Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello All,
AFAICS nobody has actually answered the question :)
"the right people to consult would be IP lawyers"
For sure, if you want to spend a few k to find out how to sell a product which runs *binary* code and is not supplied with the sources on a CD :)
If you have a product using this code, on the face of it you need to preserve the license text, but how do you do that in practice? Do you put a URL on the label, pointing to a website with the relevant text on it?
Regards,
Peter
Hi Carina, Peter,
I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.
Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.
I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview of its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further than what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.
Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!
Regards, Manuel.
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Sent: 17 October 2025 13:57 To: Peter peter@peter2000.co.uk; Janos Follath Janos.Follath@arm.com Cc: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org shaun.longhorn@linaro.org; Ken Chen Ken.Chen@netgear.com; MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
- Ken / MH
Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.
Thank you Peter, and Janos for the details and guidance.
Carina
-----Original Message----- From: Peter peter@peter2000.co.uk Sent: Friday, October 17, 2025 7:30 PM To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello Janos,
Thank you.
What does a *user* of the library need to do, beyond preserving the copyright notices?
The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Regards,
Peter
Hi Peter,
The section you quote is about contributing. Contributors have to agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is necessary for the library to be distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses: https://github.com/Mbed-TLS/mbedtls/blob/development/LICENSE
As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Friday, 17 October 2025 at 11:45 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I looked up the licensing terms and on the face of it it basically says that you must preserve copyright notices and such like
Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code.
GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL.
Contribution requirements
Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses. This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
However, it is not clear how much of the source code of the rest of your product you need to make open source.
I would expect the requirement to extend to code like e.g. interface to LWIP (which itself is also open source) but does it extend beyond that?
Regards,
Peter
Hi Carina,
I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
Best regards, Janos (Mbed TLS developer)
From: Carina Tsai via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Friday, 17 October 2025 at 09:31 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org Cc: Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
To whom it may concern,
Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun's guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
Thank you
Carina
From: Shaun Longhorn <shaun.longhorn@linaro.org> Sent: Tuesday, September 30, 2025 7:08 PM To: Ken Chen <Ken.Chen@netgear.com> Cc: enquiries@trustedfirmware.org Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hi Ken,
I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs: https://github.com/Mbed-TLS/mbedtls?tab=readme-ov-file#license https://mbed-tls.readthedocs.io/en/latest/kb/licensing/
You can also reach out to the Mbed-TLS community on the following public mailing list. https://lists.trustedfirmware.org/mailman3/lists/mbed-tls.lists.trustedfirmware.org/
I should highlight our optional memberships for Trusted Firmware detailed on this page. https://www.trustedfirmware.org/join/ Membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
Thanks, Shaun Community Manager
On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.org> wrote:
Dear Sir/Madam,
I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products. I was unable to find a specific contact point for this type of query. Could you kindly forward this message to the appropriate person or team for further discussion? Thank you for your assistance.
Best regards Ken
Hi Peter,
This forum thread seems to confirm my point that Apache 2.0 is a common enough license that the first answer to your post was suggesting a way to comply in this scenario, describing it as "commonly accepted".
The reason I'm not making such suggestions myself is that, in the context of this thread, my suggestions could be misread as having more authority (I'm an Mbed TLS developer) than they actually have (I'm not an IP lawyer). As a security engineer, I think the illusion of security (or in this case, authority), in the absence of the real thing, should be avoided.
Regarding why Apache was chosen, I don't think the people who made that decision are on this list, but I can offer a few leads:
* Apache 2.0 is a permissive license <https://en.wikipedia.org/wiki/Permissive_software_license>.
* It is the 2nd most common <https://github.blog/open-source/open-source-license-usage-on-github-com/> (hence widely known and understood, as far as licenses go) permissive license after MIT.
* Contrary to MIT, it has an explicit clause meant to protect users from patent litigation <https://en.wikipedia.org/wiki/Apache_License#Apache_License_2.0>, which is seen as important by many users.
* It is widely considered compatible <https://en.wikipedia.org/wiki/Apache_License#Compatibility> with most other common open source licenses (other than the GPLv2, which is why we've added it as an explicit option).
I won't comment on your other claims in the linked forum thread, other than the bit specific to Mbed TLS: to the best of my knowledge, all of our source code was written from scratch for this project.
Regards, Manuel.
From: Peter peter@peter2000.co.uk Sent: 22 October 2025 12:50 To: Janos Follath Janos.Follath@arm.com Cc: Carina Tsai Carina.Tsai@netgear.com; mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org shaun.longhorn@linaro.org; Ken Chen Ken.Chen@netgear.com; Manuel Pegourie-Gonnard Manuel.Pegourie-Gonnard@arm.com; MH Cheng mh.cheng@netgear.com Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
I posted a question on EEVBLOG on this very topic and I think the responses are quite illuminating
https://www.eevblog.com/forum/microcontrollers/mbedtls-licensing-terms/
Regards,
Peter
Hi Peter,
As Manuel mentioned, we (developers and maintainers of Mbed TLS) are engineers and can’t give legal advice. We don’t have much experience with distributing physical products and thus unfortunately we don’t have much to share from that angle either.
I am sorry we can’t help, I hope that some of the list members have experience in this area and can offer some helpful thoughts.
Regards, Janos
From: Peter peter@peter2000.co.uk Date: Monday, 20 October 2025 at 12:10 To: Manuel Pegourie-Gonnard Manuel.Pegourie-Gonnard@arm.com Cc: Janos Follath Janos.Follath@arm.com, Carina Tsai Carina.Tsai@netgear.com, mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org, shaun.longhorn@linaro.org shaun.longhorn@linaro.org, Ken Chen Ken.Chen@netgear.com, MH Cheng mh.cheng@netgear.com Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
Hello All,
AFAICS nobody has actually answered the question :)
"the right people to consult would be IP lawyers"
For sure, if you want to spend a few k to find out how to sell a product which runs *binary* code and is not supplied with the sources on a CD :)
If you have a product using this code, on the face of it you need to preserve the license text, but how do you do that in practice? Do you put a URL on the label, pointing to a website with the relevant text on it?
Regards,
Peter
Hi Carina, Peter,
I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.
Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.
I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview of its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further than what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.
Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!
Regards, Manuel.
My opinion:
If you don't have the money to consult a lawyer, and can't read/understand the license (the "lore" of open source licensing is almost 40 years old now) then you probably aren't rich enough to be sued.
But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.
Yes, Linksys did it mostly right. Since forever on Android phones: