diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py
index b0dc26b191..c5d8054207 100755
--- a/scripts/generate_config_checks.py
+++ b/scripts/generate_config_checks.py
@@ -7,11 +7,19 @@ import framework_scripts_path # pylint: disable=unused-import
 from mbedtls_framework.config_checks_generator import * \
     #pylint: disable=wildcard-import,unused-wildcard-import
 
+class CryptoInternal(SubprojectInternal):
+    SUBPROJECT = 'TF-PSA-Crypto'
+
+class CryptoOption(SubprojectOption):
+    SUBPROJECT = 'psa/crypto_config.h'
+
 MBEDTLS_CHECKS = BranchData(
     header_directory='library',
     header_prefix='mbedtls_',
     project_cpp_prefix='MBEDTLS',
     checkers=[
+        CryptoInternal('MBEDTLS_MD5_C', 'PSA_WANT_ALG_MD5 in psa/crypto_config.h'),
+        CryptoOption('MBEDTLS_BASE64_C'),
         Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'),
         Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'),
     ],
diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py
index 7403f7ebdb..911e2d9a58 100755
--- a/tests/scripts/test_config_checks.py
+++ b/tests/scripts/test_config_checks.py
@@ -55,5 +55,43 @@ class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
                       error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
 
 
+    def test_define_MBEDTLS_MD5_C_redundant(self) -> None:
+        """Error when redundantly setting a subproject internal option."""
+        self.bad_case('#define PSA_WANT_ALG_MD5 1',
+                      '#define MBEDTLS_MD5_C',
+                      error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h')
+
+    def test_define_MBEDTLS_MD5_C_added(self) -> None:
+        """Error when setting a subproject internal option that was disabled."""
+        self.bad_case('''
+                      #undef PSA_WANT_ALG_MD5
+                      #undef MBEDTLS_MD5_C
+                      ''',
+                      '#define MBEDTLS_MD5_C',
+                      error=r'MBEDTLS_MD5_C.* PSA_WANT_ALG_MD5 in psa/crypto_config\.h')
+
+    def test_define_MBEDTLS_BASE64_C_redundant(self) -> None:
+        """Ok to redundantly set a subproject option."""
+        self.good_case(None,
+                       '#define MBEDTLS_BASE64_C')
+
+    def test_define_MBEDTLS_BASE64_C_added(self) -> None:
+        """Error when setting a subproject option that was disabled."""
+        self.bad_case('''
+                      #undef MBEDTLS_BASE64_C
+                      #undef MBEDTLS_PEM_PARSE_C
+                      #undef MBEDTLS_PEM_WRITE_C
+                      ''',
+                      '#define MBEDTLS_BASE64_C',
+                      error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h')
+
+    @unittest.skip("Checks for #undef are not implemented yet.")
+    def test_define_MBEDTLS_BASE64_C_unset(self) -> None:
+        """Error when unsetting a subproject option that was enabled."""
+        self.bad_case(None,
+                      '#undef MBEDTLS_BASE64_C',
+                      error=r'MBEDTLS_BASE64_C .*psa/crypto_config\.h')
+
+
 if __name__ == '__main__':
     unittest.main()