diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index ac2146ea11..d9e7dc2b72 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1570,6 +1570,19 @@
  */
 //#define MBEDTLS_PSA_INJECT_ENTROPY
 
+/**
+ * \def MBEDTLS_PSA_COPY_CALLER_BUFFERS
+ *
+ * Make local copies of buffers supplied by the callers of PSA functions.
+ *
+ * This should be enabled whenever caller-supplied buffers are owned by
+ * an untrusted party, for example where arguments to PSA calls are passed
+ * across a trust boundary.
+ *
+ * Note: Enabling this option increases memory usage and code size.
+ */
+#define MBEDTLS_PSA_COPY_CALLER_BUFFERS
+
 /**
  * \def MBEDTLS_RSA_NO_CRT
  *
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 1531c70eda..84928ecff8 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -106,6 +106,7 @@ mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
     if (global_data.initialized == 0) \
         return PSA_ERROR_BAD_STATE;
 
+#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
 /* Substitute an input buffer for a local copy of itself.
  * Assumptions:
  * - psa_status_t status exists
@@ -143,6 +144,12 @@ mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
     if (local_output_free_status != PSA_SUCCESS) { \
         status = local_output_free_status; \
     }
+#else /* MBEDTLS_PSA_COPY_CALLER_BUFFERS */
+#define SWAP_FOR_LOCAL_INPUT(input, length)
+#define FREE_LOCAL_INPUT(input)
+#define SWAP_FOR_LOCAL_OUTPUT(output, length)
+#define FREE_LOCAL_OUTPUT(output)
+#endif /* MBEDTLS_PSA_COPY_CALLER_BUFFERS */
 
 psa_status_t mbedtls_to_psa_error(int ret)
 {
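Review bot: The new `MBEDTLS_PSA_COPY_CALLER_BUFFERS` entry is enabled by default (the `#define` is live, unlike the commented-out `//#define MBEDTLS_PSA_INJECT_ENTROPY` just above it) but its doc comment never says so, and config.h entries conventionally state the default and how to toggle it. Add a closing line such as ` * Comment this macro to disable copying of caller buffers.` It would also help readers of a build that disables the option if the comment said what the copy defends against; presumably it prevents a caller on the other side of the trust boundary from altering a buffer while the PSA call is still reading or writing it, so disabling is only safe when callers cannot do that — worth confirming with the author and stating in the comment.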
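Review bot: The four fallback macros in the new `#else` branch of psa_crypto.c expand to nothing, so a use such as `SWAP_FOR_LOCAL_INPUT(input, input_length);` leaves a bare `;` at the call site and the fallback is not a single statement if the real version is ever used in an unbraced `if`. Defining them as a null statement keeps both configurations syntactically interchangeable, e.g. `#define SWAP_FOR_LOCAL_INPUT(input, length) do { } while (0)` and likewise for the other three. The real macros document that they assume a `psa_status_t status` variable exists; if any caller declares it only for the copying path, the disabled build may see unused-variable warnings, which is worth checking. The `#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)` opened in the earlier hunk at line 106 encloses macro definitions that continue between the two hunks, outside what is shown here.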