diff --git a/CMakeLists.txt b/CMakeLists.txt
index a7f92f5683..c9c0a6d43d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,7 +13,7 @@
 # - MBEDTLS_TARGET_PREFIX: CMake targets are designed to be alterable by calling
 #   CMake in order to avoid target name clashes, via the use of
 #   MBEDTLS_TARGET_PREFIX. The value of this variable is prefixed to the
-#   mbedtls, mbedx509, mbedcrypto and apidoc targets.
+#   mbedtls, mbedx509, tfpsacrypto and mbedtls-apidoc targets.
 #
 
 # We specify a minimum requirement of 3.10.2, but for now use 3.5.1 here
@@ -100,14 +100,6 @@ option(USE_SHARED_MBEDTLS_LIBRARY "Build Mbed TLS shared library." OFF)
 option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF)
 option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF)
 
-set(mbedcrypto_target "${MBEDTLS_TARGET_PREFIX}mbedcrypto")
-if (USE_STATIC_MBEDTLS_LIBRARY)
-    set(mbedcrypto_static_target ${mbedcrypto_target})
-endif()
-if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
-    string(APPEND mbedcrypto_static_target "_static")
-endif()
-
 # Warning string - created as a list for compatibility with CMake 2.8
 set(CTR_DRBG_128_BIT_KEY_WARN_L1 "****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
 set(CTR_DRBG_128_BIT_KEY_WARN_L2 "****  Using 128-bit keys for CTR_DRBG limits the security of generated\n")
@@ -328,6 +320,27 @@ function(set_msvc_base_compile_options target)
     endif(MBEDTLS_FATAL_WARNINGS)
 endfunction(set_msvc_base_compile_options)
 
+function(set_config_files_compile_definitions target)
+    # Pass-through MBEDTLS_CONFIG_FILE, MBEDTLS_USER_CONFIG_FILE,
+    # TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE
+    if(MBEDTLS_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
+    endif()
+    if(MBEDTLS_USER_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
+    endif()
+    if(TF_PSA_CRYPTO_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
+    endif()
+    if(TF_PSA_CRYPTO_USER_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
+    endif()
+endfunction(set_config_files_compile_definitions)
+
 if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
     set(CMAKE_CXX_STANDARD 11)
     set(CMAKE_CXX_STANDARD_REQUIRED ON)
@@ -348,8 +361,38 @@ add_subdirectory(framework)
 
 add_subdirectory(include)
 
+set(TF_PSA_CRYPTO_TARGET_PREFIX ${MBEDTLS_TARGET_PREFIX} CACHE STRING "")
+set(TF_PSA_CRYPTO_FATAL_WARNINGS ${MBEDTLS_FATAL_WARNINGS} CACHE BOOL "")
+set(USE_STATIC_TF_PSA_CRYPTO_LIBRARY ${USE_STATIC_MBEDTLS_LIBRARY} CACHE BOOL "")
+set(USE_SHARED_TF_PSA_CRYPTO_LIBRARY ${USE_SHARED_MBEDTLS_LIBRARY} CACHE BOOL "")
 add_subdirectory(tf-psa-crypto)
 
+set(tfpsacrypto_target "${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto")
+if (USE_STATIC_MBEDTLS_LIBRARY)
+    set(tfpsacrypto_static_target ${tfpsacrypto_target})
+endif()
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+    string(APPEND tfpsacrypto_static_target "_static")
+endif()
+
+set(tf_psa_crypto_library_targets
+    ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto
+    ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin
+    ${TF_PSA_CRYPTO_TARGET_PREFIX}everest
+    ${TF_PSA_CRYPTO_TARGET_PREFIX}p256m)
+
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+    list(APPEND tf_psa_crypto_library_targets
+         ${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto_static
+         ${TF_PSA_CRYPTO_TARGET_PREFIX}builtin_static)
+endif()
+
+foreach(target IN LISTS tf_psa_crypto_library_targets)
+    if(NOT TARGET ${target})
+        message(FATAL_ERROR "TF-PSA-Crypto target ${target} does not exist.")
+    endif()
+endforeach(target)
+
 add_subdirectory(library)
 
 add_subdirectory(pkgconfig)
@@ -359,7 +402,7 @@ add_subdirectory(pkgconfig)
 # and programs. This shared test code is compiled and linked to test suites and
 # programs objects as a set of compiled objects. The compiled objects are NOT
 # built into a library that the test suite and program objects would link
-# against as they link against the mbedcrypto, mbedx509 and mbedtls libraries.
+# against as they link against the tfpsacrypto, mbedx509 and mbedtls libraries.
 # The reason is that such library is expected to have mutual dependencies with
 # the aforementioned libraries and that there is as of today no portable way of
 # handling such dependencies (only toolchain specific solutions).
@@ -369,54 +412,6 @@ add_subdirectory(pkgconfig)
 # to define the test executables.
 #
 if(ENABLE_TESTING OR ENABLE_PROGRAMS)
-    file(GLOB MBEDTLS_TEST_FILES
-         ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c
-         ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/drivers/*.c)
-    add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
-    set_base_compile_options(mbedtls_test)
-    if(GEN_FILES)
-        add_custom_command(
-            OUTPUT
-                ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h
-            WORKING_DIRECTORY
-                ${CMAKE_CURRENT_SOURCE_DIR}/tests
-            COMMAND
-                "${MBEDTLS_PYTHON_EXECUTABLE}"
-                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
-                "--output"
-                "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h"
-            DEPENDS
-                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py
-        )
-        add_custom_target(test_keys_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_keys.h)
-        add_custom_command(
-            OUTPUT
-                ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h
-            WORKING_DIRECTORY
-                ${CMAKE_CURRENT_SOURCE_DIR}/tests
-            COMMAND
-                "${MBEDTLS_PYTHON_EXECUTABLE}"
-                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
-                "--output"
-                "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h"
-            DEPENDS
-                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
-        )
-        add_custom_target(test_certs_header DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h)
-        add_dependencies(mbedtls_test test_keys_header test_certs_header)
-    endif()
-    target_include_directories(mbedtls_test
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src)
-    # Request C11, needed for memory poisoning tests
-    set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)
-
     file(GLOB MBEDTLS_TEST_HELPER_FILES
          ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c)
     add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES})
@@ -431,19 +426,7 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include)
 
-    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-    if(MBEDTLS_CONFIG_FILE)
-        target_compile_definitions(mbedtls_test
-            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-        target_compile_definitions(mbedtls_test_helpers
-            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-    endif()
-    if(MBEDTLS_USER_CONFIG_FILE)
-        target_compile_definitions(mbedtls_test
-            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-        target_compile_definitions(mbedtls_test_helpers
-            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-    endif()
+    set_config_files_compile_definitions(mbedtls_test_helpers)
 endif()
 
 if(ENABLE_PROGRAMS)
@@ -453,7 +436,7 @@ if(ENABLE_PROGRAMS)
     add_subdirectory(programs)
 endif()
 
-ADD_CUSTOM_TARGET(${MBEDTLS_TARGET_PREFIX}apidoc
+ADD_CUSTOM_TARGET(${MBEDTLS_TARGET_PREFIX}mbedtls-apidoc
     COMMAND doxygen mbedtls.doxyfile
     WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
 
@@ -463,8 +446,7 @@ if(ENABLE_TESTING)
     add_subdirectory(tests)
 
     # additional convenience targets for Unix only
-    if(UNIX)
-
+    if(UNIX AND (NOT MBEDTLS_AS_SUBPROJECT))
         # For coverage testing:
         # 1. Build with:
         #         cmake -D CMAKE_BUILD_TYPE=Coverage /path/to/source && make
@@ -483,7 +465,7 @@ if(ENABLE_TESTING)
             COMMAND rm -f memcheck.log
             COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
         )
-    endif(UNIX)
+    endif()
 
     # Make scripts needed for testing available in an out-of-source build.
     if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/README.md b/README.md
index 7ca0e8e7b0..dbee4a8307 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ There are currently three active build systems used within Mbed TLS releases:
 
 The main systems used for development are CMake and GNU Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
 
-The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`.
+The Make and CMake build systems create three libraries: libmbedcrypto/libtfpsacrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto/libtfpsacrypto, and libmbedx509 depends on libmbedcrypto/libtfpsacrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`.
 
 ### Tool versions
 
@@ -200,7 +200,7 @@ CMake projects. You can include Mbed TLS's CMake targets yourself with:
 If prompted, set `MbedTLS_DIR` to `${YOUR_MBEDTLS_INSTALL_DIR}/cmake`. This
 creates the following targets:
 
-- `MbedTLS::mbedcrypto` (Crypto library)
+- `MbedTLS::tfpsacrypto` (Crypto library)
 - `MbedTLS::mbedtls` (TLS library)
 - `MbedTLS::mbedx509` (X509 library)
 
@@ -210,7 +210,7 @@ You can then use these directly through `target_link_libraries()`:
 
     target_link_libraries(xyz
         PUBLIC MbedTLS::mbedtls
-               MbedTLS::mbedcrypto
+               MbedTLS::tfpsacrypto
                MbedTLS::mbedx509)
 
 This will link the Mbed TLS libraries to your library or application, and add
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 1e09d31c57..c6ee8ebdf0 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -156,7 +156,7 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
     set_base_compile_options(${mbedx509_static_target})
     target_compile_options(${mbedx509_static_target} PRIVATE ${LIBS_C_FLAGS})
     set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
-    target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
+    target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${tfpsacrypto_static_target})
 
     add_library(${mbedtls_static_target} STATIC ${src_tls})
     set_base_compile_options(${mbedtls_static_target})
@@ -170,7 +170,7 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
     set_base_compile_options(${mbedx509_target})
     target_compile_options(${mbedx509_target} PRIVATE ${LIBS_C_FLAGS})
     set_target_properties(${mbedx509_target} PROPERTIES VERSION 4.0.0 SOVERSION 7)
-    target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
+    target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${tfpsacrypto_target})
 
     add_library(${mbedtls_target} SHARED ${src_tls})
     set_base_compile_options(${mbedtls_target})
@@ -192,15 +192,7 @@ foreach(target IN LISTS target_libraries)
         PRIVATE ${MBEDTLS_DIR}/library/
                 ${MBEDTLS_DIR}/tf-psa-crypto/core
                 ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src)
-    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-    if(MBEDTLS_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-    endif()
-    if(MBEDTLS_USER_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-    endif()
+    set_config_files_compile_definitions(${target})
     install(
         TARGETS ${target}
         EXPORT MbedTLSTargets
@@ -216,3 +208,27 @@ add_custom_target(${lib_target} DEPENDS ${mbedx509_target} ${mbedtls_target})
 if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
     add_dependencies(${lib_target} ${mbedx509_static_target} ${mbedtls_static_target})
 endif()
+
+foreach(target IN LISTS tf_psa_crypto_library_targets)
+    get_target_property(target_type ${target} TYPE)
+    if (target_type STREQUAL STATIC_LIBRARY)
+        add_custom_command(
+            TARGET ${mbedtls_target}
+            POST_BUILD
+            COMMAND ${CMAKE_COMMAND}
+            ARGS -E copy $<TARGET_FILE:${target}> ${CMAKE_BINARY_DIR}/library)
+    else()
+        add_custom_command(
+            TARGET ${mbedtls_target}
+            POST_BUILD
+            COMMAND ${CMAKE_COMMAND}
+            ARGS -E copy $<TARGET_FILE:${target}>
+            ${CMAKE_BINARY_DIR}/library/$<TARGET_FILE_NAME:${target}>)
+        add_custom_command(
+            TARGET ${mbedtls_target}
+            POST_BUILD
+            COMMAND ${CMAKE_COMMAND}
+            ARGS -E copy $<TARGET_LINKER_FILE:${target}>
+            ${CMAKE_BINARY_DIR}/library/$<TARGET_LINKER_FILE_NAME:${target}>)
+    endif()
+endforeach(target)
diff --git a/pkgconfig/mbedcrypto.pc.in b/pkgconfig/mbedcrypto.pc.in
index b35afc1b5b..28b9716b64 100644
--- a/pkgconfig/mbedcrypto.pc.in
+++ b/pkgconfig/mbedcrypto.pc.in
@@ -7,4 +7,4 @@ Description: @PKGCONFIG_PROJECT_DESCRIPTION@
 URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
 Version: @PROJECT_VERSION@
 Cflags: -I"${includedir}"
-Libs: -L"${libdir}" -lmbedcrypto
+Libs: -L"${libdir}" -ltfpsacrypto -lbuiltin -leverest -lp256m
diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt
index b6dde7199c..ca1b30f940 100644
--- a/programs/aes/CMakeLists.txt
+++ b/programs/aes/CMakeLists.txt
@@ -4,9 +4,9 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt
index 7d4e4525eb..bd659b470b 100644
--- a/programs/cipher/CMakeLists.txt
+++ b/programs/cipher/CMakeLists.txt
@@ -4,9 +4,9 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
index 44fff9a348..722698a6c4 100644
--- a/programs/fuzz/CMakeLists.txt
+++ b/programs/fuzz/CMakeLists.txt
@@ -28,7 +28,7 @@ add_dependencies(${programs_target} ${executables_with_common_c})
 
 foreach(exe IN LISTS executables_no_common_c executables_with_common_c)
 
-    set(exe_sources ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    set(exe_sources ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     if(NOT FUZZINGENGINE_LIB)
         list(APPEND exe_sources onefile.c)
     endif()
diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt
index c27c4e7153..419d484fd3 100644
--- a/programs/hash/CMakeLists.txt
+++ b/programs/hash/CMakeLists.txt
@@ -6,9 +6,9 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt
index 9caec87325..136baa34c1 100644
--- a/programs/pkey/CMakeLists.txt
+++ b/programs/pkey/CMakeLists.txt
@@ -5,7 +5,7 @@ set(executables_mbedtls
 add_dependencies(${programs_target} ${executables_mbedtls})
 
 foreach(exe IN LISTS executables_mbedtls)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
     target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
@@ -34,9 +34,9 @@ set(executables_mbedcrypto
 add_dependencies(${programs_target} ${executables_mbedcrypto})
 
 foreach(exe IN LISTS executables_mbedcrypto)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt
index 707de434fc..6cff1cfbf8 100644
--- a/programs/psa/CMakeLists.txt
+++ b/programs/psa/CMakeLists.txt
@@ -28,9 +28,9 @@ else()
 endif()
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt
index a83bf9ea35..37e404e215 100644
--- a/programs/random/CMakeLists.txt
+++ b/programs/random/CMakeLists.txt
@@ -5,9 +5,9 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
 endforeach()
 
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
index 6919a8e04e..ed26c6a081 100644
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@@ -38,7 +38,7 @@ foreach(exe IN LISTS executables)
             ${CMAKE_CURRENT_SOURCE_DIR}/../test/query_config.h
             ${CMAKE_CURRENT_BINARY_DIR}/../test/query_config.c)
     endif()
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>
         ${extra_sources})
     set_base_compile_options(${exe})
     target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
@@ -53,7 +53,7 @@ foreach(exe IN LISTS executables)
 endforeach()
 
 if(THREADS_FOUND)
-    add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(ssl_pthread_server ssl_pthread_server.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(ssl_pthread_server)
     target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
     target_link_libraries(ssl_pthread_server ${libs} ${CMAKE_THREAD_LIBS_INIT})
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 83bc9bf30b..6a90c48346 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -34,7 +34,7 @@ if(TEST_CPP)
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/include)
-    target_link_libraries(cpp_dummy_build ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+    target_link_libraries(cpp_dummy_build ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
 endif()
 
 if(USE_SHARED_MBEDTLS_LIBRARY AND
@@ -82,7 +82,7 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
             ${CMAKE_CURRENT_SOURCE_DIR}/query_config.h
             ${CMAKE_CURRENT_BINARY_DIR}/query_config.c)
     endif()
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>
         ${extra_sources})
     set_base_compile_options(${exe})
     target_include_directories(${exe}
@@ -102,7 +102,7 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
     if (${exe_index} GREATER -1)
         target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
     else()
-        target_link_libraries(${exe} ${mbedcrypto_target} ${CMAKE_THREAD_LIBS_INIT})
+        target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
     endif()
 endforeach()
 
diff --git a/programs/test/cmake_package/CMakeLists.txt b/programs/test/cmake_package/CMakeLists.txt
index f498cf931d..85270bc8c7 100644
--- a/programs/test/cmake_package/CMakeLists.txt
+++ b/programs/test/cmake_package/CMakeLists.txt
@@ -35,4 +35,4 @@ find_package(MbedTLS REQUIRED)
 
 add_executable(cmake_package cmake_package.c)
 target_link_libraries(cmake_package
-    MbedTLS::mbedcrypto MbedTLS::mbedtls MbedTLS::mbedx509)
+    MbedTLS::tfpsacrypto MbedTLS::mbedtls MbedTLS::mbedx509)
diff --git a/programs/test/cmake_package_install/CMakeLists.txt b/programs/test/cmake_package_install/CMakeLists.txt
index 6937af4f66..f10109e94c 100644
--- a/programs/test/cmake_package_install/CMakeLists.txt
+++ b/programs/test/cmake_package_install/CMakeLists.txt
@@ -38,4 +38,4 @@ find_package(MbedTLS REQUIRED)
 
 add_executable(cmake_package_install cmake_package_install.c)
 target_link_libraries(cmake_package_install
-    MbedTLS::mbedcrypto MbedTLS::mbedtls MbedTLS::mbedx509)
+    MbedTLS::tfpsacrypto MbedTLS::mbedtls MbedTLS::mbedx509)
diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt
index 78bd5e792d..7acdcc3393 100644
--- a/programs/test/cmake_subproject/CMakeLists.txt
+++ b/programs/test/cmake_subproject/CMakeLists.txt
@@ -14,7 +14,7 @@ add_subdirectory(${MBEDTLS_DIR} build)
 # Link against all the Mbed TLS libraries. Verifies that the targets have been
 # created using the specified prefix
 set(libs
-    subproject_test_mbedcrypto
+    subproject_test_tfpsacrypto
     subproject_test_mbedx509
     subproject_test_mbedtls
 )
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
index f241254238..3a0f37d4ba 100644
--- a/programs/test/dlopen.c
+++ b/programs/test/dlopen.c
@@ -19,7 +19,8 @@
 #define SO_SUFFIX ".so"
 #endif
 
-#define CRYPTO_SO_FILENAME "libmbedcrypto" SO_SUFFIX
+#define MBEDCRYPTO_SO_FILENAME "libmbedcrypto" SO_SUFFIX
+#define TFPSACRYPTO_SO_FILENAME "libtfpsacrypto" SO_SUFFIX
 #define X509_SO_FILENAME "libmbedx509" SO_SUFFIX
 #define TLS_SO_FILENAME "libmbedtls" SO_SUFFIX
 
@@ -73,8 +74,16 @@ int main(void)
 #endif  /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_MD_C)
-    void *crypto_so = dlopen(CRYPTO_SO_FILENAME, RTLD_NOW);
-    CHECK_DLERROR("dlopen", CRYPTO_SO_FILENAME);
+    const char *crypto_so_filename = NULL;
+    void *crypto_so = dlopen(MBEDCRYPTO_SO_FILENAME, RTLD_NOW);
+    if (dlerror() == NULL) {
+        crypto_so_filename = MBEDCRYPTO_SO_FILENAME;
+    } else {
+        crypto_so = dlopen(TFPSACRYPTO_SO_FILENAME, RTLD_NOW);
+        CHECK_DLERROR("dlopen", TFPSACRYPTO_SO_FILENAME);
+        crypto_so_filename = TFPSACRYPTO_SO_FILENAME;
+    }
+
     const int *(*md_list)(void) =
         dlsym(crypto_so, "mbedtls_md_list");
     CHECK_DLERROR("dlsym", "mbedtls_md_list");
@@ -83,9 +92,9 @@ int main(void)
         ;
     }
     mbedtls_printf("dlopen(%s): %u hashes\n",
-                   CRYPTO_SO_FILENAME, n);
+                   crypto_so_filename, n);
     dlclose(crypto_so);
-    CHECK_DLERROR("dlclose", CRYPTO_SO_FILENAME);
+    CHECK_DLERROR("dlclose", crypto_so_filename);
 #endif  /* MBEDTLS_MD_C */
 
     return 0;
diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
index ac713dce2e..befc1339f9 100644
--- a/programs/util/CMakeLists.txt
+++ b/programs/util/CMakeLists.txt
@@ -1,5 +1,5 @@
 set(libs
-    ${mbedcrypto_target}
+    ${tfpsacrypto_target}
     ${mbedx509_target}
 )
 
@@ -10,7 +10,7 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
     target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
index a31bada7fd..837d97a094 100644
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@@ -13,7 +13,7 @@ set(executables
 add_dependencies(${programs_target} ${executables})
 
 foreach(exe IN LISTS executables)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
+    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(${exe})
     target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT})
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index eba6c51787..2deae8f531 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,6 +1,5 @@
 set(libs
     ${mbedtls_target}
-    ${everest_target}
     ${CMAKE_THREAD_LIBS_INIT}
 )
 
@@ -155,7 +154,7 @@ function(add_test_suite suite_name)
     )
 
     add_executable(test_suite_${data_name} test_suite_${data_name}.c
-                   $<TARGET_OBJECTS:mbedtls_test>
+                   $<TARGET_OBJECTS:tf_psa_crypto_test>
                    $<TARGET_OBJECTS:mbedtls_test_helpers>)
     set_base_compile_options(test_suite_${data_name})
     target_compile_options(test_suite_${data_name} PRIVATE ${TEST_C_FLAGS})
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index f2b74a9429..7ebe627947 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -20,7 +20,7 @@ component_test_cmake_shared () {
     msg "build/test: cmake shared" # ~ 2min
     cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
     make
-    ldd programs/util/strerror | grep libmbedcrypto
+    ldd programs/util/strerror | grep libtfpsacrypto
     make test
     programs/test/dlopen_demo.sh
 }
diff --git a/tf-psa-crypto/CMakeLists.txt b/tf-psa-crypto/CMakeLists.txt
index 21eb64e6fd..21bfd2b4e6 100644
--- a/tf-psa-crypto/CMakeLists.txt
+++ b/tf-psa-crypto/CMakeLists.txt
@@ -13,13 +13,19 @@
 # - TF_PSA_CRYPTO_TARGET_PREFIX: CMake targets are designed to be alterable by
 #   calling CMake in order to avoid target name clashes, via the use of
 #   TF_PSA_CRYPTO_TARGET_PREFIX. The value of this variable is prefixed to the
-#   tfpsacrypto and apidoc targets.
+#   tfpsacrypto and tfpsacrypto-apidoc targets.
 #
 
 # We specify a minimum requirement of 3.10.2, but for now use 3.5.1 here
 # until our infrastructure catches up.
 cmake_minimum_required(VERSION 3.5.1)
 
+include(CMakePackageConfigHelpers)
+
+# Include convenience functions for printing properties and variables, like
+# cmake_print_properties(), cmake_print_variables().
+include(CMakePrintHelpers)
+
 # https://cmake.org/cmake/help/latest/policy/CMP0011.html
 # Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD
 # policy setting is deprecated, and will be removed in future versions.
@@ -31,28 +37,6 @@ cmake_policy(SET CMP0011 NEW)
 # is deprecated and will be removed in future versions.
 cmake_policy(SET CMP0012 NEW)
 
-if(NOT (CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR))
-
-set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${MBEDTLS_PYTHON_EXECUTABLE})
-set(USE_STATIC_TF_PSA_CRYPTO_LIBRARY ${USE_STATIC_MBEDTLS_LIBRARY})
-set(USE_SHARED_TF_PSA_CRYPTO_LIBRARY ${USE_SHARED_MBEDTLS_LIBRARY})
-set(TF_PSA_CRYPTO_TARGET_PREFIX ${MBEDTLS_TARGET_PREFIX})
-option(INSTALL_TF_PSA_CRYPTO_HEADERS "Install TF-PSA-Crypto headers." ${INSTALL_MBEDTLS_HEADERS})
-
-# Set the project root directory.
-set(TF_PSA_CRYPTO_DIR ${CMAKE_CURRENT_SOURCE_DIR})
-
-add_subdirectory(include)
-add_subdirectory(core)
-add_subdirectory(drivers)
-
-if(ENABLE_TESTING)
-    enable_testing()
-    add_subdirectory(tests)
-endif()
-
-else(NOT (CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR))
-
 set(TF_PSA_CRYPTO_VERSION 0.1.0)
 set(TF_PSA_CRYPTO_SOVERSION 0)
 
@@ -68,6 +52,477 @@ else()
     )
 endif()
 
-include(TF-PSA-Crypto.cmake)
+include(GNUInstallDirs)
 
-endif(NOT (CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR))
+# Determine if TF-PSA-Crypto is being built as a subproject using add_subdirectory()
+if(NOT DEFINED TF_PSA_CRYPTO_AS_SUBPROJECT)
+  set(TF_PSA_CRYPTO_AS_SUBPROJECT ON)
+  if(CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR)
+    set(TF_PSA_CRYPTO_AS_SUBPROJECT OFF)
+  endif()
+endif()
+
+# Set the project, Mbed TLS and framework root directory.
+set(TF_PSA_CRYPTO_DIR ${CMAKE_CURRENT_SOURCE_DIR})
+set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/..)
+set(MBEDTLS_FRAMEWORK_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../framework)
+
+# Put the version numbers into relevant files
+set(version_number_files
+        doxygen/input/doc_mainpage.h
+        doxygen/tfpsacrypto.doxyfile)
+foreach(file ${version_number_files})
+    configure_file(${file}.in
+                   ${TF_PSA_CRYPTO_DIR}/${file})
+endforeach(file)
+
+ADD_CUSTOM_TARGET(${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto-apidoc
+    COMMAND doxygen tfpsacrypto.doxyfile
+    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
+
+option(ENABLE_PROGRAMS "Build TF-PSA-Crypto programs." ON)
+
+option(TF_PSA_CRYPTO_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
+if(CMAKE_HOST_WIN32)
+    # N.B. The comment on the next line is significant! If you change it,
+    # edit the sed command in prepare_release.sh that modifies
+    # CMakeLists.txt.
+    option(GEN_FILES "Generate the auto-generated files as needed" OFF) # off in development
+else()
+    option(GEN_FILES "Generate the auto-generated files as needed" ON)
+endif()
+
+# Support for package config and install to be added later.
+option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${TF_PSA_CRYPTO_AS_SUBPROJECT})
+
+if (CMAKE_C_SIMULATE_ID)
+    set(COMPILER_ID ${CMAKE_C_SIMULATE_ID})
+else()
+    set(COMPILER_ID ${CMAKE_C_COMPILER_ID})
+endif(CMAKE_C_SIMULATE_ID)
+
+string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${COMPILER_ID}")
+string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${COMPILER_ID}")
+string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${COMPILER_ID}")
+string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${COMPILER_ID}")
+
+# the test suites currently have compile errors with MSVC
+if(CMAKE_COMPILER_IS_MSVC)
+    option(ENABLE_TESTING "Build TF-PSA-Crypto tests." OFF)
+else()
+    option(ENABLE_TESTING "Build TF-PSA-Crypto tests." ON)
+endif()
+
+option(USE_STATIC_TF_PSA_CRYPTO_LIBRARY "Build TF-PSA-Crypto static library." ON)
+option(USE_SHARED_TF_PSA_CRYPTO_LIBRARY "Build TF-PSA-Crypto shared library." OFF)
+option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF)
+option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF)
+
+set(tfpsacrypto_target "${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto")
+if (USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
+    set(tfpsacrypto_static_target ${tfpsacrypto_target})
+endif()
+if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY AND USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
+    string(APPEND tfpsacrypto_static_target "_static")
+endif()
+
+# Warning string - created as a list for compatibility with CMake 2.8
+set(CTR_DRBG_128_BIT_KEY_WARN_L1 "****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
+set(CTR_DRBG_128_BIT_KEY_WARN_L2 "****  Using 128-bit keys for CTR_DRBG limits the security of generated\n")
+set(CTR_DRBG_128_BIT_KEY_WARN_L3 "****  keys and operations that use random values generated to 128-bit security\n")
+
+set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L1}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L2}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
+                         "${WARNING_BORDER}")
+
+# Python 3 is only needed here to check for configuration warnings.
+if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
+    set(Python3_FIND_STRATEGY LOCATION)
+    find_package(Python3 COMPONENTS Interpreter)
+    if(Python3_Interpreter_FOUND)
+        set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
+    endif()
+else()
+    find_package(PythonInterp 3)
+    if(PYTHONINTERP_FOUND)
+        set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
+    endif()
+endif()
+if(TF_PSA_CRYPTO_PYTHON_EXECUTABLE)
+
+    # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
+    execute_process(COMMAND ${TF_PSA_CRYPTO_PYTHON_EXECUTABLE} ${MBEDTLS_DIR}/scripts/config.py -f ${MBEDTLS_DIR}/include/mbedtls/mbedtls_config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+                        RESULT_VARIABLE result)
+    if(${result} EQUAL 0)
+        message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
+    endif()
+
+endif()
+
+# We now potentially need to link all executables against PThreads, if available
+set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
+set(THREADS_PREFER_PTHREAD_FLAG TRUE)
+find_package(Threads)
+
+# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
+if(NOT TF_PSA_CRYPTO_AS_SUBPROJECT)
+    set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
+        CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
+        FORCE)
+endif()
+
+# Make TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE into PATHs
+set(TF_PSA_CRYPTO_CONFIG_FILE "" CACHE FILEPATH "TF-PSA-Crypto config file (overrides default).")
+set(TF_PSA_CRYPTO_USER_CONFIG_FILE "" CACHE FILEPATH "TF-PSA-Crypto user config file (appended to default).")
+
+# Create a symbolic link from ${base_name} in the binary directory
+# to the corresponding path in the source directory.
+# Note: Copies the file(s) on Windows.
+function(link_to_source base_name)
+    set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
+    set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
+
+    # Linking to non-existent file is not desirable. At best you will have a
+    # dangling link, but when building in tree, this can create a symbolic link
+    # to itself.
+    if (EXISTS ${target} AND NOT EXISTS ${link})
+        if (CMAKE_HOST_UNIX)
+            execute_process(COMMAND ln -s ${target} ${link}
+                RESULT_VARIABLE result
+                ERROR_VARIABLE output)
+
+            if (NOT ${result} EQUAL 0)
+                message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
+            endif()
+        else()
+            if (IS_DIRECTORY ${target})
+                file(GLOB_RECURSE files FOLLOW_SYMLINKS LIST_DIRECTORIES false RELATIVE ${target} "${target}/*")
+                foreach(file IN LISTS files)
+                    configure_file("${target}/${file}" "${link}/${file}" COPYONLY)
+                endforeach(file)
+            else()
+                configure_file(${target} ${link} COPYONLY)
+            endif()
+        endif()
+    endif()
+endfunction(link_to_source)
+
+# Get the filename without the final extension (i.e. convert "a.b.c" to "a.b")
+function(get_name_without_last_ext dest_var full_name)
+    # Split into a list on '.' (but a cmake list is just a ';'-separated string)
+    string(REPLACE "." ";" ext_parts "${full_name}")
+    # Remove the last item if there are more than one
+    list(LENGTH ext_parts ext_parts_len)
+    if (${ext_parts_len} GREATER "1")
+        math(EXPR ext_parts_last_item "${ext_parts_len} - 1")
+        list(REMOVE_AT ext_parts ${ext_parts_last_item})
+    endif()
+    # Convert back to a string by replacing separators with '.'
+    string(REPLACE ";" "." no_ext_name "${ext_parts}")
+    # Copy into the desired variable
+    set(${dest_var} ${no_ext_name} PARENT_SCOPE)
+endfunction(get_name_without_last_ext)
+
+include(CheckCCompilerFlag)
+
+set(CMAKE_C_EXTENSIONS OFF)
+set(CMAKE_C_STANDARD 99)
+
+function(set_base_compile_options target)
+    if(CMAKE_COMPILER_IS_GNU)
+        set_gnu_base_compile_options(${target})
+    elseif(CMAKE_COMPILER_IS_CLANG)
+        set_clang_base_compile_options(${target})
+    elseif(CMAKE_COMPILER_IS_IAR)
+        set_iar_base_compile_options(${target})
+    elseif(CMAKE_COMPILER_IS_MSVC)
+        set_msvc_base_compile_options(${target})
+    endif()
+endfunction(set_base_compile_options)
+
+function(set_gnu_base_compile_options target)
+    # some warnings we want are not available with old GCC versions
+    # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
+    execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
+                    OUTPUT_VARIABLE GCC_VERSION)
+    target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes)
+    if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
+        target_compile_options(${target} PRIVATE -Wformat=2 -Wno-format-nonliteral)
+    endif()
+    if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
+        target_compile_options(${target} PRIVATE -Wvla)
+    endif()
+    if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
+        target_compile_options(${target} PRIVATE -Wlogical-op)
+    endif()
+    if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
+        target_compile_options(${target} PRIVATE -Wshadow)
+    endif()
+    if (GCC_VERSION VERSION_GREATER 5.0)
+        CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
+        if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
+            target_compile_options(${target} PRIVATE -Wformat-signedness)
+        endif()
+    endif()
+    if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
+      target_compile_options(${target} PRIVATE -Wformat-overflow=2 -Wformat-truncation)
+    endif()
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
+    # Old GCC versions hit a performance problem with test_suite_pkwrite
+    # "Private keey write check EC" tests when building with Asan+UBSan
+    # and -O3: those tests take more than 100x time than normal, with
+    # test_suite_pkwrite taking >3h on the CI. Observed with GCC 5.4 on
+    # Ubuntu 16.04 x86_64 and GCC 6.5 on Ubuntu 18.04 x86_64.
+    # GCC 7.5 and above on Ubuntu 18.04 appear fine.
+    # To avoid the performance problem, we use -O2 when GCC version is lower than 7.0.
+    # It doesn't slow down much even with modern compiler versions.
+    target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all>)
+    if (GCC_VERSION VERSION_LESS 7.0)
+        target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O2>)
+    else()
+        target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O3>)
+    endif()
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:CheckFull>:-Os -Wcast-qual>)
+
+    if(TF_PSA_CRYPTO_FATAL_WARNINGS)
+        target_compile_options(${target} PRIVATE -Werror)
+    endif(TF_PSA_CRYPTO_FATAL_WARNINGS)
+endfunction(set_gnu_base_compile_options)
+
+function(set_clang_base_compile_options target)
+    target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:MemSan>:-fsanitize=memory>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSAN "-fsanitize=memory")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:MemSanDbg>:-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSANDBG "-fsanitize=memory")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
+    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
+
+    if(MBEDTLS_FATAL_WARNINGS)
+        target_compile_options(${target} PRIVATE -Werror)
+    endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_clang_base_compile_options)
+
+function(set_iar_base_compile_options target)
+    target_compile_options(${target} PRIVATE --warn_about_c_style_casts)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-Ohz>)
+    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:--debug -On>)
+
+    if(MBEDTLS_FATAL_WARNINGS)
+        target_compile_options(${target} PRIVATE --warnings_are_errors)
+    endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_iar_base_compile_options)
+
+function(set_msvc_base_compile_options target)
+    # Strictest warnings, UTF-8 source and execution charset
+    target_compile_options(${target} PRIVATE /W3 /utf-8)
+
+    if(MBEDTLS_FATAL_WARNINGS)
+        target_compile_options(${target} PRIVATE /WX)
+    endif(MBEDTLS_FATAL_WARNINGS)
+endfunction(set_msvc_base_compile_options)
+
+function(set_config_files_compile_definitions target)
+    # Pass-through MBEDTLS_CONFIG_FILE, MBEDTLS_USER_CONFIG_FILE,
+    # TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE
+    if(MBEDTLS_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
+    endif()
+    if(MBEDTLS_USER_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
+    endif()
+    if(TF_PSA_CRYPTO_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
+    endif()
+    if(TF_PSA_CRYPTO_USER_CONFIG_FILE)
+        target_compile_definitions(${target}
+            PUBLIC MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
+    endif()
+endfunction(set_config_files_compile_definitions)
+
+if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
+    set(CMAKE_CXX_STANDARD 11)
+    set(CMAKE_CXX_STANDARD_REQUIRED ON)
+    set(CMAKE_CXX_EXTENSIONS OFF)
+    if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic")
+    endif()
+endif()
+
+if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
+    message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
+endif()
+
+add_subdirectory(include)
+add_subdirectory(core)
+add_subdirectory(drivers)
+add_subdirectory(pkgconfig)
+
+#
+# The C files in tests/src directory contain test code shared among test suites
+# and programs. This shared test code is compiled and linked to test suites and
+# programs objects as a set of compiled objects. The compiled objects are NOT
+# built into a library that the test suite and program objects would link
+# against as they link against the tfpsacrypto library. The reason is that such
+# library is expected to have mutual dependencies with the aforementioned
+# library and that there is as of today no portable way of handling such
+# dependencies (only toolchain specific solutions).
+#
+# Thus the below definition of the `tf_psa_crypto_test` CMake library of
+# objects target. This library of objects is used by tests and programs CMake
+# files to define the test executables.
+#
+if(ENABLE_TESTING OR ENABLE_PROGRAMS)
+    file(GLOB MBEDTLS_TEST_FILES
+         ${MBEDTLS_DIR}/tests/src/*.c
+         ${MBEDTLS_DIR}/tests/src/drivers/*.c)
+    add_library(tf_psa_crypto_test OBJECT ${MBEDTLS_TEST_FILES})
+    set_base_compile_options(tf_psa_crypto_test)
+    if(GEN_FILES)
+        add_custom_command(
+            OUTPUT
+                ${MBEDTLS_DIR}/tests/src/test_keys.h
+            WORKING_DIRECTORY
+                ${MBEDTLS_DIR}/tests
+            COMMAND
+                "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
+                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
+                "--output"
+                "${MBEDTLS_DIR}/tests/src/test_keys.h"
+            DEPENDS
+                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py
+        )
+        add_custom_target(tf_psa_crypto_test_keys_header DEPENDS ${MBEDTLS_DIR}/tests/src/test_keys.h)
+
+        add_custom_command(
+            OUTPUT
+                ${MBEDTLS_DIR}/tests/src/test_certs.h
+            WORKING_DIRECTORY
+                ${MBEDTLS_DIR}/tests
+            COMMAND
+                "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
+                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
+                "--output"
+                "${MBEDTLS_DIR}/tests/src/test_certs.h"
+            DEPENDS
+                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
+        )
+        add_custom_target(tf_psa_crypto_test_certs_header DEPENDS ${MBEDTLS_DIR}/tests/src/test_certs.h)
+        add_dependencies(tf_psa_crypto_test tf_psa_crypto_test_keys_header tf_psa_crypto_test_certs_header)
+    endif()
+    target_include_directories(tf_psa_crypto_test
+        PRIVATE ${MBEDTLS_DIR}/tests/include
+        PRIVATE ${MBEDTLS_DIR}/include
+        PRIVATE include
+        PRIVATE drivers/builtin/include
+        PRIVATE drivers/everest/include
+        PRIVATE core
+        PRIVATE drivers/builtin/src)
+    # Request C11, needed for memory poisoning tests
+    set_target_properties(tf_psa_crypto_test PROPERTIES C_STANDARD 11)
+    set_config_files_compile_definitions(tf_psa_crypto_test)
+endif()
+
+if(ENABLE_PROGRAMS)
+    add_subdirectory(programs)
+endif()
+
+if(ENABLE_TESTING)
+    enable_testing()
+
+    add_subdirectory(tests)
+
+    # additional convenience targets for Unix only
+    if(UNIX AND (NOT TF_PSA_CRYPTO_AS_SUBPROJECT))
+        # For coverage testing:
+        # 1. Build with:
+        #         cmake -D CMAKE_BUILD_TYPE=Coverage /path/to/source && make
+        # 2. Run the relevant tests for the part of the code you're interested in.
+        #    For the reference coverage measurement, see
+        #    tests/scripts/basic-build-test.sh
+        # 3. Run scripts/lcov.sh to generate an HTML report.
+        ADD_CUSTOM_TARGET(lcov
+            COMMAND ${MBEDTLS_DIR}/scripts/lcov.sh
+        )
+
+        ADD_CUSTOM_TARGET(memcheck
+            COMMAND sed -i.bak s+/usr/bin/valgrind+`which valgrind`+ DartConfiguration.tcl
+            COMMAND ctest -O memcheck.log -D ExperimentalMemCheck
+            COMMAND tail -n1 memcheck.log | grep 'Memory checking results:' > /dev/null
+            COMMAND rm -f memcheck.log
+            COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
+        )
+    endif()
+
+    # Make scripts needed for testing available in an out-of-source build.
+    if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+        link_to_source(scripts)
+        # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
+        # keep things simple with the sed commands in the memcheck target.
+        configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
+                    ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
+    endif()
+endif()
+
+if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
+    configure_package_config_file(
+        "cmake/TF-PSA-CryptoConfig.cmake.in"
+        "cmake/TF-PSA-CryptoConfig.cmake"
+            INSTALL_DESTINATION "cmake")
+
+    write_basic_package_version_file(
+        "cmake/TF-PSA-CryptoConfigVersion.cmake"
+            COMPATIBILITY SameMajorVersion
+            VERSION 0.1.0)
+
+    install(
+        FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfig.cmake"
+              "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfigVersion.cmake"
+        DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto")
+
+    export(
+        EXPORT TF-PSA-CryptoTargets
+        NAMESPACE TF-PSA-Crypto::
+        FILE "cmake/TF-PSA-CryptoTargets.cmake")
+
+    install(
+        EXPORT TF-PSA-CryptoTargets
+        NAMESPACE TF-PSA-Crypto::
+        DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto"
+        FILE "TF-PSA-CryptoTargets.cmake")
+
+    if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
+        # Do not export the package by default
+        cmake_policy(SET CMP0090 NEW)
+
+        # Make this package visible to the system
+        export(PACKAGE TF-PSA-Crypto)
+    endif()
+endif()
diff --git a/tf-psa-crypto/TF-PSA-Crypto.cmake b/tf-psa-crypto/TF-PSA-Crypto.cmake
deleted file mode 100644
index 13b7a45bf0..0000000000
--- a/tf-psa-crypto/TF-PSA-Crypto.cmake
+++ /dev/null
@@ -1,462 +0,0 @@
-include(CMakePackageConfigHelpers)
-include(GNUInstallDirs)
-
-# Determine if TF-PSA-Crypto is being built as a subproject using add_subdirectory()
-if(NOT DEFINED TF_PSA_CRYPTO_AS_SUBPROJECT)
-  set(TF_PSA_CRYPTO_AS_SUBPROJECT ON)
-  if(CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR)
-    set(TF_PSA_CRYPTO_AS_SUBPROJECT OFF)
-  endif()
-endif()
-
-# Set the project, Mbed TLS and framework root directory.
-set(TF_PSA_CRYPTO_DIR ${CMAKE_CURRENT_SOURCE_DIR})
-set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/..)
-set(MBEDTLS_FRAMEWORK_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../framework)
-
-# Put the version numbers into relevant files
-set(version_number_files
-        doxygen/input/doc_mainpage.h
-        doxygen/tfpsacrypto.doxyfile)
-foreach(file ${version_number_files})
-    configure_file(${file}.in
-                   ${TF_PSA_CRYPTO_DIR}/${file})
-endforeach(file)
-
-ADD_CUSTOM_TARGET(${TF_PSA_CRYPTO_TARGET_PREFIX}apidoc
-    COMMAND doxygen tfpsacrypto.doxyfile
-    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
-
-option(ENABLE_PROGRAMS "Build TF-PSA-Crypto programs." ON)
-
-option(TF_PSA_CRYPTO_FATAL_WARNINGS "Compiler warnings treated as errors" ON)
-if(CMAKE_HOST_WIN32)
-    # N.B. The comment on the next line is significant! If you change it,
-    # edit the sed command in prepare_release.sh that modifies
-    # CMakeLists.txt.
-    option(GEN_FILES "Generate the auto-generated files as needed" OFF) # off in development
-else()
-    option(GEN_FILES "Generate the auto-generated files as needed" ON)
-endif()
-
-# Support for package config and install to be added later.
-option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${TF_PSA_CRYPTO_AS_SUBPROJECT})
-
-if (CMAKE_C_SIMULATE_ID)
-    set(COMPILER_ID ${CMAKE_C_SIMULATE_ID})
-else()
-    set(COMPILER_ID ${CMAKE_C_COMPILER_ID})
-endif(CMAKE_C_SIMULATE_ID)
-
-string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${COMPILER_ID}")
-string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${COMPILER_ID}")
-string(REGEX MATCH "IAR" CMAKE_COMPILER_IS_IAR "${COMPILER_ID}")
-string(REGEX MATCH "MSVC" CMAKE_COMPILER_IS_MSVC "${COMPILER_ID}")
-
-# the test suites currently have compile errors with MSVC
-if(CMAKE_COMPILER_IS_MSVC)
-    option(ENABLE_TESTING "Build TF-PSA-Crypto tests." OFF)
-else()
-    option(ENABLE_TESTING "Build TF-PSA-Crypto tests." ON)
-endif()
-
-option(USE_STATIC_TF_PSA_CRYPTO_LIBRARY "Build TF-PSA-Crypto static library." ON)
-option(USE_SHARED_TF_PSA_CRYPTO_LIBRARY "Build TF-PSA-Crypto shared library." OFF)
-option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF)
-option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF)
-
-set(mbedcrypto_target "${TF_PSA_CRYPTO_TARGET_PREFIX}mbedcrypto")
-if (USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
-    set(mbedcrypto_static_target ${mbedcrypto_target})
-endif()
-if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY AND USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
-    string(APPEND mbedcrypto_static_target "_static")
-endif()
-
-# Warning string - created as a list for compatibility with CMake 2.8
-set(CTR_DRBG_128_BIT_KEY_WARN_L1 "****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
-set(CTR_DRBG_128_BIT_KEY_WARN_L2 "****  Using 128-bit keys for CTR_DRBG limits the security of generated\n")
-set(CTR_DRBG_128_BIT_KEY_WARN_L3 "****  keys and operations that use random values generated to 128-bit security\n")
-
-set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
-                         "${CTR_DRBG_128_BIT_KEY_WARN_L1}"
-                         "${CTR_DRBG_128_BIT_KEY_WARN_L2}"
-                         "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
-                         "${WARNING_BORDER}")
-
-# Python 3 is only needed here to check for configuration warnings.
-if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
-    set(Python3_FIND_STRATEGY LOCATION)
-    find_package(Python3 COMPONENTS Interpreter)
-    if(Python3_Interpreter_FOUND)
-        set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
-    endif()
-else()
-    find_package(PythonInterp 3)
-    if(PYTHONINTERP_FOUND)
-        set(TF_PSA_CRYPTO_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
-    endif()
-endif()
-if(TF_PSA_CRYPTO_PYTHON_EXECUTABLE)
-
-    # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-    execute_process(COMMAND ${TF_PSA_CRYPTO_PYTHON_EXECUTABLE} ${MBEDTLS_DIR}/scripts/config.py -f ${MBEDTLS_DIR}/include/mbedtls/mbedtls_config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
-                        RESULT_VARIABLE result)
-    if(${result} EQUAL 0)
-        message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
-    endif()
-
-endif()
-
-# We now potentially need to link all executables against PThreads, if available
-set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
-set(THREADS_PREFER_PTHREAD_FLAG TRUE)
-find_package(Threads)
-
-# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
-if(NOT TF_PSA_CRYPTO_AS_SUBPROJECT)
-    set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
-        CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
-        FORCE)
-endif()
-
-# Make TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE into PATHs
-set(TF_PSA_CRYPTO_CONFIG_FILE "" CACHE FILEPATH "TF-PSA-Crypto config file (overrides default).")
-set(TF_PSA_CRYPTO_USER_CONFIG_FILE "" CACHE FILEPATH "TF-PSA-Crypto user config file (appended to default).")
-
-# Create a symbolic link from ${base_name} in the binary directory
-# to the corresponding path in the source directory.
-# Note: Copies the file(s) on Windows.
-function(link_to_source base_name)
-    set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
-    set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
-
-    # Linking to non-existent file is not desirable. At best you will have a
-    # dangling link, but when building in tree, this can create a symbolic link
-    # to itself.
-    if (EXISTS ${target} AND NOT EXISTS ${link})
-        if (CMAKE_HOST_UNIX)
-            execute_process(COMMAND ln -s ${target} ${link}
-                RESULT_VARIABLE result
-                ERROR_VARIABLE output)
-
-            if (NOT ${result} EQUAL 0)
-                message(FATAL_ERROR "Could not create symbolic link for: ${target} --> ${output}")
-            endif()
-        else()
-            if (IS_DIRECTORY ${target})
-                file(GLOB_RECURSE files FOLLOW_SYMLINKS LIST_DIRECTORIES false RELATIVE ${target} "${target}/*")
-                foreach(file IN LISTS files)
-                    configure_file("${target}/${file}" "${link}/${file}" COPYONLY)
-                endforeach(file)
-            else()
-                configure_file(${target} ${link} COPYONLY)
-            endif()
-        endif()
-    endif()
-endfunction(link_to_source)
-
-# Get the filename without the final extension (i.e. convert "a.b.c" to "a.b")
-function(get_name_without_last_ext dest_var full_name)
-    # Split into a list on '.' (but a cmake list is just a ';'-separated string)
-    string(REPLACE "." ";" ext_parts "${full_name}")
-    # Remove the last item if there are more than one
-    list(LENGTH ext_parts ext_parts_len)
-    if (${ext_parts_len} GREATER "1")
-        math(EXPR ext_parts_last_item "${ext_parts_len} - 1")
-        list(REMOVE_AT ext_parts ${ext_parts_last_item})
-    endif()
-    # Convert back to a string by replacing separators with '.'
-    string(REPLACE ";" "." no_ext_name "${ext_parts}")
-    # Copy into the desired variable
-    set(${dest_var} ${no_ext_name} PARENT_SCOPE)
-endfunction(get_name_without_last_ext)
-
-include(CheckCCompilerFlag)
-
-set(CMAKE_C_EXTENSIONS OFF)
-set(CMAKE_C_STANDARD 99)
-
-function(set_base_compile_options target)
-    if(CMAKE_COMPILER_IS_GNU)
-        set_gnu_base_compile_options(${target})
-    elseif(CMAKE_COMPILER_IS_CLANG)
-        set_clang_base_compile_options(${target})
-    elseif(CMAKE_COMPILER_IS_IAR)
-        set_iar_base_compile_options(${target})
-    elseif(CMAKE_COMPILER_IS_MSVC)
-        set_msvc_base_compile_options(${target})
-    endif()
-endfunction(set_base_compile_options)
-
-function(set_gnu_base_compile_options target)
-    # some warnings we want are not available with old GCC versions
-    # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
-    execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
-                    OUTPUT_VARIABLE GCC_VERSION)
-    target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes)
-    if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
-        target_compile_options(${target} PRIVATE -Wformat=2 -Wno-format-nonliteral)
-    endif()
-    if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3)
-        target_compile_options(${target} PRIVATE -Wvla)
-    endif()
-    if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5)
-        target_compile_options(${target} PRIVATE -Wlogical-op)
-    endif()
-    if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
-        target_compile_options(${target} PRIVATE -Wshadow)
-    endif()
-    if (GCC_VERSION VERSION_GREATER 5.0)
-        CHECK_C_COMPILER_FLAG("-Wformat-signedness" C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
-        if(C_COMPILER_SUPPORTS_WFORMAT_SIGNEDNESS)
-            target_compile_options(${target} PRIVATE -Wformat-signedness)
-        endif()
-    endif()
-    if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
-      target_compile_options(${target} PRIVATE -Wformat-overflow=2 -Wformat-truncation)
-    endif()
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
-    # Old GCC versions hit a performance problem with test_suite_pkwrite
-    # "Private keey write check EC" tests when building with Asan+UBSan
-    # and -O3: those tests take more than 100x time than normal, with
-    # test_suite_pkwrite taking >3h on the CI. Observed with GCC 5.4 on
-    # Ubuntu 16.04 x86_64 and GCC 6.5 on Ubuntu 18.04 x86_64.
-    # GCC 7.5 and above on Ubuntu 18.04 appear fine.
-    # To avoid the performance problem, we use -O2 when GCC version is lower than 7.0.
-    # It doesn't slow down much even with modern compiler versions.
-    target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all>)
-    if (GCC_VERSION VERSION_LESS 7.0)
-        target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O2>)
-    else()
-        target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-O3>)
-    endif()
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:CheckFull>:-Os -Wcast-qual>)
-
-    if(TF_PSA_CRYPTO_FATAL_WARNINGS)
-        target_compile_options(${target} PRIVATE -Werror)
-    endif(TF_PSA_CRYPTO_FATAL_WARNINGS)
-endfunction(set_gnu_base_compile_options)
-
-function(set_clang_base_compile_options target)
-    target_compile_options(${target} PRIVATE -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-O2>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:-O0 -g3>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Coverage>:-O0 -g3 --coverage>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_COVERAGE "--coverage")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:ASan>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASAN "-fsanitize=address -fsanitize=undefined")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:ASanDbg>:-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_ASANDBG "-fsanitize=address -fsanitize=undefined")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:MemSan>:-fsanitize=memory>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSAN "-fsanitize=memory")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:MemSanDbg>:-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_MEMSANDBG "-fsanitize=memory")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:TSan>:-fsanitize=thread -O3>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSAN "-fsanitize=thread")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:TSanDbg>:-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls>)
-    set_target_properties(${target} PROPERTIES LINK_FLAGS_TSANDBG "-fsanitize=thread")
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Check>:-Os>)
-
-    if(MBEDTLS_FATAL_WARNINGS)
-        target_compile_options(${target} PRIVATE -Werror)
-    endif(MBEDTLS_FATAL_WARNINGS)
-endfunction(set_clang_base_compile_options)
-
-function(set_iar_base_compile_options target)
-    target_compile_options(${target} PRIVATE --warn_about_c_style_casts)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Release>:-Ohz>)
-    target_compile_options(${target} PRIVATE $<$<CONFIG:Debug>:--debug -On>)
-
-    if(MBEDTLS_FATAL_WARNINGS)
-        target_compile_options(${target} PRIVATE --warnings_are_errors)
-    endif(MBEDTLS_FATAL_WARNINGS)
-endfunction(set_iar_base_compile_options)
-
-function(set_msvc_base_compile_options target)
-    # Strictest warnings, UTF-8 source and execution charset
-    target_compile_options(${target} PRIVATE /W3 /utf-8)
-
-    if(MBEDTLS_FATAL_WARNINGS)
-        target_compile_options(${target} PRIVATE /WX)
-    endif(MBEDTLS_FATAL_WARNINGS)
-endfunction(set_msvc_base_compile_options)
-
-if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
-    set(CMAKE_CXX_STANDARD 11)
-    set(CMAKE_CXX_STANDARD_REQUIRED ON)
-    set(CMAKE_CXX_EXTENSIONS OFF)
-    if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
-        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic")
-    endif()
-endif()
-
-if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
-    message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found. Run `git submodule update --init` from the source tree to fetch the submodule contents.")
-endif()
-
-add_subdirectory(include)
-add_subdirectory(core)
-add_subdirectory(drivers)
-add_subdirectory(pkgconfig)
-
-#
-# The C files in tests/src directory contain test code shared among test suites
-# and programs. This shared test code is compiled and linked to test suites and
-# programs objects as a set of compiled objects. The compiled objects are NOT
-# built into a library that the test suite and program objects would link
-# against as they link against the tfpsacrypto library. The reason is that such
-# library is expected to have mutual dependencies with the aforementioned
-# library and that there is as of today no portable way of handling such
-# dependencies (only toolchain specific solutions).
-#
-# Thus the below definition of the `mbedtls_test` CMake library of objects
-# target. This library of objects is used by tests and programs CMake files
-# to define the test executables.
-#
-if(ENABLE_TESTING OR ENABLE_PROGRAMS)
-    file(GLOB MBEDTLS_TEST_FILES
-         ${MBEDTLS_DIR}/tests/src/*.c
-         ${MBEDTLS_DIR}/tests/src/drivers/*.c)
-    add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
-    set_base_compile_options(mbedtls_test)
-    if(GEN_FILES)
-        add_custom_command(
-            OUTPUT
-                ${MBEDTLS_DIR}/tests/src/test_keys.h
-            WORKING_DIRECTORY
-                ${MBEDTLS_DIR}/tests
-            COMMAND
-                "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
-                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
-                "--output"
-                "${MBEDTLS_DIR}/tests/src/test_keys.h"
-            DEPENDS
-                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py
-        )
-        add_custom_target(test_keys_header DEPENDS ${MBEDTLS_DIR}/tests/src/test_keys.h)
-
-        add_custom_command(
-            OUTPUT
-                ${MBEDTLS_DIR}/tests/src/test_certs.h
-            WORKING_DIRECTORY
-                ${MBEDTLS_DIR}/tests
-            COMMAND
-                "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}"
-                "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
-                "--output"
-                "${MBEDTLS_DIR}/tests/src/test_certs.h"
-            DEPENDS
-                ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
-        )
-        add_custom_target(test_certs_header DEPENDS ${MBEDTLS_DIR}/tests/src/test_certs.h)
-        add_dependencies(mbedtls_test test_keys_header test_certs_header)
-    endif()
-    target_include_directories(mbedtls_test
-        PRIVATE ${MBEDTLS_DIR}/tests/include
-        PRIVATE ${MBEDTLS_DIR}/include
-        PRIVATE include
-        PRIVATE drivers/builtin/include
-        PRIVATE core
-        PRIVATE drivers/builtin/src)
-    # Request C11, needed for memory poisoning tests
-    set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)
-
-    # Pass-through TF_PSA_CRYPTO_CONFIG_FILE and TF_PSA_CRYPTO_USER_CONFIG_FILE
-    if(TF_PSA_CRYPTO_CONFIG_FILE)
-        target_compile_definitions(mbedtls_test
-            PUBLIC TF_PSA_CRYPTO_CONFIG_FILE="${TF_PSA_CRYPTO_CONFIG_FILE}")
-    endif()
-    if(TF_PSA_CRYPTO_USER_CONFIG_FILE)
-        target_compile_definitions(mbedtls_test
-            PUBLIC TF_PSA_CRYPTO_USER_CONFIG_FILE="${TF_PSA_CRYPTO_USER_CONFIG_FILE}")
-    endif()
-endif()
-
-if(ENABLE_PROGRAMS)
-    add_subdirectory(programs)
-endif()
-
-if(ENABLE_TESTING)
-    enable_testing()
-
-    add_subdirectory(tests)
-
-    # additional convenience targets for Unix only
-    if(UNIX)
-        # For coverage testing:
-        # 1. Build with:
-        #         cmake -D CMAKE_BUILD_TYPE=Coverage /path/to/source && make
-        # 2. Run the relevant tests for the part of the code you're interested in.
-        #    For the reference coverage measurement, see
-        #    tests/scripts/basic-build-test.sh
-        # 3. Run scripts/lcov.sh to generate an HTML report.
-        ADD_CUSTOM_TARGET(lcov
-            COMMAND ${MBEDTLS_DIR}/scripts/lcov.sh
-        )
-
-        ADD_CUSTOM_TARGET(memcheck
-            COMMAND sed -i.bak s+/usr/bin/valgrind+`which valgrind`+ DartConfiguration.tcl
-            COMMAND ctest -O memcheck.log -D ExperimentalMemCheck
-            COMMAND tail -n1 memcheck.log | grep 'Memory checking results:' > /dev/null
-            COMMAND rm -f memcheck.log
-            COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
-        )
-    endif(UNIX)
-
-    # Make scripts needed for testing available in an out-of-source build.
-    if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
-        link_to_source(scripts)
-        # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
-        # keep things simple with the sed commands in the memcheck target.
-        configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
-                    ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
-    endif()
-endif()
-
-if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
-    configure_package_config_file(
-        "cmake/TF-PSA-CryptoConfig.cmake.in"
-        "cmake/TF-PSA-CryptoConfig.cmake"
-            INSTALL_DESTINATION "cmake")
-
-    write_basic_package_version_file(
-        "cmake/TF-PSA-CryptoConfigVersion.cmake"
-            COMPATIBILITY SameMajorVersion
-            VERSION 0.1.0)
-
-    install(
-        FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfig.cmake"
-              "${CMAKE_CURRENT_BINARY_DIR}/cmake/TF-PSA-CryptoConfigVersion.cmake"
-        DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto")
-
-    export(
-        EXPORT MbedTLSTargets
-        NAMESPACE TF-PSA-Crypto::
-        FILE "cmake/TF-PSA-CryptoTargets.cmake")
-
-    install(
-        EXPORT MbedTLSTargets
-        NAMESPACE TF-PSA-Crypto::
-        DESTINATION "${CMAKE_INSTALL_LIBDIR}/cmake/TF-PSA-Crypto"
-        FILE "TF-PSA-CryptoTargets.cmake")
-
-    if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
-        # Do not export the package by default
-        cmake_policy(SET CMP0090 NEW)
-
-        # Make this package visible to the system
-        export(PACKAGE TF-PSA-Crypto)
-    endif()
-endif()
diff --git a/tf-psa-crypto/core/CMakeLists.txt b/tf-psa-crypto/core/CMakeLists.txt
index 1264acf33e..3e4092c1ae 100644
--- a/tf-psa-crypto/core/CMakeLists.txt
+++ b/tf-psa-crypto/core/CMakeLists.txt
@@ -68,66 +68,66 @@ if (NOT USE_STATIC_TF_PSA_CRYPTO_LIBRARY AND NOT USE_SHARED_TF_PSA_CRYPTO_LIBRAR
     message(FATAL_ERROR "Need to choose static or shared TF-PSA-Crypto build!")
 endif(NOT USE_STATIC_TF_PSA_CRYPTO_LIBRARY AND NOT USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
 
-set(mbedcrypto_target "${TF_PSA_CRYPTO_TARGET_PREFIX}mbedcrypto")
+set(tfpsacrypto_target "${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto")
 set(builtin_target "${TF_PSA_CRYPTO_TARGET_PREFIX}builtin")
 
 if (USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
-    set(mbedcrypto_static_target ${mbedcrypto_target})
+    set(tfpsacrypto_static_target ${tfpsacrypto_target})
     set(builtin_static_target ${builtin_target})
 endif()
 
-set(target_libraries ${mbedcrypto_target})
+set(target_libraries ${tfpsacrypto_target})
 
 if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY AND USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
-    string(APPEND mbedcrypto_static_target "_static")
+    string(APPEND tfpsacrypto_static_target "_static")
     string(APPEND builtin_static_target "_static")
 
     list(APPEND target_libraries
-        ${mbedcrypto_static_target})
+        ${tfpsacrypto_static_target})
 endif()
 
 set(p256m_target "${TF_PSA_CRYPTO_TARGET_PREFIX}p256m")
 set(everest_target "${TF_PSA_CRYPTO_TARGET_PREFIX}everest")
 
 if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
-    add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
-    set_base_compile_options(${mbedcrypto_static_target})
-    target_compile_options(${mbedcrypto_static_target} PRIVATE ${LIBS_C_FLAGS})
-    set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
-    target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
+    add_library(${tfpsacrypto_static_target} STATIC ${src_crypto})
+    set_base_compile_options(${tfpsacrypto_static_target})
+    target_compile_options(${tfpsacrypto_static_target} PRIVATE ${LIBS_C_FLAGS})
+    set_target_properties(${tfpsacrypto_static_target} PROPERTIES OUTPUT_NAME tfpsacrypto)
+    target_link_libraries(${tfpsacrypto_static_target} PUBLIC ${libs})
 
-    target_link_libraries(${mbedcrypto_static_target} PUBLIC ${builtin_static_target})
+    target_link_libraries(${tfpsacrypto_static_target} PUBLIC ${builtin_static_target})
 
     if(TARGET ${everest_target})
-        target_link_libraries(${mbedcrypto_static_target} PUBLIC ${everest_target})
+        target_link_libraries(${tfpsacrypto_static_target} PUBLIC ${everest_target})
     endif()
 
     if(TARGET ${p256m_target})
-        target_link_libraries(${mbedcrypto_static_target} PUBLIC ${p256m_target})
+        target_link_libraries(${tfpsacrypto_static_target} PUBLIC ${p256m_target})
     endif()
 endif(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
 
 if(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
     set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
-    add_library(${mbedcrypto_target} SHARED ${src_crypto})
-    set_base_compile_options(${mbedcrypto_target})
-    target_compile_options(${mbedcrypto_static_target} PRIVATE ${LIBS_C_FLAGS})
-    set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 4.0.0 SOVERSION 16)
-    target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
+    add_library(${tfpsacrypto_target} SHARED ${src_crypto})
+    set_base_compile_options(${tfpsacrypto_target})
+    target_compile_options(${tfpsacrypto_target} PRIVATE ${LIBS_C_FLAGS})
+    set_target_properties(${tfpsacrypto_target} PROPERTIES VERSION 4.0.0 SOVERSION 16)
+    target_link_libraries(${tfpsacrypto_target} PUBLIC ${libs})
 
-    target_link_libraries(${mbedcrypto_target} PUBLIC ${builtin_target})
+    target_link_libraries(${tfpsacrypto_target} PUBLIC ${builtin_target})
 
     if(TARGET ${everest_target})
-        target_link_libraries(${mbedcrypto_target} PUBLIC ${everest_target})
+        target_link_libraries(${tfpsacrypto_target} PUBLIC ${everest_target})
     endif()
 
     if(TARGET ${p256m_target})
-        target_link_libraries(${mbedcrypto_target} PUBLIC ${p256m_target})
+        target_link_libraries(${tfpsacrypto_target} PUBLIC ${p256m_target})
     endif()
 endif(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
 
 foreach(target IN LISTS target_libraries)
-    add_library(MbedTLS::${target} ALIAS ${target})  # add_subdirectory support
+    add_library(TF-PSA-Crypto::${target} ALIAS ${target})  # add_subdirectory support
     # Include public header files include/, drivers/builtin/include/ and
     # ${MBEDTLS_DIR}/include/ as we still need it. Include private header files
     # from core/ and drivers/builtin/src/.
@@ -140,15 +140,7 @@ foreach(target IN LISTS target_libraries)
                 ${TF_PSA_CRYPTO_DIR}/drivers/builtin/src
                 # Needed to include psa_crypto_driver_wrappers.h
                 ${CMAKE_CURRENT_BINARY_DIR})
-    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-    if(MBEDTLS_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-    endif()
-    if(MBEDTLS_USER_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-    endif()
+    set_config_files_compile_definitions(${target})
     install(
         TARGETS ${target}
         EXPORT MbedTLSTargets
@@ -156,27 +148,11 @@ foreach(target IN LISTS target_libraries)
         LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
         RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
         PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+    install(
+        TARGETS ${target}
+        EXPORT TF-PSA-CryptoTargets
+        ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+        PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
 endforeach(target)
-
-if(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
-    add_custom_command(
-        TARGET ${mbedcrypto_static_target}
-        POST_BUILD
-        COMMAND ${CMAKE_COMMAND}
-        ARGS -E copy $<TARGET_FILE:${mbedcrypto_static_target}> ${CMAKE_BINARY_DIR}/library)
-endif(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
-
-if(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
-    add_custom_command(
-        TARGET ${mbedcrypto_target}
-        POST_BUILD
-        COMMAND ${CMAKE_COMMAND}
-        ARGS -E copy $<TARGET_FILE:${mbedcrypto_target}>
-        ${CMAKE_BINARY_DIR}/library/$<TARGET_FILE_NAME:${mbedcrypto_target}>)
-    add_custom_command(
-        TARGET ${mbedcrypto_target}
-        POST_BUILD
-        COMMAND ${CMAKE_COMMAND}
-        ARGS -E copy $<TARGET_LINKER_FILE:${mbedcrypto_target}>
-        ${CMAKE_BINARY_DIR}/library/$<TARGET_LINKER_FILE_NAME:${mbedcrypto_target}>)
-endif(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
diff --git a/tf-psa-crypto/drivers/builtin/CMakeLists.txt b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
index dd1a1130fe..983e050199 100644
--- a/tf-psa-crypto/drivers/builtin/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
@@ -69,7 +69,7 @@ endif(USE_STATIC_TF_PSA_CRYPTO_LIBRARY)
 if(USE_SHARED_TF_PSA_CRYPTO_LIBRARY)
     add_library(${builtin_target} SHARED ${src_builtin})
     set_base_compile_options(${builtin_target})
-    target_compile_options(${builtin_static_target} PRIVATE ${LIBS_C_FLAGS})
+    target_compile_options(${builtin_target} PRIVATE ${LIBS_C_FLAGS})
     target_link_libraries(${builtin_target} PUBLIC ${libs})
     if(TARGET ${everest_target})
         target_link_libraries(${builtin_target} PUBLIC ${everest_target})
@@ -87,19 +87,7 @@ foreach (target IN LISTS target_libraries)
              $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
              $<BUILD_INTERFACE:${TF_PSA_CRYPTO_DIR}/include>
       PRIVATE ${TF_PSA_CRYPTO_DIR}/core)
-
-    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-    # This must be duplicated from library/CMakeLists.txt because
-    # everest is not directly linked against any mbedtls targets
-    # so does not inherit the compile definitions.
-    if(MBEDTLS_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-    endif()
-    if(MBEDTLS_USER_CONFIG_FILE)
-        target_compile_definitions(${target}
-            PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-    endif()
+    set_config_files_compile_definitions(${target})
 
     if(INSTALL_TF_PSA_CRYPTO_HEADERS)
 
@@ -113,7 +101,12 @@ foreach (target IN LISTS target_libraries)
     endif(INSTALL_TF_PSA_CRYPTO_HEADERS)
 
     install(TARGETS ${target}
-    EXPORT MbedTLSTargets
-    DESTINATION ${CMAKE_INSTALL_LIBDIR}
-    PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+      EXPORT MbedTLSTargets
+      DESTINATION ${CMAKE_INSTALL_LIBDIR}
+      PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+
+    install(TARGETS ${target}
+      EXPORT TF-PSA-CryptoTargets
+      DESTINATION ${CMAKE_INSTALL_LIBDIR}
+      PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
 endforeach(target)
diff --git a/tf-psa-crypto/drivers/everest/CMakeLists.txt b/tf-psa-crypto/drivers/everest/CMakeLists.txt
index 5671200387..8c7b7c155f 100644
--- a/tf-psa-crypto/drivers/everest/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/everest/CMakeLists.txt
@@ -16,19 +16,7 @@ target_include_directories(${everest_target}
           include/everest/kremlib
           ${MBEDTLS_DIR}/library
           ${TF_PSA_CRYPTO_DIR}/core)
-
-# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-# This must be duplicated from library/CMakeLists.txt because
-# everest is not directly linked against any mbedtls targets
-# so does not inherit the compile definitions.
-if(MBEDTLS_CONFIG_FILE)
-    target_compile_definitions(${everest_target}
-        PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-endif()
-if(MBEDTLS_USER_CONFIG_FILE)
-    target_compile_definitions(${everest_target}
-        PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-endif()
+set_config_files_compile_definitions(${everest_target})
 
 if(INSTALL_TF_PSA_CRYPTO_HEADERS)
 
@@ -44,3 +32,8 @@ install(TARGETS ${everest_target}
   EXPORT MbedTLSTargets
   DESTINATION ${CMAKE_INSTALL_LIBDIR}
   PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+
+install(TARGETS ${everest_target}
+  EXPORT TF-PSA-CryptoTargets
+  DESTINATION ${CMAKE_INSTALL_LIBDIR}
+  PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/tf-psa-crypto/drivers/p256-m/CMakeLists.txt b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
index ae44123ca9..3e62627e8c 100644
--- a/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/p256-m/CMakeLists.txt
@@ -16,19 +16,7 @@ target_include_directories(${p256m_target}
          $<INSTALL_INTERFACE:include>
   PRIVATE ${MBEDTLS_DIR}/library/
           ${TF_PSA_CRYPTO_DIR}/core)
-
-# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
-# This must be duplicated from library/CMakeLists.txt because
-# p256m is not directly linked against any mbedtls targets
-# so does not inherit the compile definitions.
-if(MBEDTLS_CONFIG_FILE)
-    target_compile_definitions(${p256m_target}
-        PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
-endif()
-if(MBEDTLS_USER_CONFIG_FILE)
-    target_compile_definitions(${p256m_target}
-        PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
-endif()
+set_config_files_compile_definitions(${p256m_target})
 
 if(INSTALL_TF_PSA_CRYPTO_HEADERS)
 
@@ -44,3 +32,8 @@ install(TARGETS ${p256m_target}
   EXPORT MbedTLSTargets
   DESTINATION ${CMAKE_INSTALL_LIBDIR}
   PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+
+install(TARGETS ${p256m_target}
+  EXPORT TF-PSA-CryptoTargets
+  DESTINATION ${CMAKE_INSTALL_LIBDIR}
+  PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
diff --git a/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in b/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in
index 2d130ea658..28b9716b64 100644
--- a/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in
+++ b/tf-psa-crypto/pkgconfig/tfpsacrypto.pc.in
@@ -7,4 +7,4 @@ Description: @PKGCONFIG_PROJECT_DESCRIPTION@
 URL: @PKGCONFIG_PROJECT_HOMEPAGE_URL@
 Version: @PROJECT_VERSION@
 Cflags: -I"${includedir}"
-Libs: -L"${libdir}" -lmbedcrypto -lbuiltin -leverest -lp256m
+Libs: -L"${libdir}" -ltfpsacrypto -lbuiltin -leverest -lp256m
diff --git a/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt b/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt
index 20b7322d12..3ca548fb32 100644
--- a/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt
+++ b/tf-psa-crypto/programs/test/cmake_package/CMakeLists.txt
@@ -32,4 +32,4 @@ find_package(TF-PSA-Crypto REQUIRED)
 #
 
 add_executable(cmake_package cmake_package.c)
-target_link_libraries(cmake_package TF-PSA-Crypto::mbedcrypto)
+target_link_libraries(cmake_package TF-PSA-Crypto::tfpsacrypto)
diff --git a/tf-psa-crypto/programs/test/cmake_subproject/.gitignore b/tf-psa-crypto/programs/test/cmake_subproject/.gitignore
new file mode 100644
index 0000000000..464833b932
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_subproject/.gitignore
@@ -0,0 +1,3 @@
+build
+Makefile
+cmake_subproject
diff --git a/tf-psa-crypto/programs/test/cmake_subproject/CMakeLists.txt b/tf-psa-crypto/programs/test/cmake_subproject/CMakeLists.txt
new file mode 100644
index 0000000000..d0c9aafaed
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_subproject/CMakeLists.txt
@@ -0,0 +1,18 @@
+cmake_minimum_required(VERSION 3.5.1)
+
+# Test the target renaming support by adding a prefix to the targets built
+set(TF_PSA_CRYPTO_TARGET_PREFIX subproject_test_)
+
+# We use the parent TF-PSA-Crypto directory as the TF_PSA_CRYPTO_DIR for this
+# test. Other projects that use TF-PSA-Crypto as a subproject are likely to
+# add by their own relative paths.
+set(TF_PSA_CRYPTO_DIR ../../../)
+
+# Add TF-PSA-Crypto as a subdirectory.
+add_subdirectory(${TF_PSA_CRYPTO_DIR} build)
+
+# Link against all the TF-PSA-Crypto library. Verifies that the target has been
+# created using the specified prefix
+
+add_executable(cmake_subproject cmake_subproject.c)
+target_link_libraries(cmake_subproject subproject_test_tfpsacrypto ${CMAKE_THREAD_LIBS_INIT})
diff --git a/tf-psa-crypto/programs/test/cmake_subproject/cmake_subproject.c b/tf-psa-crypto/programs/test/cmake_subproject/cmake_subproject.c
new file mode 100644
index 0000000000..d82f0acd84
--- /dev/null
+++ b/tf-psa-crypto/programs/test/cmake_subproject/cmake_subproject.c
@@ -0,0 +1,19 @@
+/*
+ *  Simple program to test that CMake builds with TF-PSA-Crypto as a
+ *  subdirectory work correctly.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <psa/crypto.h>
+
+/* The main reason to build this is for testing the CMake build, so the program
+ * doesn't need to do very much. It calls a PSA cryptography API to ensure
+ * linkage works, but that is all. */
+int main()
+{
+    psa_crypto_init();
+
+    return 0;
+}
diff --git a/tf-psa-crypto/programs/test/cmake_subproject/framework/.gitignore b/tf-psa-crypto/programs/test/cmake_subproject/framework/.gitignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tf-psa-crypto/tests/CMakeLists.txt b/tf-psa-crypto/tests/CMakeLists.txt
index 0793dbe35f..75fcace8de 100644
--- a/tf-psa-crypto/tests/CMakeLists.txt
+++ b/tf-psa-crypto/tests/CMakeLists.txt
@@ -1,5 +1,5 @@
 set(libs
-    ${mbedcrypto_target}
+    ${tfpsacrypto_target}
     ${CMAKE_THREAD_LIBS_INIT}
 )
 
@@ -287,13 +287,13 @@ function(add_test_suite suite_name)
             ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
             ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function
             ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function
-            ${mbedcrypto_target}
+            ${tfpsacrypto_target}
         BYPRODUCTS
             test_suite_${data_name}.datax
     )
 
     add_executable(test_suite_${data_name} test_suite_${data_name}.c
-                   $<TARGET_OBJECTS:mbedtls_test>)
+                   $<TARGET_OBJECTS:tf_psa_crypto_test>)
     set_base_compile_options(test_suite_${data_name})
     target_compile_options(test_suite_${data_name} PRIVATE ${TEST_C_FLAGS})
     add_dependencies(test_suite_${data_name} ${dependency})
diff --git a/tf-psa-crypto/tests/scripts/components-build-system.sh b/tf-psa-crypto/tests/scripts/components-build-system.sh
index 957e23a4fc..5de9dc7876 100644
--- a/tf-psa-crypto/tests/scripts/components-build-system.sh
+++ b/tf-psa-crypto/tests/scripts/components-build-system.sh
@@ -9,7 +9,7 @@
 #### Build System Testing
 ################################################################
 
-component_test_cmake_tf_psa_crypto_out_of_source () {
+component_test_tf_psa_crypto_cmake_out_of_source () {
     msg "build: cmake tf-psa-crypto 'out-of-source' build"
     TF_PSA_CRYPTO_ROOT_DIR="$PWD"
     mkdir "$OUT_OF_SOURCE_DIR"
@@ -22,3 +22,12 @@ component_test_cmake_tf_psa_crypto_out_of_source () {
     cd "$TF_PSA_CRYPTO_ROOT_DIR"
     rm -rf "$OUT_OF_SOURCE_DIR"
 }
+
+component_test_tf_psa_crypto_cmake_as_subdirectory () {
+    msg "build: cmake 'as-subdirectory' build"
+    cd programs/test/cmake_subproject
+    # Note: Explicitly generate files as these are turned off in releases
+    cmake -D GEN_FILES=ON .
+    make
+    ./cmake_subproject
+}