Merge pull request #9340 from ronald-cron-arm/move-mbedtls-crypto-modules

Move mbedtls crypto modules
2025-05-13 18:29:52 +08:00 · 2024-07-10 14:02:42 +00:00 · 2024-07-10 14:02:42 +00:00 · 1004c9cacb
commit 1004c9cacb
parent fe3ad99af3 1992c9122f
200 changed files with 973 additions and 421 deletions
--- a/3rdparty/Makefile.inc
+++ b/3rdparty/Makefile.inc
@ -1,3 +0,0 @@
 THIRDPARTY_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
 include $(THIRDPARTY_DIR)/everest/Makefile.inc
 include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -294,12 +294,10 @@ add_subdirectory(framework)
 add_subdirectory(include)
-add_subdirectory(3rdparty)
+add_subdirectory(tf-psa-crypto)
 add_subdirectory(library)
 add_subdirectory(tf-psa-crypto)
 add_subdirectory(pkgconfig)
 #
@ -357,7 +355,9 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
+        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src)
    # Request C11, needed for memory poisoning tests
    set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)
@ -370,7 +370,9 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/everest/include)
+        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include)
    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
    if(MBEDTLS_CONFIG_FILE)
--- a/19
+++ b/19
@ -200,12 +200,18 @@ endif
 ## Editor navigation files
 C_SOURCE_FILES = $(wildcard \
 	3rdparty/*/include/*/*.h 3rdparty/*/include/*/*/*.h 3rdparty/*/include/*/*/*/*.h \
 	3rdparty/*/*.c 3rdparty/*/*/*.c 3rdparty/*/*/*/*.c 3rdparty/*/*/*/*/*.c \
 	include/*/*.h \
 	library/*.[hc] \
 	tf-psa-crypto/core/*.[hc] \
 	tf-psa-crypto/include/*/*.h \
-	tf-psa-crypto/drivers/builtin/include/*/*.h \
+	tf-psa-crypto/drivers/*/include/*/*.h \
 	tf-psa-crypto/drivers/*/include/*/*/*.h \
 	tf-psa-crypto/drivers/*/include/*/*/*/*.h \
 	tf-psa-crypto/drivers/builtin/src/*.[hc] \
 	tf-psa-crypto/drivers/*/*.c \
 	tf-psa-crypto/drivers/*/*/*.c \
 	tf-psa-crypto/drivers/*/*/*/*.c \
 	tf-psa-crypto/drivers/*/*/*/*/*.c \
 	programs/*/*.[hc] \
 	tests/include/*/*.h tests/include/*/*/*.h \
 	tests/src/*.c tests/src/*/*.c \
@ -222,7 +228,8 @@ GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
 	ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc
 cscope: cscope.in.out cscope.po.out cscope.out
 cscope.in.out cscope.po.out cscope.out: $(C_SOURCE_FILES)
-	cscope -bq -u -Iinclude -Ilibrary -Itf-psa-crypto/include \
+	cscope -bq -u -Iinclude -Ilibrary -Itf-psa-crypto/core \
-	-Itf-psa-crypto/drivers/builtin/include \
+        -Itf-psa-crypto/include \
-	$(patsubst %,-I%,$(wildcard 3rdparty/*/include)) -Itests/include $(C_SOURCE_FILES)
+	-Itf-psa-crypto/drivers/builtin/src \
 	$(patsubst %,-I%,$(wildcard tf-psa-crypto/drivers/*/include)) -Itests/include $(C_SOURCE_FILES)
 .PHONY: cscope global
--- a/README.md
+++ b/README.md
@ -315,10 +315,10 @@ Unless specifically indicated otherwise in a file, Mbed TLS files are provided u
 ### Third-party code included in Mbed TLS
-This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
+This project contains code from other projects. This code is located within the `tf-psa-crypto/drivers/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
-* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
+* `drivers/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
-* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
+* `drivers/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
 Contributing
 ------------
--- a/docs/psa-driver-example-and-guide.md
+++ b/docs/psa-driver-example-and-guide.md
@ -138,7 +138,7 @@ This guide assumes you are building Mbed TLS from source alongside your project.
 ### Example: Manually integrating a software accelerator alongside Mbed TLS
-[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `3rdparty/p256-m`. In this section, we will look at how this integration was done.
+[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `drivers/p256-m`. In this section, we will look at how this integration was done.
 The Mbed TLS build system includes the instructions needed to build p256-m. To build with and use p256-m, set the macro `MBEDTLS_PSA_P256M_DRIVER_ENABLED` using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run:
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 8853c8471200e62448413d1f40d6801a19796a83
+Subproject commit 9eeacb7125d6630a11e29d8a7aab5873b3638b6d
--- a/library/.gitignore
+++ b/library/.gitignore
@ -6,6 +6,4 @@ libmbed*
 /error.c
 /version_features.c
 /ssl_debug_helpers_generated.c
 /psa_crypto_driver_wrappers.h
 /psa_crypto_driver_wrappers_no_static.c
 ###END_GENERATED_FILES###
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@ -10,87 +10,90 @@ if(NOT DEFINED MBEDTLS_DIR)
    set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
 endif()
 set(TF_PSA_CRYPTO_CORE_DIR ../tf-psa-crypto/core)
 set(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR ../tf-psa-crypto/drivers/builtin/src)
 set(src_crypto
-    aes.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aes.c
-    aesni.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesni.c
-    aesce.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesce.c
-    aria.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aria.c
-    asn1parse.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1parse.c
-    asn1write.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1write.c
-    base64.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/base64.c
-    bignum.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum.c
-    bignum_core.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_core.c
-    bignum_mod.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod.c
-    bignum_mod_raw.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod_raw.c
-    block_cipher.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/block_cipher.c
-    camellia.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/camellia.c
-    ccm.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ccm.c
-    chacha20.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chacha20.c
-    chachapoly.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chachapoly.c
-    cipher.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher.c
-    cipher_wrap.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher_wrap.c
-    constant_time.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/constant_time.c
-    cmac.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cmac.c
-    ctr_drbg.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ctr_drbg.c
-    des.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/des.c
-    dhm.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/dhm.c
-    ecdh.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdh.c
-    ecdsa.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdsa.c
-    ecjpake.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecjpake.c
-    ecp.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp.c
-    ecp_curves.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves.c
-    ecp_curves_new.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves_new.c
-    entropy.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy.c
-    entropy_poll.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy_poll.c
-    error.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
-    gcm.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/gcm.c
-    hkdf.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hkdf.c
-    hmac_drbg.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hmac_drbg.c
-    lmots.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lmots.c
-    lms.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lms.c
-    md.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md.c
-    md5.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md5.c
-    memory_buffer_alloc.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/memory_buffer_alloc.c
-    nist_kw.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/nist_kw.c
-    oid.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/oid.c
-    pem.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pem.c
-    pk.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk.c
-    pk_ecc.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_ecc.c
-    pk_wrap.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_wrap.c
-    pkcs12.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs12.c
-    pkcs5.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs5.c
-    pkparse.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkparse.c
-    pkwrite.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkwrite.c
-    platform.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform.c
-    platform_util.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform_util.c
-    poly1305.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/poly1305.c
-    psa_crypto.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto.c
-    psa_crypto_aead.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_aead.c
-    psa_crypto_cipher.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_cipher.c
-    psa_crypto_client.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_client.c
-    psa_crypto_driver_wrappers_no_static.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
-    psa_crypto_ecp.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ecp.c
-    psa_crypto_ffdh.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ffdh.c
-    psa_crypto_hash.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_hash.c
-    psa_crypto_mac.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_mac.c
-    psa_crypto_pake.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_pake.c
-    psa_crypto_rsa.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_rsa.c
-    psa_crypto_se.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_se.c
-    psa_crypto_slot_management.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_slot_management.c
-    psa_crypto_storage.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_storage.c
-    psa_its_file.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_its_file.c
-    psa_util.c
+    ${TF_PSA_CRYPTO_CORE_DIR}/psa_util.c
-    ripemd160.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ripemd160.c
-    rsa.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa.c
-    rsa_alt_helpers.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa_alt_helpers.c
-    sha1.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha1.c
-    sha256.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha256.c
-    sha512.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha512.c
-    sha3.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha3.c
-    threading.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/threading.c
-    timing.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/timing.c
-    version.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version.c
-    version_features.c
+    ${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
 )
 set(src_x509
@ -133,14 +136,14 @@ if(GEN_FILES)
    file(GLOB tls_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h)
    add_custom_command(
        OUTPUT
-            ${CMAKE_CURRENT_BINARY_DIR}/error.c
+            ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
        COMMAND
            ${PERL_EXECUTABLE}
                ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
                ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/include/mbedtls
                ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
                ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
-                ${CMAKE_CURRENT_BINARY_DIR}/error.c
+                ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
        DEPENDS
            ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
            ${crypto_error_headers}
@ -150,13 +153,13 @@ if(GEN_FILES)
    add_custom_command(
        OUTPUT
-            ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+            ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
        COMMAND
            ${PERL_EXECUTABLE}
                ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
                ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
                ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
-                ${CMAKE_CURRENT_BINARY_DIR}/version_features.c
+                ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
        DEPENDS
            ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
            ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h
@ -178,24 +181,23 @@ if(GEN_FILES)
    add_custom_command(
        OUTPUT
-            ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers.h
+            ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h
-            ${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers_no_static.c
+            ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
        COMMAND
            ${MBEDTLS_PYTHON_EXECUTABLE}
                ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
-                ${CMAKE_CURRENT_BINARY_DIR}
+                ${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}
        DEPENDS
            ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
            ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
            ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
    )
 else()
-    link_to_source(error.c)
+    link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c)
-    link_to_source(version_features.c)
+    link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c)
    link_to_source(ssl_debug_helpers_generated.c)
-    link_to_source(psa_crypto_driver_wrappers_no_static.c)
+    link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h)
    link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c)
 endif()
 if(CMAKE_COMPILER_IS_GNUCC)
@ -324,19 +326,19 @@ endif(USE_SHARED_MBEDTLS_LIBRARY)
 foreach(target IN LISTS target_libraries)
    add_library(MbedTLS::${target} ALIAS ${target})  # add_subdirectory support
-    # Include public header files from /include and other directories
+    # Include public header files from /include, /tf-psa-crypto/include/ and
-    # declared by /3rdparty/**/CMakeLists.txt. Include private header files
+    # tf-psa-crypto/drivers/builtin/include/. Include private header files
-    # from /library and others declared by /3rdparty/**/CMakeLists.txt.
+    # from /library, tf-psa-crypto/core/ and tf-psa-crypto/drivers/builtin/src/.
    # /library needs to be listed explicitly when building .c files outside
    # of /library (which currently means: under /3rdparty).
    target_include_directories(${target}
        PUBLIC $<BUILD_INTERFACE:${MBEDTLS_DIR}/include/>
               $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/include/>
               $<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include/>
               $<INSTALL_INTERFACE:include/>
        PRIVATE ${MBEDTLS_DIR}/library/
                ${MBEDTLS_DIR}/tf-psa-crypto/core
                ${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src
                # Needed to include psa_crypto_driver_wrappers.h
-                ${CMAKE_CURRENT_BINARY_DIR})
+                ${CMAKE_CURRENT_BINARY_DIR}/../tf-psa-crypto/core)
    # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
    if(MBEDTLS_CONFIG_FILE)
        target_compile_definitions(${target}
--- a/library/Makefile
+++ b/library/Makefile
@ -2,11 +2,15 @@ ifndef MBEDTLS_PATH
 MBEDTLS_PATH := ..
 endif
 TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core
 TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
 GENERATED_FILES := \
-	error.c version_features.c \
+	$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c \
        $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c \
 	ssl_debug_helpers_generated.c \
-	psa_crypto_driver_wrappers.h \
+	$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
-	psa_crypto_driver_wrappers_no_static.c
+	$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
 ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
    ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
@ -29,11 +33,12 @@ WARNING_CFLAGS ?=  -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
 LDFLAGS ?=
 # Include ../include, ../tf-psa-crypto/include and
-# ../tf-psa-crypto/drivers/builtin/include for public headers and . for
+# ../tf-psa-crypto/drivers/builtin/include for public headers and .,
-# private headers. Note that . needs to be included explicitly for the sake of
+# ../tf-psa-crypto/core and ../tf-psa-crypto/drivers/builtin/src for
-# library files that are not in the /library directory (which currently means
+# private headers.
-# under /3rdparty).
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../tf-psa-crypto/core \
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -I../tf-psa-crypto/include \
+               -I../tf-psa-crypto/drivers/builtin/src \
               -I../include -I../tf-psa-crypto/include \
               -I../tf-psa-crypto/drivers/builtin/include -D_FILE_OFFSET_BITS=64
 LOCAL_LDFLAGS =
@ -105,89 +110,91 @@ endif
 endif
 OBJS_CRYPTO= \
-	     aes.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
-	     aesni.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_aead.o \
-	     aesce.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_cipher.o \
-	     aria.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
-	     asn1parse.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
-	     asn1write.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ecp.o \
-	     base64.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ffdh.o \
-	     bignum.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_hash.o \
-	     bignum_core.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_mac.o \
-	     bignum_mod.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_pake.o \
-	     bignum_mod_raw.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_rsa.o \
-	     block_cipher.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_se.o \
-	     camellia.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
-	     ccm.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
-	     chacha20.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
-	     chachapoly.o \
+	     $(TF_PSA_CRYPTO_CORE_PATH)/psa_util.o \
-	     cipher.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aes.o \
-	     cipher_wrap.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesni.o \
-	     cmac.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesce.o \
-	     constant_time.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aria.o \
-	     ctr_drbg.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1parse.o \
-	     des.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1write.o \
-	     dhm.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/base64.o \
-	     ecdh.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum.o \
-	     ecdsa.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_core.o \
-	     ecjpake.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod.o \
-	     ecp.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod_raw.o \
-	     ecp_curves.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/block_cipher.o \
-	     ecp_curves_new.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/camellia.o \
-	     entropy.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ccm.o \
-	     entropy_poll.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chacha20.o \
-	     error.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chachapoly.o \
-	     gcm.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher.o \
-	     hkdf.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher_wrap.o \
-	     hmac_drbg.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cmac.o \
-	     lmots.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
-	     lms.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
-	     md.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
-	     md5.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
-	     memory_buffer_alloc.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
-	     nist_kw.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
-	     oid.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \
-	     pem.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp.o \
-	     pk.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves.o \
-	     pk_ecc.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves_new.o \
-	     pk_wrap.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy.o \
-	     pkcs12.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy_poll.o \
-	     pkcs5.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.o \
-	     pkparse.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/gcm.o \
-	     pkwrite.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hkdf.o \
-	     platform.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hmac_drbg.o \
-	     platform_util.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lmots.o \
-	     poly1305.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lms.o \
-	     psa_crypto.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md.o \
-	     psa_crypto_aead.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md5.o \
-	     psa_crypto_cipher.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/memory_buffer_alloc.o \
-	     psa_crypto_client.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/nist_kw.o \
-	     psa_crypto_driver_wrappers_no_static.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/oid.o \
-	     psa_crypto_ecp.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pem.o \
-	     psa_crypto_ffdh.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk.o \
-	     psa_crypto_hash.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_ecc.o \
-	     psa_crypto_mac.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_wrap.o \
-	     psa_crypto_pake.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs12.o \
-	     psa_crypto_rsa.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs5.o \
-	     psa_crypto_se.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkparse.o \
-	     psa_crypto_slot_management.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkwrite.o \
-	     psa_crypto_storage.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform.o \
-	     psa_its_file.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform_util.o \
-	     psa_util.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/poly1305.o \
-	     ripemd160.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ripemd160.o \
-	     rsa.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa.o \
-	     rsa_alt_helpers.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa_alt_helpers.o \
-	     sha1.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha1.o \
-	     sha256.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha256.o \
-	     sha512.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha512.o \
-	     sha3.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha3.o \
-	     threading.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/threading.o \
-	     timing.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/timing.o \
-	     version.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version.o \
-	     version_features.o \
+	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.o \
 	     # This line is intentionally left blank
-include ../3rdparty/Makefile.inc
+THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers
 include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/everest/Makefile.inc
 include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/p256-m/Makefile.inc
 LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
@ -349,10 +356,10 @@ else
 gen_file_dep = |
 endif
-error.c: $(gen_file_dep) ../scripts/generate_errors.pl
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/generate_errors.pl
-error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
-error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
-error.c:
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c:
 	echo "  Gen   $@"
 	$(PERL) ../scripts/generate_errors.pl
@ -362,33 +369,34 @@ ssl_debug_helpers_generated.c:
 	echo "  Gen   $@"
 	$(PYTHON) ../scripts/generate_ssl_debug_helpers.py --mbedtls-root .. .
-version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
-version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
 ## The generated file only depends on the options that are present in mbedtls_config.h,
 ## not on which options are set. To avoid regenerating this file all the time
 ## when switching between configurations, don't declare mbedtls_config.h as a
 ## dependency. Remove this file from your working tree if you've just added or
 ## removed an option in mbedtls_config.h.
 #version_features.c: ../include/mbedtls/mbedtls_config.h
-version_features.c:
+$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c:
 	echo "  Gen   $@"
 	$(PERL) ../scripts/generate_features.pl
 GENERATED_WRAPPER_FILES = \
-                    psa_crypto_driver_wrappers.h \
+                    $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
-                    psa_crypto_driver_wrappers_no_static.c
+                    $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
 $(GENERATED_WRAPPER_FILES): ../scripts/generate_driver_wrappers.py
 $(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
 $(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
 $(GENERATED_WRAPPER_FILES):
 	echo "  Gen   $(GENERATED_WRAPPER_FILES)"
-	$(PYTHON) ../scripts/generate_driver_wrappers.py
+	$(PYTHON) ../scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
-psa_crypto.o:psa_crypto_driver_wrappers.h
+$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
 clean:
 ifndef WINDOWS
 	rm -f *.o libmbed*
 	rm -f $(OBJS_CRYPTO)
 	rm -f $(THIRDPARTY_CRYPTO_OBJECTS)
 else
 	if exist *.o del /Q /F *.o
--- a/programs/Makefile
+++ b/programs/Makefile
@ -356,7 +356,7 @@ endif
 test/metatest$(EXEXT): test/metatest.c $(DEP)
 	echo "  CC    test/metatest.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I ../library test/metatest.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core test/metatest.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 test/query_config.o: test/query_config.c test/query_config.h $(DEP)
 	echo "  CC    test/query_config.c"
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@ -78,8 +78,11 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
    endif()
    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
        ${extra_sources})
-    target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
+    target_include_directories(${exe}
-    target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library)
+        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
    target_include_directories(${exe}
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library
                ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/core)
    if(exe STREQUAL "query_compile_time_config")
        target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR})
    endif()
--- a/scripts/code_style.py
+++ b/scripts/code_style.py
@ -66,7 +66,7 @@ def get_src_files(since: Optional[str]) -> List[str]:
    that have changed since that commit. Without this argument, list all
    files known to git.
-    Only C files are included, and certain files (generated, or 3rdparty)
+    Only C files are included, and certain files (generated, or third party)
    are excluded.
    """
    file_patterns = ["*.[hc]",
@ -130,7 +130,8 @@ def get_src_files(since: Optional[str]) -> List[str]:
    # companion files in the same subtree), or for automatically
    # generated files (we're correcting the templates instead).
    src_files = [filename for filename in src_files
-                 if not (filename.startswith("3rdparty/") or
+                 if not (filename.startswith("tf-psa-crypto/drivers/everest/") or
                         filename.startswith("tf-psa-crypto/drivers/p256-m/") or
                         filename in generated_files or
                         is_file_autogenerated(filename))]
    return src_files
--- a/scripts/common.make
+++ b/scripts/common.make
@ -44,7 +44,9 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
 		-lmbedcrypto$(SHARED_SUFFIX)
 endif
-include $(MBEDTLS_PATH)/3rdparty/Makefile.inc
+THIRDPARTY_DIR = $(MBEDTLS_PATH)/tf-psa-crypto/drivers
 include $(THIRDPARTY_DIR)/everest/Makefile.inc
 include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
 LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
 ifdef PSASIM
--- a/scripts/data_files/driver_jsons/p256_transparent_driver.json
+++ b/scripts/data_files/driver_jsons/p256_transparent_driver.json
@ -2,7 +2,7 @@
    "prefix":       "p256",
    "type":         "transparent",
    "mbedtls/h_condition":   "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",
-    "headers":      ["../3rdparty/p256-m/p256-m_driver_entrypoints.h"],
+    "headers":      ["../tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h"],
    "capabilities": [
        {
            "mbedtls/c_condition": "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",
--- a/scripts/generate_driver_wrappers.py
+++ b/scripts/generate_driver_wrappers.py
@ -1,6 +1,6 @@
 #!/usr/bin/env python3
-"""Generate library/psa_crypto_driver_wrappers.h
+"""Generate psa_crypto_driver_wrappers.h
-            library/psa_crypto_driver_wrappers_no_static.c
+            psa_crypto_driver_wrappers_no_static.c
   This module is invoked by the build scripts to auto generate the
   psa_crypto_driver_wrappers.h and psa_crypto_driver_wrappers_no_static
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@ -24,7 +24,7 @@ if( @ARGV ) {
    $crypto_include_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
    $tls_include_dir = 'include/mbedtls';
    $data_dir = 'scripts/data_files';
-    $error_file = 'library/error.c';
+    $error_file = 'tf-psa-crypto/drivers/builtin/src/error.c';
    unless( -d $crypto_include_dir && -d $tls_include_dir && -d $data_dir ) {
        chdir '..' or die;
--- a/scripts/generate_features.pl
+++ b/scripts/generate_features.pl
@ -16,7 +16,7 @@ if( @ARGV ) {
 } else {
    $include_dir = 'include/mbedtls';
    $data_dir = 'scripts/data_files';
-    $feature_file = 'library/version_features.c';
+    $feature_file = 'tf-psa-crypto/drivers/builtin/src/version_features.c';
    unless( -d $include_dir && -d $data_dir ) {
        chdir '..' or die;
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@ -25,19 +25,21 @@ my $programs_dir = 'programs';
 my $mbedtls_header_dir = 'include/mbedtls';
 my $drivers_builtin_header_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
 my $psa_header_dir = 'tf-psa-crypto/include/psa';
-my $source_dir = 'library';
+my $tls_source_dir = 'library';
 my $crypto_core_source_dir = 'tf-psa-crypto/core';
 my $crypto_source_dir = 'tf-psa-crypto/drivers/builtin/src';
 my $test_source_dir = 'tests/src';
 my $test_header_dir = 'tests/include/test';
 my $test_drivers_header_dir = 'tests/include/test/drivers';
 my $test_drivers_source_dir = 'tests/src/drivers';
 my @thirdparty_header_dirs = qw(
-    3rdparty/everest/include/everest
+    tf-psa-crypto/drivers/everest/include/everest
 );
 my @thirdparty_source_dirs = qw(
-    3rdparty/everest/library
+    tf-psa-crypto/drivers/everest/library
-    3rdparty/everest/library/kremlib
+    tf-psa-crypto/drivers/everest/library/kremlib
-    3rdparty/everest/library/legacy
+    tf-psa-crypto/drivers/everest/library/legacy
 );
 # Directories to add to the include path.
@ -47,25 +49,27 @@ my @include_directories = qw(
    include
    tf-psa-crypto/include
    tf-psa-crypto/drivers/builtin/include
-    3rdparty/everest/include/
+    tf-psa-crypto/drivers/everest/include/
-    3rdparty/everest/include/everest
+    tf-psa-crypto/drivers/everest/include/everest
-    3rdparty/everest/include/everest/vs2013
+    tf-psa-crypto/drivers/everest/include/everest/vs2013
-    3rdparty/everest/include/everest/kremlib
+    tf-psa-crypto/drivers/everest/include/everest/kremlib
    tests/include
 );
 my $include_directories = join(';', map {"../../$_"} @include_directories);
-# Directories to add to the include path when building the library, but not
+# Directories to add to the include path when building the libraries, but not
 # when building tests or applications.
 my @library_include_directories = qw(
    library
    tf-psa-crypto/core
    tf-psa-crypto/drivers/builtin/src
 );
 my $library_include_directories =
  join(';', map {"../../$_"} (@library_include_directories,
                              @include_directories));
 my @excluded_files = qw(
-    3rdparty/everest/library/Hacl_Curve25519.c
+    tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c
 );
 my %excluded_files = ();
 foreach (@excluded_files) { $excluded_files{$_} = 1 }
@ -106,7 +110,9 @@ sub check_dirs {
        && -d $mbedtls_header_dir
        && -d $drivers_builtin_header_dir
        && -d $psa_header_dir
-        && -d $source_dir
+        && -d $tls_source_dir
        && -d $crypto_core_source_dir
        && -d $crypto_source_dir
        && -d $test_source_dir
        && -d $test_drivers_source_dir
        && -d $test_header_dir
@ -265,12 +271,16 @@ sub main {
                       $psa_header_dir,
                       $test_header_dir,
                       $test_drivers_header_dir,
-                       $source_dir,
+                       $tls_source_dir,
                       $crypto_core_source_dir,
                       $crypto_source_dir,
                       @thirdparty_header_dirs,
                      );
    my @headers = (map { <$_/*.h> } @header_dirs);
    my @source_dirs = (
-                       $source_dir,
+                       $tls_source_dir,
                       $crypto_core_source_dir,
                       $crypto_source_dir,
                       $test_source_dir,
                       $test_drivers_source_dir,
                       @thirdparty_source_dirs,
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -291,7 +291,9 @@ function(add_test_suite suite_name)
    # them as PUBLIC.
    target_include_directories(test_suite_${data_name}
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
-        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library)
+        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/core
        PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/src)
    # Request C11, which is needed for memory poisoning tests
    set_target_properties(test_suite_${data_name} PROPERTIES C_STANDARD 11)
--- a/tests/Makefile
+++ b/tests/Makefile
@ -4,8 +4,8 @@ include ../scripts/common.make
 # Set this to -v to see the details of failing test cases
 TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,)
-# Also include library headers, for the sake of invasive tests.
+# Also include private headers, for the sake of invasive tests.
-LOCAL_CFLAGS += -I../library
+LOCAL_CFLAGS += -I../library -I../tf-psa-crypto/core -I../tf-psa-crypto/drivers/builtin/src
 # Enable definition of various functions used throughout the testsuite
@ -268,17 +268,22 @@ define libtestdriver1_rewrite :=
 	s/\b(?=mbedtls_|psa_)/libtestdriver1_/g;
 endef
 libtestdriver1.a: export MBEDTLS_PATH := $(patsubst ../..//%,/%,../../$(MBEDTLS_PATH))
 libtestdriver1.a:
 	# Copy the library and fake a 3rdparty Makefile include.
 	rm -Rf ./libtestdriver1
 	mkdir ./libtestdriver1
 	mkdir ./libtestdriver1/tf-psa-crypto
 	mkdir ./libtestdriver1/tf-psa-crypto/drivers
 	mkdir ./libtestdriver1/tf-psa-crypto/drivers/everest
 	mkdir ./libtestdriver1/tf-psa-crypto/drivers/p256-m
 	touch ./libtestdriver1/tf-psa-crypto/drivers/everest/Makefile.inc
 	touch ./libtestdriver1/tf-psa-crypto/drivers/p256-m/Makefile.inc
 	cp -Rf ../framework ./libtestdriver1
 	cp -Rf ../library ./libtestdriver1
 	cp -Rf ../include ./libtestdriver1
-	cp -Rf ../tf-psa-crypto ./libtestdriver1
+	cp -Rf ../tf-psa-crypto/core ./libtestdriver1/tf-psa-crypto
 	cp -Rf ../tf-psa-crypto/include ./libtestdriver1/tf-psa-crypto
 	cp -Rf ../tf-psa-crypto/drivers/builtin ./libtestdriver1/tf-psa-crypto/drivers
 	cp -Rf ../scripts ./libtestdriver1
 	mkdir ./libtestdriver1/3rdparty
 	touch ./libtestdriver1/3rdparty/Makefile.inc
 	# Set the test driver base (minimal) configuration.
 	cp ./include/test/drivers/config_test_driver.h ./libtestdriver1/include/mbedtls/mbedtls_config.h
@ -298,8 +303,10 @@ libtestdriver1.a:
 	# when this test driver library is linked with the Mbed TLS library.
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/library/*.[ch]
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/include/*/*.h
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/core/*.[ch]
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/include/*/*.h
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h
 	perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch]
 	$(MAKE) -C ./libtestdriver1/library CFLAGS="-I../../ $(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a
 	cp ./libtestdriver1/library/libmbedcrypto.a ../library/libtestdriver1.a
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -133,10 +133,18 @@ pre_check_environment () {
 pre_initialize_variables () {
    if in_mbedtls_repo; then
        CONFIG_H='include/mbedtls/mbedtls_config.h'
-        CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h'
+        if [ -d tf-psa-crypto ]; then
            CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h'
            PSA_CORE_PATH='tf-psa-crypto/core'
            BUILTIN_SRC_PATH='tf-psa-crypto/drivers/builtin/src'
        else
            CRYPTO_CONFIG_H='include/psa/crypto_config.h'
        fi
    else
        CONFIG_H='drivers/builtin/include/mbedtls/mbedtls_config.h'
        CRYPTO_CONFIG_H='include/psa/crypto_config.h'
        PSA_CORE_PATH='core'
        BUILTIN_SRC_PATH='drivers/builtin/src'
    fi
    CONFIG_TEST_DRIVER_H='tests/include/test/drivers/config_test_driver.h'
@ -331,9 +339,14 @@ cleanup()
              -iname CMakeCache.txt -o \
              -path './cmake/*.cmake' \) -exec rm -f {} \+
    # Remove Makefiles generated by in-tree CMake builds
-    rm -f 3rdparty/Makefile 3rdparty/*/Makefile pkgconfig/Makefile framework/Makefile
+    rm -f pkgconfig/Makefile framework/Makefile
    rm -f include/Makefile programs/!(fuzz)/Makefile
    rm -f tf-psa-crypto/Makefile tf-psa-crypto/include/Makefile
    rm -f tf-psa-crypto/core/Makefile tf-psa-crypto/drivers/Makefile
    rm -f tf-psa-crypto/drivers/everest/Makefile
    rm -f tf-psa-crypto/drivers/p256-m/Makefile
    rm -f tf-psa-crypto/drivers/builtin/Makefile
    rm -f tf-psa-crypto/drivers/builtin/src/Makefile
    # Remove any artifacts from the component_test_cmake_as_subdirectory test.
    rm -rf programs/test/cmake_subproject/build
@ -444,6 +457,12 @@ armc6_build_test()
    msg "size: ARM Compiler 6 ($FLAGS)"
    "$ARMC6_FROMELF" -z library/*.o
    if [ -n ${PSA_CORE_PATH} ]; then
        "$ARMC6_FROMELF" -z ${PSA_CORE_PATH}/*.o
    fi
    if [ -n ${BUILTIN_SRC_PATH} ]; then
        "$ARMC6_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
    fi
 }
 err_msg()
@ -1108,6 +1127,8 @@ helper_psasim_server() {
 component_check_recursion () {
    msg "Check: recursion.pl" # < 1s
    tests/scripts/recursion.pl library/*.c
    tests/scripts/recursion.pl ${PSA_CORE_PATH}/*.c
    tests/scripts/recursion.pl ${BUILTIN_SRC_PATH}/*.c
 }
 component_check_generated_files () {
@ -1670,8 +1691,8 @@ component_full_no_pkparse_pkwrite() {
    make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
    # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
-    not grep mbedtls_pk_parse_key library/pkparse.o
+    not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o
-    not grep mbedtls_pk_write_key_der library/pkwrite.o
+    not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o
    msg "test: full without pkparse and pkwrite"
    make test
@ -1698,8 +1719,8 @@ component_test_crypto_full_md_light_only () {
    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
    # Make sure we don't have the HMAC functions, but the hashing functions
-    not grep mbedtls_md_hmac library/md.o
+    not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
-    grep mbedtls_md library/md.o
+    grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o
    msg "test: crypto_full with only the light subset of MD"
    make test
@ -1734,7 +1755,7 @@ component_test_full_no_cipher () {
    make
    # Ensure that CIPHER_C was not re-enabled
-    not grep mbedtls_cipher_init library/cipher.o
+    not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o
    msg "test: full no CIPHER"
    make test
@ -1787,7 +1808,7 @@ component_test_full_no_ccm_star_no_tag() {
    make
    # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
-    not grep mbedtls_psa_cipher library/psa_crypto_cipher.o
+    not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o
    msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
    make test
@ -2524,7 +2545,7 @@ component_test_psa_crypto_config_accel_ecdsa () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdsa_ library/ecdsa.o
+    not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
    # Run the tests
    # -------------
@ -2565,7 +2586,7 @@ component_test_psa_crypto_config_accel_ecdh () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
    # Run the tests
    # -------------
@ -2603,7 +2624,7 @@ component_test_psa_crypto_config_accel_ffdh () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_dhm_ library/dhm.o
+    not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
    # Run the tests
    # -------------
@ -2657,7 +2678,7 @@ component_test_psa_crypto_config_accel_pake() {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_ecjpake_init library/ecjpake.o
+    not grep mbedtls_ecjpake_init ${BUILTIN_SRC_PATH}/ecjpake.o
    # Run the tests
    # -------------
@ -2714,10 +2735,10 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # ECP should be re-enabled but not the others
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
-    not grep mbedtls_ecdsa library/ecdsa.o
+    not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
-    not grep mbedtls_ecjpake  library/ecjpake.o
+    not grep mbedtls_ecjpake  ${BUILTIN_SRC_PATH}/ecjpake.o
-    grep mbedtls_ecp library/ecp.o
+    grep mbedtls_ecp ${BUILTIN_SRC_PATH}/ecp.o
    # Run the tests
    # -------------
@ -2808,27 +2829,27 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # We expect ECDH to be re-enabled for the missing curves
-    grep mbedtls_ecdh_ library/ecdh.o
+    grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
    # We expect ECP to be re-enabled, however the parts specific to the
    # families of curves that are accelerated should be ommited.
    # - functions with mxz in the name are specific to Montgomery curves
    # - ecp_muladd is specific to Weierstrass curves
-    ##nm library/ecp.o | tee ecp.syms
+    ##nm ${BUILTIN_SRC_PATH}/ecp.o | tee ecp.syms
    if [ $weierstrass -eq 1 ]; then
-        not grep mbedtls_ecp_muladd library/ecp.o
+        not grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
-        grep mxz library/ecp.o
+        grep mxz ${BUILTIN_SRC_PATH}/ecp.o
    else
-        grep mbedtls_ecp_muladd library/ecp.o
+        grep mbedtls_ecp_muladd ${BUILTIN_SRC_PATH}/ecp.o
-        not grep mxz library/ecp.o
+        not grep mxz ${BUILTIN_SRC_PATH}/ecp.o
    fi
    # We expect ECDSA and ECJPAKE to be re-enabled only when
    # Weierstrass curves are not accelerated
    if [ $weierstrass -eq 1 ]; then
-        not grep mbedtls_ecdsa library/ecdsa.o
+        not grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
-        not grep mbedtls_ecjpake  library/ecjpake.o
+        not grep mbedtls_ecjpake  ${BUILTIN_SRC_PATH}/ecjpake.o
    else
-        grep mbedtls_ecdsa library/ecdsa.o
+        grep mbedtls_ecdsa ${BUILTIN_SRC_PATH}/ecdsa.o
-        grep mbedtls_ecjpake  library/ecjpake.o
+        grep mbedtls_ecjpake  ${BUILTIN_SRC_PATH}/ecjpake.o
    fi
    # Run the tests
@ -2907,10 +2928,10 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure any built-in EC alg was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdsa_ library/ecdsa.o
+    not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
-    not grep mbedtls_ecjpake_ library/ecjpake.o
+    not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
-    not grep mbedtls_ecp_mul library/ecp.o
+    not grep mbedtls_ecp_mul ${BUILTIN_SRC_PATH}/ecp.o
    # Run the tests
    # -------------
@ -3011,11 +3032,11 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure any built-in EC alg was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdsa_ library/ecdsa.o
+    not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
-    not grep mbedtls_ecjpake_ library/ecjpake.o
+    not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
    # Also ensure that ECP module was not re-enabled
-    not grep mbedtls_ecp_ library/ecp.o
+    not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
    # Run the tests
    # -------------
@ -3186,14 +3207,14 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure any built-in EC alg was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdsa_ library/ecdsa.o
+    not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
-    not grep mbedtls_ecjpake_ library/ecjpake.o
+    not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
    # Also ensure that ECP, RSA, [DHM] or BIGNUM modules were not re-enabled
-    not grep mbedtls_ecp_ library/ecp.o
+    not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
-    not grep mbedtls_rsa_ library/rsa.o
+    not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
-    not grep mbedtls_mpi_ library/bignum.o
+    not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
-    not grep mbedtls_dhm_ library/dhm.o
+    not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
    # Run the tests
    # -------------
@ -3289,20 +3310,20 @@ component_test_tfm_config_p256m_driver_accel_ec () {
    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include/spe" LDFLAGS="$ASAN_CFLAGS"
    # Make sure any built-in EC alg was not re-enabled by accident (additive config)
-    not grep mbedtls_ecdsa_ library/ecdsa.o
+    not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o
-    not grep mbedtls_ecdh_ library/ecdh.o
+    not grep mbedtls_ecdh_ ${BUILTIN_SRC_PATH}/ecdh.o
-    not grep mbedtls_ecjpake_ library/ecjpake.o
+    not grep mbedtls_ecjpake_ ${BUILTIN_SRC_PATH}/ecjpake.o
    # Also ensure that ECP, RSA, DHM or BIGNUM modules were not re-enabled
-    not grep mbedtls_ecp_ library/ecp.o
+    not grep mbedtls_ecp_ ${BUILTIN_SRC_PATH}/ecp.o
-    not grep mbedtls_rsa_ library/rsa.o
+    not grep mbedtls_rsa_ ${BUILTIN_SRC_PATH}/rsa.o
-    not grep mbedtls_dhm_ library/dhm.o
+    not grep mbedtls_dhm_ ${BUILTIN_SRC_PATH}/dhm.o
-    not grep mbedtls_mpi_ library/bignum.o
+    not grep mbedtls_mpi_ ${BUILTIN_SRC_PATH}/bignum.o
    # Check that p256m was built
    grep -q p256_ecdsa_ library/libmbedcrypto.a
    # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
    # files, so we want to ensure that it has not be re-enabled accidentally.
-    not grep mbedtls_cipher library/cipher.o
+    not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
    # Run the tests
    msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA"
@ -3327,7 +3348,7 @@ component_test_tfm_config() {
    # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration
    # files, so we want to ensure that it has not be re-enabled accidentally.
-    not grep mbedtls_cipher library/cipher.o
+    not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
    msg "test: TF-M config"
    make test
@ -3449,7 +3470,7 @@ component_test_psa_crypto_config_accel_rsa_crypto () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_rsa library/rsa.o
+    not grep mbedtls_rsa ${BUILTIN_SRC_PATH}/rsa.o
    # Run the tests
    # -------------
@ -3559,11 +3580,11 @@ component_test_psa_crypto_config_accel_hash () {
    # There's a risk of something getting re-enabled via config_psa.h;
    # make sure it did not happen. Note: it's OK for MD_C to be enabled.
-    not grep mbedtls_md5 library/md5.o
+    not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
-    not grep mbedtls_sha1 library/sha1.o
+    not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
-    not grep mbedtls_sha256 library/sha256.o
+    not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
-    not grep mbedtls_sha512 library/sha512.o
+    not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
-    not grep mbedtls_ripemd160 library/ripemd160.o
+    not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
    # Run the tests
    # -------------
@ -3616,11 +3637,11 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
    # There's a risk of something getting re-enabled via config_psa.h;
    # make sure it did not happen. Note: it's OK for MD_C to be enabled.
-    not grep mbedtls_md5 library/md5.o
+    not grep mbedtls_md5 ${BUILTIN_SRC_PATH}/md5.o
-    not grep mbedtls_sha1 library/sha1.o
+    not grep mbedtls_sha1 ${BUILTIN_SRC_PATH}/sha1.o
-    not grep mbedtls_sha256 library/sha256.o
+    not grep mbedtls_sha256 ${BUILTIN_SRC_PATH}/sha256.o
-    not grep mbedtls_sha512 library/sha512.o
+    not grep mbedtls_sha512 ${BUILTIN_SRC_PATH}/sha512.o
-    not grep mbedtls_ripemd160 library/ripemd160.o
+    not grep mbedtls_ripemd160 ${BUILTIN_SRC_PATH}/ripemd160.o
    # Run the tests
    # -------------
@ -3707,7 +3728,7 @@ component_test_psa_crypto_config_accel_hmac() {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Ensure that built-in support for HMAC is disabled.
-    not grep mbedtls_md_hmac library/md.o
+    not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o
    # Run the tests
    # -------------
@ -3765,7 +3786,7 @@ component_test_psa_crypto_config_accel_des () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_des* library/des.o
+    not grep mbedtls_des* ${BUILTIN_SRC_PATH}/des.o
    # Run the tests
    # -------------
@ -3802,9 +3823,9 @@ component_test_psa_crypto_config_accel_aead () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_ccm library/ccm.o
+    not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
-    not grep mbedtls_gcm library/gcm.o
+    not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
-    not grep mbedtls_chachapoly library/chachapoly.o
+    not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
    # Run the tests
    # -------------
@ -3870,15 +3891,15 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () {
    helper_libtestdriver1_make_main "$loc_accel_list"
    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_cipher library/cipher.o
+    not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
-    not grep mbedtls_des library/des.o
+    not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
-    not grep mbedtls_aes library/aes.o
+    not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
-    not grep mbedtls_aria library/aria.o
+    not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
-    not grep mbedtls_camellia library/camellia.o
+    not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
-    not grep mbedtls_ccm library/ccm.o
+    not grep mbedtls_ccm ${BUILTIN_SRC_PATH}/ccm.o
-    not grep mbedtls_gcm library/gcm.o
+    not grep mbedtls_gcm ${BUILTIN_SRC_PATH}/gcm.o
-    not grep mbedtls_chachapoly library/chachapoly.o
+    not grep mbedtls_chachapoly ${BUILTIN_SRC_PATH}/chachapoly.o
-    not grep mbedtls_cmac library/cmac.o
+    not grep mbedtls_cmac ${BUILTIN_SRC_PATH}/cmac.o
    # Run the tests
    # -------------
@ -3967,9 +3988,9 @@ component_test_full_block_cipher_psa_dispatch () {
    # Make sure disabled components were not re-enabled by accident (additive
    # config)
-    not grep mbedtls_aes_ library/aes.o
+    not grep mbedtls_aes_ ${BUILTIN_SRC_PATH}/aes.o
-    not grep mbedtls_aria_ library/aria.o
+    not grep mbedtls_aria_ ${BUILTIN_SRC_PATH}/aria.o
-    not grep mbedtls_camellia_ library/camellia.o
+    not grep mbedtls_camellia_ ${BUILTIN_SRC_PATH}/camellia.o
    # Run the tests
    # -------------
@ -4074,9 +4095,8 @@ build_test_config_combos() {
        ./scripts/config.py unset ${opt}
    done
-    # enter the directory containing the target file & strip the dir from the filename
+    # enter the library directory
-    cd $(dirname ${file})
+    cd library
    file=$(basename ${file})
    # The most common issue is unused variables/functions, so ensure -Wunused is set.
    warning_flags="-Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused"
@ -4091,7 +4111,7 @@ build_test_config_combos() {
    deps=""
    len=${#options[@]}
-    source_file=${file%.o}.c
+    source_file=../${file%.o}.c
    targets=0
    echo 'include Makefile' >${makefile}
@ -4148,7 +4168,7 @@ component_build_aes_variations() {
    MBEDTLS_ROOT_DIR="$PWD"
    msg "build: aes.o for all combinations of relevant config options"
-    build_test_config_combos library/aes.o validate_aes_config_variations \
+    build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
        "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
        "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
        "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
@ -4165,7 +4185,7 @@ component_build_aes_variations() {
    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
    scripts/config.py unset MBEDTLS_DES_C
    scripts/config.py unset MBEDTLS_NIST_KW_C
-    build_test_config_combos library/aes.o validate_aes_config_variations \
+    build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
        "MBEDTLS_AES_SETKEY_ENC_ALT" "MBEDTLS_AES_DECRYPT_ALT" \
        "MBEDTLS_AES_ROM_TABLES" "MBEDTLS_AES_ENCRYPT_ALT" "MBEDTLS_AES_SETKEY_DEC_ALT" \
        "MBEDTLS_AES_FEWER_TABLES" "MBEDTLS_AES_USE_HARDWARE_ONLY" \
@ -4597,49 +4617,49 @@ component_build_aes_armce () {
    scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
    msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
-    make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
    msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
    msg "MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
    scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
    msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, aarch64"
-    make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
    msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, arm"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
    msg "no MBEDTLS_AES_USE_HARDWARE_ONLY, clang, thumb"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
    # test for presence of AES instructions
    scripts/config.py set MBEDTLS_AES_USE_HARDWARE_ONLY
    msg "clang, test A32 crypto instructions built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
-    grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o
+    grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
    msg "clang, test T32 crypto instructions built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
-    grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o
+    grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
    msg "clang, test aarch64 crypto instructions built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
-    grep -E 'aes[a-z]+\s*[qv]' library/aesce.o
+    grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
    # test for absence of AES instructions
    scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY
    scripts/config.py unset MBEDTLS_AESCE_C
    msg "clang, test A32 crypto instructions not built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
-    not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o
+    not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
    msg "clang, test T32 crypto instructions not built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
-    not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' library/aesce.o
+    not grep -E 'aes[0-9a-z]+.[0-9]\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
    msg "clang, test aarch64 crypto instructions not built"
-    make -B library/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+    make -B library/../${BUILTIN_SRC_PATH}/aesce.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
-    not grep -E 'aes[a-z]+\s*[qv]' library/aesce.o
+    not grep -E 'aes[a-z]+\s*[qv]' ${BUILTIN_SRC_PATH}/aesce.o
 }
 support_build_sha_armce() {
@ -4654,30 +4674,30 @@ component_build_sha_armce () {
    # Test variations of SHA256 Armv8 crypto extensions
    scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
        msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64"
-        make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
        msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm"
-        make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm"
    scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
    # test the deprecated form of the config option
    scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
        msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
-        make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
    scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
        msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
-        make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a"
    scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
    # test the deprecated form of the config option
    scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
        msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
-        make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
        msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
-        make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
+        make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
    scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
@ -4685,32 +4705,32 @@ component_build_sha_armce () {
    for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do
        scripts/config.py set ${opt}
            msg "${opt} clang, test A32 crypto instructions built"
-            make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+            make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
-            grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o
+            grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
            msg "${opt} clang, test T32 crypto instructions built"
-            make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+            make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
-            grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o
+            grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
            msg "${opt} clang, test aarch64 crypto instructions built"
-            make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+            make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
-            grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o
+            grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
        scripts/config.py unset ${opt}
    done
    # examine the disassembly for absence of SHA instructions
    msg "clang, test A32 crypto instructions not built"
-    make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
+    make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S"
-    not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o
+    not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
    msg "clang, test T32 crypto instructions not built"
-    make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
+    make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S"
-    not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o
+    not grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
    msg "clang, test aarch64 crypto instructions not built"
-    make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
+    make -B library/../${BUILTIN_SRC_PATH}/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S"
-    not grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o
+    not grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.o
 }
 support_build_aes_aesce_armcc () {
@ -4832,13 +4852,13 @@ helper_block_cipher_no_decrypt_build_test () {
    make CFLAGS="-O2 $cflags" LDFLAGS="$ldflags"
    # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
-    not grep mbedtls_aes_setkey_dec library/aes.o
+    not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
-    not grep mbedtls_aria_setkey_dec library/aria.o
+    not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
-    not grep mbedtls_camellia_setkey_dec library/camellia.o
+    not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
    # Make sure we don't have mbedtls_internal_aes_decrypt in AES
-    not grep mbedtls_internal_aes_decrypt library/aes.o
+    not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
    # Make sure we don't have mbedtls_aesni_inverse_key in AESNI
-    not grep mbedtls_aesni_inverse_key library/aesni.o
+    not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o
    msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}"
    make test
@ -4939,14 +4959,14 @@ component_test_block_cipher_no_decrypt_aesce_armcc () {
    armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto -Werror -Wall -Wextra"
    # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA
-    not grep mbedtls_aes_setkey_dec library/aes.o
+    not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o
-    not grep mbedtls_aria_setkey_dec library/aria.o
+    not grep mbedtls_aria_setkey_dec ${BUILTIN_SRC_PATH}/aria.o
-    not grep mbedtls_camellia_setkey_dec library/camellia.o
+    not grep mbedtls_camellia_setkey_dec ${BUILTIN_SRC_PATH}/camellia.o
    # Make sure we don't have mbedtls_internal_aes_decrypt in AES
-    not grep mbedtls_internal_aes_decrypt library/aes.o
+    not grep mbedtls_internal_aes_decrypt ${BUILTIN_SRC_PATH}/aes.o
    # Make sure we don't have mbedtls_aesce_inverse_key and aesce_decrypt_block in AESCE
-    not grep mbedtls_aesce_inverse_key library/aesce.o
+    not grep mbedtls_aesce_inverse_key ${BUILTIN_SRC_PATH}/aesce.o
-    not grep aesce_decrypt_block library/aesce.o
+    not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
 }
 component_test_ctr_drbg_aes_256_sha_256 () {
@ -5319,6 +5339,8 @@ component_build_arm_none_eabi_gcc () {
    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -O1, baremetal+debug"
    ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
 }
 component_build_arm_linux_gnueabi_gcc_arm5vte () {
@ -5333,6 +5355,8 @@ component_build_arm_linux_gnueabi_gcc_arm5vte () {
    msg "size: ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
    ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t library/*.o
    ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
    ${ARM_LINUX_GNUEABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
 }
 support_build_arm_linux_gnueabi_gcc_arm5vte () {
    type ${ARM_LINUX_GNUEABI_GCC_PREFIX}gcc >/dev/null 2>&1
@ -5348,6 +5372,8 @@ component_build_arm_none_eabi_gcc_arm5vte () {
    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -march=armv5te -O1, baremetal+debug"
    ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
 }
 component_build_arm_none_eabi_gcc_m0plus () {
@ -5357,6 +5383,8 @@ component_build_arm_none_eabi_gcc_m0plus () {
    msg "size: ${ARM_NONE_EABI_GCC_PREFIX}gcc -mthumb -mcpu=cortex-m0plus -Os, baremetal_size"
    ${ARM_NONE_EABI_GCC_PREFIX}size -t library/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${PSA_CORE_PATH}/*.o
    ${ARM_NONE_EABI_GCC_PREFIX}size -t ${BUILTIN_SRC_PATH}/*.o
    for lib in library/*.a; do
        echo "$lib:"
        ${ARM_NONE_EABI_GCC_PREFIX}size -t $lib | grep TOTALS
@ -5370,6 +5398,8 @@ component_build_arm_none_eabi_gcc_no_udbl_division () {
    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -Wall -Wextra' lib
    echo "Checking that software 64-bit division is not required"
    not grep __aeabi_uldiv library/*.o
    not grep __aeabi_uldiv ${PSA_CORE_PATH}/*.o
    not grep __aeabi_uldiv ${BUILTIN_SRC_PATH}/*.o
 }
 component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
@ -5379,6 +5409,8 @@ component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
    make CC="${ARM_NONE_EABI_GCC_PREFIX}gcc" AR="${ARM_NONE_EABI_GCC_PREFIX}ar" LD="${ARM_NONE_EABI_GCC_PREFIX}ld" CFLAGS='-std=c99 -Werror -O1 -march=armv6-m -mthumb' lib
    echo "Checking that software 64-bit multiplication is not required"
    not grep __aeabi_lmul library/*.o
    not grep __aeabi_lmul ${PSA_CORE_PATH}/*.o
    not grep __aeabi_lmul ${BUILTIN_SRC_PATH}/*.o
 }
 component_build_arm_clang_thumb () {
@ -5423,6 +5455,8 @@ component_build_armcc () {
    msg "size: ARM Compiler 5"
    "$ARMC5_FROMELF" -z library/*.o
    "$ARMC5_FROMELF" -z ${PSA_CORE_PATH}/*.o
    "$ARMC5_FROMELF" -z ${BUILTIN_SRC_PATH}/*.o
    # Compile mostly with -O1 since some Arm inline assembly is disabled for -O0.
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@ -31,9 +31,16 @@ in_tf_psa_crypto_repo () {
 }
 if in_mbedtls_repo; then
-    library_dir='library'
+    if [ -d tf-psa-crypto ]; then
        crypto_core_dir='tf-psa-crypto/core'
        builtin_drivers_dir='tf-psa-crypto/drivers/builtin/src'
    else
        crypto_core_dir='library'
        builtin_drivers_dir='library'
    fi
 elif in_tf_psa_crypto_repo; then
-    library_dir='core'
+    crypto_core_dir='core'
    builtin_drivers_dir='drivers/builtin/src/'
 else
    echo "Must be run from Mbed TLS root or TF-PSA-Crypto root" >&2
    exit 1
@ -133,13 +140,14 @@ check framework/scripts/generate_config_tests.py $(framework/scripts/generate_co
 check framework/scripts/generate_ecp_tests.py $(framework/scripts/generate_ecp_tests.py --list)
 check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list)
 check framework/scripts/generate_test_keys.py tests/src/test_keys.h
-check scripts/generate_driver_wrappers.py $library_dir/psa_crypto_driver_wrappers.h $library_dir/psa_crypto_driver_wrappers_no_static.c
+check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \
                                          ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c
 # Additional checks for Mbed TLS only
 if in_mbedtls_repo; then
-    check scripts/generate_errors.pl library/error.c
+    check scripts/generate_errors.pl ${builtin_drivers_dir}/error.c
    check scripts/generate_query_config.pl programs/test/query_config.c
-    check scripts/generate_features.pl library/version_features.c
+    check scripts/generate_features.pl ${builtin_drivers_dir}/version_features.c
    check scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c
    check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h
    # generate_visualc_files enumerates source files (library/*.c). It doesn't
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@ -368,9 +368,8 @@ class LicenseIssueTracker(LineIssueTracker):
    heading = "License issue:"
    LICENSE_EXEMPTION_RE_LIST = [
-        # Third-party code, other than whitelisted third-party modules,
+        # Exempt third-party drivers which may be under a different license
-        # may be under a different license.
+        r'tf-psa-crypto/drivers/(?=(everest)/.*)',
        r'3rdparty/(?!(p256-m)/.*)',
        # Documentation explaining the license may have accidental
        # false positives.
        r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
--- a/tests/scripts/check_names.py
+++ b/tests/scripts/check_names.py
@ -240,15 +240,19 @@ class CodeParser():
            "include/psa/*.h",
            "tf-psa-crypto/include/psa/*.h",
            "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
-            "3rdparty/everest/include/everest/everest.h",
+            "tf-psa-crypto/drivers/everest/include/everest/everest.h",
-            "3rdparty/everest/include/everest/x25519.h"
+            "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
        ])
        all_macros["internal"] = self.parse_macros([
            "library/*.h",
            "tf-psa-crypto/core/*.h",
            "tf-psa-crypto/drivers/builtin/src/*.h",
            "tests/include/test/drivers/*.h",
        ])
        all_macros["private"] = self.parse_macros([
            "library/*.c",
            "tf-psa-crypto/core/*.c",
            "tf-psa-crypto/drivers/builtin/src/*.c",
        ])
        enum_consts = self.parse_enum_consts([
            "include/mbedtls/*.h",
@ -256,9 +260,13 @@ class CodeParser():
            "tf-psa-crypto/include/psa/*.h",
            "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
            "library/*.h",
            "tf-psa-crypto/core/*.h",
            "tf-psa-crypto/drivers/builtin/src/*.h",
            "library/*.c",
-            "3rdparty/everest/include/everest/everest.h",
+            "tf-psa-crypto/core/*.c",
-            "3rdparty/everest/include/everest/x25519.h"
+            "tf-psa-crypto/drivers/builtin/src/*.c",
            "tf-psa-crypto/drivers/everest/include/everest/everest.h",
            "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
        ])
        identifiers, excluded_identifiers = self.parse_identifiers([
            "include/mbedtls/*.h",
@ -266,21 +274,27 @@ class CodeParser():
            "tf-psa-crypto/include/psa/*.h",
            "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
            "library/*.h",
-            "3rdparty/everest/include/everest/everest.h",
+            "tf-psa-crypto/core/*.h",
-            "3rdparty/everest/include/everest/x25519.h"
+            "tf-psa-crypto/drivers/builtin/src/*.h",
-        ], ["3rdparty/p256-m/p256-m/p256-m.h"])
+            "tf-psa-crypto/drivers/everest/include/everest/everest.h",
            "tf-psa-crypto/drivers/everest/include/everest/x25519.h"
        ], ["tf-psa-crypto/drivers/p256-m/p256-m/p256-m.h"])
        mbed_psa_words = self.parse_mbed_psa_words([
            "include/mbedtls/*.h",
            "include/psa/*.h",
            "tf-psa-crypto/include/psa/*.h",
            "tf-psa-crypto/drivers/builtin/include/mbedtls/*.h",
            "library/*.h",
-            "3rdparty/everest/include/everest/everest.h",
+            "tf-psa-crypto/core/*.h",
-            "3rdparty/everest/include/everest/x25519.h",
+            "tf-psa-crypto/drivers/builtin/src/*.h",
            "tf-psa-crypto/drivers/everest/include/everest/everest.h",
            "tf-psa-crypto/drivers/everest/include/everest/x25519.h",
            "library/*.c",
-            "3rdparty/everest/library/everest.c",
+            "tf-psa-crypto/core/*.c",
-            "3rdparty/everest/library/x25519.c"
+            "tf-psa-crypto/drivers/builtin/src/*.c",
-        ], ["library/psa_crypto_driver_wrappers.h"])
+            "tf-psa-crypto/drivers/everest/library/everest.c",
            "tf-psa-crypto/drivers/everest/library/x25519.c"
        ], ["tf-psa-crypto/core/psa_crypto_driver_wrappers.h"])
        symbols = self.parse_symbols()
        # Remove identifier macros like mbedtls_printf or mbedtls_calloc
--- a/tests/scripts/list_internal_identifiers.py
+++ b/tests/scripts/list_internal_identifiers.py
@ -33,7 +33,9 @@ def main():
    name_check = CodeParser(logging.getLogger())
    result = name_check.parse_identifiers([
        "include/mbedtls/*_internal.h",
-        "library/*.h"
+        "library/*.h",
        "tf-psa-crypto/core/*.h",
        "tf-psa-crypto/drivers/builtin/src/*.h"
    ])[0]
    result.sort(key=lambda x: x.name)
--- a/tests/scripts/test_psa_compliance.py
+++ b/tests/scripts/test_psa_compliance.py
@ -39,7 +39,14 @@ def main(library_build_dir: str):
    in_tf_psa_crypto_repo = build_tree.looks_like_tf_psa_crypto_root(root_dir)
    crypto_name = build_tree.crypto_library_filename(root_dir)
-    library_subdir = build_tree.crypto_core_directory(root_dir, relative=True)
+
    # Temporary, while the crypto library is still located in the library
    # directory. This will not be the case anymore when it will be built by
    # the TF-PSA-Crypto build system.
    if in_tf_psa_crypto_repo:
        library_subdir = build_tree.crypto_core_directory(root_dir, relative=True)
    else:
        library_subdir = 'library'
    crypto_lib_filename = (library_build_dir + '/' +
                           library_subdir + '/' +
--- a/tests/src/drivers/hash.c
+++ b/tests/src/drivers/hash.c
@ -13,7 +13,7 @@
 #include "test/drivers/hash.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_hash.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_hash.h"
 #endif
 mbedtls_test_driver_hash_hooks_t
--- a/tests/src/drivers/test_driver_aead.c
+++ b/tests/src/drivers/test_driver_aead.c
@ -16,7 +16,7 @@
 #include "mbedtls/constant_time.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_aead.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_aead.h"
 #endif
 mbedtls_test_driver_aead_hooks_t
--- a/tests/src/drivers/test_driver_asymmetric_encryption.c
+++ b/tests/src/drivers/test_driver_asymmetric_encryption.c
@ -16,7 +16,7 @@
 #include "test/drivers/key_management.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
 #endif
 #define PSA_RSA_KEY_PAIR_MAX_SIZE \
--- a/tests/src/drivers/test_driver_cipher.c
+++ b/tests/src/drivers/test_driver_cipher.c
@ -19,7 +19,7 @@
 #include "test/random.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_cipher.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_cipher.h"
 #endif
 #include <string.h>
--- a/tests/src/drivers/test_driver_key_agreement.c
+++ b/tests/src/drivers/test_driver_key_agreement.c
@ -21,8 +21,8 @@
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
 #include "libtestdriver1/tf-psa-crypto/include/psa/crypto.h"
-#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ffdh.h"
 #endif
 mbedtls_test_driver_key_agreement_hooks_t
--- a/tests/src/drivers/test_driver_key_management.c
+++ b/tests/src/drivers/test_driver_key_management.c
@ -23,9 +23,9 @@
 #include "test/random.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
-#include "libtestdriver1/library/psa_crypto_ffdh.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ffdh.h"
 #endif
 #include <string.h>
--- a/tests/src/drivers/test_driver_mac.c
+++ b/tests/src/drivers/test_driver_mac.c
@ -13,7 +13,7 @@
 #include "test/drivers/mac.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_mac.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_mac.h"
 #endif
 mbedtls_test_driver_mac_hooks_t mbedtls_test_driver_mac_hooks =
--- a/tests/src/drivers/test_driver_pake.c
+++ b/tests/src/drivers/test_driver_pake.c
@ -14,7 +14,7 @@
 #include "string.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_pake.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_pake.h"
 #endif
 mbedtls_test_driver_pake_hooks_t mbedtls_test_driver_pake_hooks =
--- a/tests/src/drivers/test_driver_signature.c
+++ b/tests/src/drivers/test_driver_signature.c
@ -26,9 +26,9 @@
 #include "test/random.h"
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
-#include "libtestdriver1/library/psa_crypto_ecp.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_ecp.h"
-#include "libtestdriver1/library/psa_crypto_hash.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_hash.h"
-#include "libtestdriver1/library/psa_crypto_rsa.h"
+#include "libtestdriver1/tf-psa-crypto/core/psa_crypto_rsa.h"
 #endif
 #include <string.h>
--- a/tf-psa-crypto/CMakeLists.txt
+++ b/tf-psa-crypto/CMakeLists.txt
@ -36,3 +36,5 @@ if(LIB_INSTALL_DIR)
 endif()
 add_subdirectory(include)
 add_subdirectory(core)
 add_subdirectory(drivers)
--- a/tf-psa-crypto/core/.gitignore
+++ b/tf-psa-crypto/core/.gitignore
@ -0,0 +1,4 @@
 ###START_GENERATED_FILES###
 /psa_crypto_driver_wrappers.h
 /psa_crypto_driver_wrappers_no_static.c
 ###END_GENERATED_FILES###
--- a/tf-psa-crypto/core/CMakeLists.txt
+++ b/tf-psa-crypto/core/CMakeLists.txt
--- a/tf-psa-crypto/core/alignment.h
+++ b/tf-psa-crypto/core/alignment.h
--- a/tf-psa-crypto/core/common.h
+++ b/tf-psa-crypto/core/common.h
@ -0,0 +1,435 @@
 /**
 * \file common.h
 *
 * \brief Utility macros for internal use in the library
 */
 /*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
 #ifndef MBEDTLS_LIBRARY_COMMON_H
 #define MBEDTLS_LIBRARY_COMMON_H
 #include "mbedtls/build_info.h"
 #include "alignment.h"
 #include <assert.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stddef.h>
 #if defined(__ARM_NEON)
 #include <arm_neon.h>
 #define MBEDTLS_HAVE_NEON_INTRINSICS
 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
 #include <arm64_neon.h>
 #define MBEDTLS_HAVE_NEON_INTRINSICS
 #endif
 /** Helper to define a function as static except when building invasive tests.
 *
 * If a function is only used inside its own source file and should be
 * declared `static` to allow the compiler to optimize for code size,
 * but that function has unit tests, define it with
 * ```
 * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
 * ```
 * and declare it in a header in the `library/` directory with
 * ```
 * #if defined(MBEDTLS_TEST_HOOKS)
 * int mbedtls_foo(...);
 * #endif
 * ```
 */
 #if defined(MBEDTLS_TEST_HOOKS)
 #define MBEDTLS_STATIC_TESTABLE
 #else
 #define MBEDTLS_STATIC_TESTABLE static
 #endif
 #if defined(MBEDTLS_TEST_HOOKS)
 extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const char *file);
 #define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST) \
    do { \
        if ((!(TEST)) && ((*mbedtls_test_hook_test_fail) != NULL)) \
        { \
            (*mbedtls_test_hook_test_fail)( #TEST, __LINE__, __FILE__); \
        } \
    } while (0)
 #else
 #define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
 #endif /* defined(MBEDTLS_TEST_HOOKS) */
 /** \def ARRAY_LENGTH
 * Return the number of elements of a static or stack array.
 *
 * \param array         A value of array (not pointer) type.
 *
 * \return The number of elements of the array.
 */
 /* A correct implementation of ARRAY_LENGTH, but which silently gives
 * a nonsensical result if called with a pointer rather than an array. */
 #define ARRAY_LENGTH_UNSAFE(array)            \
    (sizeof(array) / sizeof(*(array)))
 #if defined(__GNUC__)
 /* Test if arg and &(arg)[0] have the same type. This is true if arg is
 * an array but not if it's a pointer. */
 #define IS_ARRAY_NOT_POINTER(arg)                                     \
    (!__builtin_types_compatible_p(__typeof__(arg),                \
                                   __typeof__(&(arg)[0])))
 /* A compile-time constant with the value 0. If `const_expr` is not a
 * compile-time constant with a nonzero value, cause a compile-time error. */
 #define STATIC_ASSERT_EXPR(const_expr)                                \
    (0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
 /* Return the scalar value `value` (possibly promoted). This is a compile-time
 * constant if `value` is. `condition` must be a compile-time constant.
 * If `condition` is false, arrange to cause a compile-time error. */
 #define STATIC_ASSERT_THEN_RETURN(condition, value)   \
    (STATIC_ASSERT_EXPR(condition) ? 0 : (value))
 #define ARRAY_LENGTH(array)                                           \
    (STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array),         \
                               ARRAY_LENGTH_UNSAFE(array)))
 #else
 /* If we aren't sure the compiler supports our non-standard tricks,
 * fall back to the unsafe implementation. */
 #define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
 #endif
 /** Allow library to access its structs' private members.
 *
 * Although structs defined in header files are publicly available,
 * their members are private and should not be accessed by the user.
 */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 /**
 * \brief       Securely zeroize a buffer then free it.
 *
 *              Similar to making consecutive calls to
 *              \c mbedtls_platform_zeroize() and \c mbedtls_free(), but has
 *              code size savings, and potential for optimisation in the future.
 *
 *              Guaranteed to be a no-op if \p buf is \c NULL and \p len is 0.
 *
 * \param buf   Buffer to be zeroized then freed.
 * \param len   Length of the buffer in bytes
 */
 void mbedtls_zeroize_and_free(void *buf, size_t len);
 /** Return an offset into a buffer.
 *
 * This is just the addition of an offset to a pointer, except that this
 * function also accepts an offset of 0 into a buffer whose pointer is null.
 * (`p + n` has undefined behavior when `p` is null, even when `n == 0`.
 * A null pointer is a valid buffer pointer when the size is 0, for example
 * as the result of `malloc(0)` on some platforms.)
 *
 * \param p     Pointer to a buffer of at least n bytes.
 *              This may be \p NULL if \p n is zero.
 * \param n     An offset in bytes.
 * \return      Pointer to offset \p n in the buffer \p p.
 *              Note that this is only a valid pointer if the size of the
 *              buffer is at least \p n + 1.
 */
 static inline unsigned char *mbedtls_buffer_offset(
    unsigned char *p, size_t n)
 {
    return p == NULL ? NULL : p + n;
 }
 /** Return an offset into a read-only buffer.
 *
 * Similar to mbedtls_buffer_offset(), but for const pointers.
 *
 * \param p     Pointer to a buffer of at least n bytes.
 *              This may be \p NULL if \p n is zero.
 * \param n     An offset in bytes.
 * \return      Pointer to offset \p n in the buffer \p p.
 *              Note that this is only a valid pointer if the size of the
 *              buffer is at least \p n + 1.
 */
 static inline const unsigned char *mbedtls_buffer_offset_const(
    const unsigned char *p, size_t n)
 {
    return p == NULL ? NULL : p + n;
 }
 /* Always inline mbedtls_xor() for similar reasons as mbedtls_xor_no_simd(). */
 #if defined(__IAR_SYSTEMS_ICC__)
 #pragma inline = forced
 #elif defined(__GNUC__)
 __attribute__((always_inline))
 #endif
 /**
 * Perform a fast block XOR operation, such that
 * r[i] = a[i] ^ b[i] where 0 <= i < n
 *
 * \param   r Pointer to result (buffer of at least \p n bytes). \p r
 *            may be equal to either \p a or \p b, but behaviour when
 *            it overlaps in other ways is undefined.
 * \param   a Pointer to input (buffer of at least \p n bytes)
 * \param   b Pointer to input (buffer of at least \p n bytes)
 * \param   n Number of bytes to process.
 *
 * \note      Depending on the situation, it may be faster to use either mbedtls_xor() or
 *            mbedtls_xor_no_simd() (these are functionally equivalent).
 *            If the result is used immediately after the xor operation in non-SIMD code (e.g, in
 *            AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
 *            registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
 *            the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
 *            For targets without SIMD support, they will behave the same.
 */
 static inline void mbedtls_xor(unsigned char *r,
                               const unsigned char *a,
                               const unsigned char *b,
                               size_t n)
 {
    size_t i = 0;
 #if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
 #if defined(MBEDTLS_HAVE_NEON_INTRINSICS) && \
    (!(defined(MBEDTLS_COMPILER_IS_GCC) && MBEDTLS_GCC_VERSION < 70300))
    /* Old GCC versions generate a warning here, so disable the NEON path for these compilers */
    for (; (i + 16) <= n; i += 16) {
        uint8x16_t v1 = vld1q_u8(a + i);
        uint8x16_t v2 = vld1q_u8(b + i);
        uint8x16_t x = veorq_u8(v1, v2);
        vst1q_u8(r + i, x);
    }
 #if defined(__IAR_SYSTEMS_ICC__)
    /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
     * where n is a constant multiple of 16.
     * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
     * constant, and is a very small perf regression if n is not a compile-time constant. */
    if (n % 16 == 0) {
        return;
    }
 #endif
 #elif defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
    /* This codepath probably only makes sense on architectures with 64-bit registers */
    for (; (i + 8) <= n; i += 8) {
        uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
        mbedtls_put_unaligned_uint64(r + i, x);
    }
 #if defined(__IAR_SYSTEMS_ICC__)
    if (n % 8 == 0) {
        return;
    }
 #endif
 #else
    for (; (i + 4) <= n; i += 4) {
        uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
        mbedtls_put_unaligned_uint32(r + i, x);
    }
 #if defined(__IAR_SYSTEMS_ICC__)
    if (n % 4 == 0) {
        return;
    }
 #endif
 #endif
 #endif
    for (; i < n; i++) {
        r[i] = a[i] ^ b[i];
    }
 }
 /* Always inline mbedtls_xor_no_simd() as we see significant perf regressions when it does not get
 * inlined (e.g., observed about 3x perf difference in gcm_mult_largetable with gcc 7 - 12) */
 #if defined(__IAR_SYSTEMS_ICC__)
 #pragma inline = forced
 #elif defined(__GNUC__)
 __attribute__((always_inline))
 #endif
 /**
 * Perform a fast block XOR operation, such that
 * r[i] = a[i] ^ b[i] where 0 <= i < n
 *
 * In some situations, this can perform better than mbedtls_xor() (e.g., it's about 5%
 * better in AES-CBC).
 *
 * \param   r Pointer to result (buffer of at least \p n bytes). \p r
 *            may be equal to either \p a or \p b, but behaviour when
 *            it overlaps in other ways is undefined.
 * \param   a Pointer to input (buffer of at least \p n bytes)
 * \param   b Pointer to input (buffer of at least \p n bytes)
 * \param   n Number of bytes to process.
 *
 * \note      Depending on the situation, it may be faster to use either mbedtls_xor() or
 *            mbedtls_xor_no_simd() (these are functionally equivalent).
 *            If the result is used immediately after the xor operation in non-SIMD code (e.g, in
 *            AES-CBC), there may be additional latency to transfer the data from SIMD to scalar
 *            registers, and in this case, mbedtls_xor_no_simd() may be faster. In other cases where
 *            the result is not used immediately (e.g., in AES-CTR), mbedtls_xor() may be faster.
 *            For targets without SIMD support, they will behave the same.
 */
 static inline void mbedtls_xor_no_simd(unsigned char *r,
                                       const unsigned char *a,
                                       const unsigned char *b,
                                       size_t n)
 {
    size_t i = 0;
 #if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
 #if defined(MBEDTLS_ARCH_IS_X64) || defined(MBEDTLS_ARCH_IS_ARM64)
    /* This codepath probably only makes sense on architectures with 64-bit registers */
    for (; (i + 8) <= n; i += 8) {
        uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
        mbedtls_put_unaligned_uint64(r + i, x);
    }
 #if defined(__IAR_SYSTEMS_ICC__)
    /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
     * where n is a constant multiple of 8.
     * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
     * constant, and is a very small perf regression if n is not a compile-time constant. */
    if (n % 8 == 0) {
        return;
    }
 #endif
 #else
    for (; (i + 4) <= n; i += 4) {
        uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
        mbedtls_put_unaligned_uint32(r + i, x);
    }
 #if defined(__IAR_SYSTEMS_ICC__)
    if (n % 4 == 0) {
        return;
    }
 #endif
 #endif
 #endif
    for (; i < n; i++) {
        r[i] = a[i] ^ b[i];
    }
 }
 /* Fix MSVC C99 compatible issue
 *      MSVC support __func__ from visual studio 2015( 1900 )
 *      Use MSVC predefine macro to avoid name check fail.
 */
 #if (defined(_MSC_VER) && (_MSC_VER <= 1900))
 #define /*no-check-names*/ __func__ __FUNCTION__
 #endif
 /* Define `asm` for compilers which don't define it. */
 /* *INDENT-OFF* */
 #ifndef asm
 #if defined(__IAR_SYSTEMS_ICC__)
 #define asm __asm
 #else
 #define asm __asm__
 #endif
 #endif
 /* *INDENT-ON* */
 /*
 * Define the constraint used for read-only pointer operands to aarch64 asm.
 *
 * This is normally the usual "r", but for aarch64_32 (aka ILP32,
 * as found in watchos), "p" is required to avoid warnings from clang.
 *
 * Note that clang does not recognise '+p' or '=p', and armclang
 * does not recognise 'p' at all. Therefore, to update a pointer from
 * aarch64 assembly, it is necessary to use something like:
 *
 * uintptr_t uptr = (uintptr_t) ptr;
 * asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
 * ptr = (void*) uptr;
 *
 * Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
 */
 #if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
 #if UINTPTR_MAX == 0xfffffffful
 /* ILP32: Specify the pointer operand slightly differently, as per #7787. */
 #define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
 #elif UINTPTR_MAX == 0xfffffffffffffffful
 /* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
 #define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
 #else
 #error "Unrecognised pointer size for aarch64"
 #endif
 #endif
 /* Always provide a static assert macro, so it can be used unconditionally.
 * It will expand to nothing on some systems.
 * Can be used outside functions (but don't add a trailing ';' in that case:
 * the semicolon is included here to avoid triggering -Wextra-semi when
 * MBEDTLS_STATIC_ASSERT() expands to nothing).
 * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
 * defines static_assert even with -std=c99, but then complains about it.
 */
 #if defined(static_assert) && !defined(__FreeBSD__)
 #define MBEDTLS_STATIC_ASSERT(expr, msg)    static_assert(expr, msg);
 #else
 #define MBEDTLS_STATIC_ASSERT(expr, msg)
 #endif
 #if defined(__has_builtin)
 #define MBEDTLS_HAS_BUILTIN(x) __has_builtin(x)
 #else
 #define MBEDTLS_HAS_BUILTIN(x) 0
 #endif
 /* Define compiler branch hints */
 #if MBEDTLS_HAS_BUILTIN(__builtin_expect)
 #define MBEDTLS_LIKELY(x)       __builtin_expect(!!(x), 1)
 #define MBEDTLS_UNLIKELY(x)     __builtin_expect(!!(x), 0)
 #else
 #define MBEDTLS_LIKELY(x)       x
 #define MBEDTLS_UNLIKELY(x)     x
 #endif
 /* MBEDTLS_ASSUME may be used to provide additional information to the compiler
 * which can result in smaller code-size. */
 #if MBEDTLS_HAS_BUILTIN(__builtin_assume)
 /* clang provides __builtin_assume */
 #define MBEDTLS_ASSUME(x)       __builtin_assume(x)
 #elif MBEDTLS_HAS_BUILTIN(__builtin_unreachable)
 /* gcc and IAR can use __builtin_unreachable */
 #define MBEDTLS_ASSUME(x)       do { if (!(x)) __builtin_unreachable(); } while (0)
 #elif defined(_MSC_VER)
 /* Supported by MSVC since VS 2005 */
 #define MBEDTLS_ASSUME(x)       __assume(x)
 #else
 #define MBEDTLS_ASSUME(x)       do { } while (0)
 #endif
 /* For gcc -Os, override with -O2 for a given function.
 *
 * This will not affect behaviour for other optimisation settings, e.g. -O0.
 */
 #if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
 #define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
 #else
 #define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
 #endif
 /* Suppress compiler warnings for unused functions and variables. */
 #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__has_attribute)
 #    if __has_attribute(unused)
 #        define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
 #    endif
 #endif
 #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__GNUC__)
 #    define MBEDTLS_MAYBE_UNUSED __attribute__((unused))
 #endif
 #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__)
 /* IAR does support __attribute__((unused)), but only if the -e flag (extended language support)
 * is given; the pragma always works.
 * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless.
 * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't
 * able to find documentation).
 */
 #    if (__VER__ >= 5020000)
 #        define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177")
 #    endif
 #endif
 #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER)
 #    define MBEDTLS_MAYBE_UNUSED __pragma(warning(suppress:4189))
 #endif
 #if !defined(MBEDTLS_MAYBE_UNUSED)
 #    define MBEDTLS_MAYBE_UNUSED
 #endif
 #endif /* MBEDTLS_LIBRARY_COMMON_H */
--- a/tf-psa-crypto/core/psa_crypto.c
+++ b/tf-psa-crypto/core/psa_crypto.c
--- a/tf-psa-crypto/core/psa_crypto_aead.c
+++ b/tf-psa-crypto/core/psa_crypto_aead.c
--- a/tf-psa-crypto/core/psa_crypto_aead.h
+++ b/tf-psa-crypto/core/psa_crypto_aead.h
--- a/tf-psa-crypto/core/psa_crypto_cipher.c
+++ b/tf-psa-crypto/core/psa_crypto_cipher.c
--- a/tf-psa-crypto/core/psa_crypto_cipher.h
+++ b/tf-psa-crypto/core/psa_crypto_cipher.h
--- a/tf-psa-crypto/core/psa_crypto_client.c
+++ b/tf-psa-crypto/core/psa_crypto_client.c
--- a/tf-psa-crypto/core/psa_crypto_core.h
+++ b/tf-psa-crypto/core/psa_crypto_core.h
--- a/tf-psa-crypto/core/psa_crypto_core_common.h
+++ b/tf-psa-crypto/core/psa_crypto_core_common.h
--- a/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h
+++ b/tf-psa-crypto/core/psa_crypto_driver_wrappers_no_static.h
--- a/tf-psa-crypto/core/psa_crypto_ecp.c
+++ b/tf-psa-crypto/core/psa_crypto_ecp.c
--- a/tf-psa-crypto/core/psa_crypto_ecp.h
+++ b/tf-psa-crypto/core/psa_crypto_ecp.h
--- a/tf-psa-crypto/core/psa_crypto_ffdh.c
+++ b/tf-psa-crypto/core/psa_crypto_ffdh.c
--- a/tf-psa-crypto/core/psa_crypto_ffdh.h
+++ b/tf-psa-crypto/core/psa_crypto_ffdh.h
--- a/tf-psa-crypto/core/psa_crypto_hash.c
+++ b/tf-psa-crypto/core/psa_crypto_hash.c
--- a/tf-psa-crypto/core/psa_crypto_hash.h
+++ b/tf-psa-crypto/core/psa_crypto_hash.h
--- a/tf-psa-crypto/core/psa_crypto_invasive.h
+++ b/tf-psa-crypto/core/psa_crypto_invasive.h
--- a/tf-psa-crypto/core/psa_crypto_its.h
+++ b/tf-psa-crypto/core/psa_crypto_its.h
--- a/tf-psa-crypto/core/psa_crypto_mac.c
+++ b/tf-psa-crypto/core/psa_crypto_mac.c
--- a/tf-psa-crypto/core/psa_crypto_mac.h
+++ b/tf-psa-crypto/core/psa_crypto_mac.h
--- a/tf-psa-crypto/core/psa_crypto_pake.c
+++ b/tf-psa-crypto/core/psa_crypto_pake.c
--- a/tf-psa-crypto/core/psa_crypto_pake.h
+++ b/tf-psa-crypto/core/psa_crypto_pake.h
--- a/tf-psa-crypto/core/psa_crypto_random_impl.h
+++ b/tf-psa-crypto/core/psa_crypto_random_impl.h
--- a/tf-psa-crypto/core/psa_crypto_rsa.c
+++ b/tf-psa-crypto/core/psa_crypto_rsa.c
--- a/tf-psa-crypto/core/psa_crypto_rsa.h
+++ b/tf-psa-crypto/core/psa_crypto_rsa.h
--- a/tf-psa-crypto/core/psa_crypto_se.c
+++ b/tf-psa-crypto/core/psa_crypto_se.c
--- a/tf-psa-crypto/core/psa_crypto_se.h
+++ b/tf-psa-crypto/core/psa_crypto_se.h
--- a/tf-psa-crypto/core/psa_crypto_slot_management.c
+++ b/tf-psa-crypto/core/psa_crypto_slot_management.c
--- a/tf-psa-crypto/core/psa_crypto_slot_management.h
+++ b/tf-psa-crypto/core/psa_crypto_slot_management.h
--- a/tf-psa-crypto/core/psa_crypto_storage.c
+++ b/tf-psa-crypto/core/psa_crypto_storage.c
--- a/tf-psa-crypto/core/psa_crypto_storage.h
+++ b/tf-psa-crypto/core/psa_crypto_storage.h
--- a/tf-psa-crypto/core/psa_its_file.c
+++ b/tf-psa-crypto/core/psa_its_file.c
--- a/tf-psa-crypto/core/psa_util.c
+++ b/tf-psa-crypto/core/psa_util.c
--- a/tf-psa-crypto/core/psa_util_internal.h
+++ b/tf-psa-crypto/core/psa_util_internal.h
--- a/tf-psa-crypto/drivers/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/CMakeLists.txt
@ -1,2 +1,3 @@
 add_subdirectory(builtin)
 add_subdirectory(everest)
 add_subdirectory(p256-m)
--- a/tf-psa-crypto/drivers/builtin/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/builtin/CMakeLists.txt
@ -0,0 +1 @@
 add_subdirectory(src)
--- a/tf-psa-crypto/drivers/builtin/src/.gitignore
+++ b/tf-psa-crypto/drivers/builtin/src/.gitignore
@ -0,0 +1,4 @@
 ###START_GENERATED_FILES###
 /error.c
 /version_features.c
 ###END_GENERATED_FILES###
--- a/tf-psa-crypto/drivers/builtin/src/CMakeLists.txt
+++ b/tf-psa-crypto/drivers/builtin/src/CMakeLists.txt
--- a/tf-psa-crypto/drivers/builtin/src/aes.c
+++ b/tf-psa-crypto/drivers/builtin/src/aes.c
--- a/tf-psa-crypto/drivers/builtin/src/aesce.c
+++ b/tf-psa-crypto/drivers/builtin/src/aesce.c
--- a/tf-psa-crypto/drivers/builtin/src/aesce.h
+++ b/tf-psa-crypto/drivers/builtin/src/aesce.h
--- a/tf-psa-crypto/drivers/builtin/src/aesni.c
+++ b/tf-psa-crypto/drivers/builtin/src/aesni.c
--- a/tf-psa-crypto/drivers/builtin/src/aesni.h
+++ b/tf-psa-crypto/drivers/builtin/src/aesni.h
--- a/tf-psa-crypto/drivers/builtin/src/aria.c
+++ b/tf-psa-crypto/drivers/builtin/src/aria.c
--- a/tf-psa-crypto/drivers/builtin/src/asn1parse.c
+++ b/tf-psa-crypto/drivers/builtin/src/asn1parse.c
--- a/tf-psa-crypto/drivers/builtin/src/asn1write.c
+++ b/tf-psa-crypto/drivers/builtin/src/asn1write.c
--- a/tf-psa-crypto/drivers/builtin/src/base64.c
+++ b/tf-psa-crypto/drivers/builtin/src/base64.c
--- a/tf-psa-crypto/drivers/builtin/src/base64_internal.h
+++ b/tf-psa-crypto/drivers/builtin/src/base64_internal.h
--- a/tf-psa-crypto/drivers/builtin/src/bignum.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum.c
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod.c
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod.h
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.c
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw.h
--- a/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_mod_raw_invasive.h
--- a/tf-psa-crypto/drivers/builtin/src/block_cipher.c
+++ b/tf-psa-crypto/drivers/builtin/src/block_cipher.c
--- a/tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h
+++ b/tf-psa-crypto/drivers/builtin/src/block_cipher_internal.h
--- a/tf-psa-crypto/drivers/builtin/src/bn_mul.h
+++ b/tf-psa-crypto/drivers/builtin/src/bn_mul.h
--- a/tf-psa-crypto/drivers/builtin/src/camellia.c
+++ b/tf-psa-crypto/drivers/builtin/src/camellia.c
--- a/tf-psa-crypto/drivers/builtin/src/ccm.c
+++ b/tf-psa-crypto/drivers/builtin/src/ccm.c
--- a/Show More
+++ b/Show More
		`@ -1 +1 @@`
			`Subproject commit 8853c8471200e62448413d1f40d6801a19796a83`				`Subproject commit 9eeacb7125d6630a11e29d8a7aab5873b3638b6d`