diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index e81ff513a8..67db68da56 100644
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -1,5 +1,10 @@
-execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
+execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE everest_result)
+execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED RESULT_VARIABLE p256m_result)
 
-if(${result} EQUAL 0)
+if(${everest_result} EQUAL 0)
     add_subdirectory(everest)
 endif()
+
+if(${p256m_result} EQUAL 0)
+    add_subdirectory(p256-m)
+endif()
diff --git a/3rdparty/Makefile.inc b/3rdparty/Makefile.inc
index ea100f40f1..80dc126923 100644
--- a/3rdparty/Makefile.inc
+++ b/3rdparty/Makefile.inc
@@ -1,3 +1,3 @@
-THIRDPARTY_DIR = $(dir $(lastword $(MAKEFILE_LIST)))
+THIRDPARTY_DIR = $(dir $(word 2, $(MAKEFILE_LIST)))
 include $(THIRDPARTY_DIR)/everest/Makefile.inc
-include ../3rdparty/p256-m/Makefile.inc
+include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
diff --git a/3rdparty/p256-m/CMakeLists.txt b/3rdparty/p256-m/CMakeLists.txt
new file mode 100644
index 0000000000..64d0d0f7ff
--- /dev/null
+++ b/3rdparty/p256-m/CMakeLists.txt
@@ -0,0 +1,25 @@
+add_library(p256m
+    p256-m_driver_entrypoints.c
+    p256-m/p256-m.c)
+
+target_include_directories(p256m
+  PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
+         $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
+         $<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
+         $<INSTALL_INTERFACE:include>
+  PRIVATE ${MBEDTLS_DIR}/library/)
+
+if(INSTALL_MBEDTLS_HEADERS)
+
+  install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
+    DESTINATION include
+    FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+    DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+    FILES_MATCHING PATTERN "*.h")
+
+endif(INSTALL_MBEDTLS_HEADERS)
+
+install(TARGETS p256m
+EXPORT MbedTLSTargets
+DESTINATION ${CMAKE_INSTALL_LIBDIR}
+PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
\ No newline at end of file
diff --git a/3rdparty/p256-m/p256-m/p256-m.c b/3rdparty/p256-m/p256-m/p256-m.c
index 0360ea2470..abb9ab4ab6 100644
--- a/3rdparty/p256-m/p256-m/p256-m.c
+++ b/3rdparty/p256-m/p256-m/p256-m.c
@@ -11,6 +11,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#if defined (MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
+
 /*
  * Zeroize memory - this should not be optimized away
  */
@@ -1464,3 +1466,5 @@ int p256_ecdsa_verify(const uint8_t sig[64], const uint8_t pub[64],
 
     return P256_INVALID_SIGNATURE;
 }
+
+#endif
diff --git a/3rdparty/p256-m/p256-m_driver_entrypoints.c b/3rdparty/p256-m/p256-m_driver_entrypoints.c
index 4324858378..8df640cba8 100644
--- a/3rdparty/p256-m/p256-m_driver_entrypoints.c
+++ b/3rdparty/p256-m/p256-m_driver_entrypoints.c
@@ -23,6 +23,7 @@
 #include "p256-m/p256-m.h"
 #include "psa/crypto.h"
 #include "psa_crypto_driver_wrappers.h"
+#include <stddef.h>
 
 #if defined(MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED)
 
@@ -66,11 +67,7 @@ psa_status_t p256_transparent_generate_key(
      *  keys. Allocate a buffer to which the public key will be written. The
      *  private key will be written to key_buffer, which is passed to this
      *  function as an argument. */
-    uint8_t *public_key_buffer = NULL;
-    public_key_buffer = mbedtls_calloc(1, 64);
-    if (public_key_buffer == NULL) {
-        return PSA_ERROR_INSUFFICIENT_MEMORY;
-    }
+    uint8_t public_key_buffer[64];
 
     status = p256_to_psa_error(
         p256_gen_keypair(key_buffer, public_key_buffer));
@@ -78,12 +75,6 @@ psa_status_t p256_transparent_generate_key(
         *key_buffer_length = 32;
     }
 
-    /*
-     *  The storage format for a SECP256R1 keypair is just the private key, so
-     *  the public key does not need to be passed back to the caller. Therefore
-     *  the buffer containing it can be freed. */
-    free(public_key_buffer);
-
     return status;
 }
 
@@ -190,18 +181,14 @@ psa_status_t p256_transparent_verify_hash(
     (void) alg;
 
     psa_status_t status;
-    uint8_t *public_key_buffer = NULL;
+    uint8_t public_key_buffer[65];
     size_t public_key_buffer_size = 65;
-    public_key_buffer = mbedtls_calloc(1, public_key_buffer_size);
-    if (public_key_buffer == NULL) {
-        return PSA_ERROR_INSUFFICIENT_MEMORY;
-    }
-    size_t *public_key_length = NULL;
-    public_key_length = mbedtls_calloc(1, sizeof(size_t));
-    if (public_key_length == NULL) {
-        return PSA_ERROR_INSUFFICIENT_MEMORY;
-    }
-    *public_key_length = 65;
+
+    size_t public_key_length = 65;
+    /* As p256-m doesn't require dynamic allocation, we want to avoid it in
+     * the entrypoint functions as well. psa_driver_wrapper_export_public_key()
+     * requires size_t*, so we use a pointer to a stack variable. */
+    size_t *public_key_length_ptr = &public_key_length;
 
     /*  The contents of key_buffer may either be the 32 byte private key
      *  (keypair representation), or the 65 byte public key. To ensure the
@@ -212,7 +199,7 @@ psa_status_t p256_transparent_verify_hash(
         key_buffer_size,
         public_key_buffer,
         public_key_buffer_size,
-        public_key_length);
+        public_key_length_ptr);
     if (status != PSA_SUCCESS) {
         goto exit;
     }
@@ -226,8 +213,6 @@ psa_status_t p256_transparent_verify_hash(
         signature_length);
 
 exit:
-    free(public_key_buffer);
-    free(public_key_length);
     return status;
 }
 
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5359883032..a992d8a71a 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -272,6 +272,10 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
         target_link_libraries(${mbedcrypto_static_target} PUBLIC everest)
     endif()
 
+    if(TARGET p256m)
+        target_link_libraries(${mbedcrypto_static_target} PUBLIC p256m)
+    endif()
+
     add_library(${mbedx509_static_target} STATIC ${src_x509})
     set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
     target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
@@ -291,6 +295,10 @@ if(USE_SHARED_MBEDTLS_LIBRARY)
         target_link_libraries(${mbedcrypto_target} PUBLIC everest)
     endif()
 
+    if(TARGET p256m)
+        target_link_libraries(${mbedcrypto_target} PUBLIC p256m)
+    endif()
+
     add_library(${mbedx509_target} SHARED ${src_x509})
     set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.4.0 SOVERSION 5)
     target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})