diff --git a/framework b/framework index 820a16cca7..92f5d45b22 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 820a16cca705c6842a5a79332c6d40644008c814 +Subproject commit 92f5d45b2293363952bdbe28a7b2fcfe4a0d163a diff --git a/library/.gitignore b/library/.gitignore index 9794129d94..92a33de2bc 100644 --- a/library/.gitignore +++ b/library/.gitignore @@ -4,6 +4,9 @@ libmbed* ###START_GENERATED_FILES### /error.c +/mbedtls_config_check_before.h +/mbedtls_config_check_final.h +/mbedtls_config_check_user.h /version_features.c /ssl_debug_helpers_generated.c ###END_GENERATED_FILES### diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 5b8dc80b53..063703bfe8 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -73,6 +73,27 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt ) + execute_process( + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + --list-for-cmake "${CMAKE_CURRENT_BINARY_DIR}" + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + OUTPUT_VARIABLE + MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS) + + add_custom_command( + OUTPUT ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS} + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + ${CMAKE_CURRENT_BINARY_DIR} + DEPENDS + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/config_checks_generator.py + ) + add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c @@ -89,6 +110,7 @@ if(GEN_FILES) add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/error.c + ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS} ) add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target diff --git a/library/Makefile b/library/Makefile index f8729344b4..21f85b67d9 100644 --- a/library/Makefile +++ b/library/Makefile 
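Review bot: In library/CMakeLists.txt the new `execute_process` call ignores the script's exit status. If `generate_config_checks.py --list-for-cmake` fails at configure time (no usable Python, framework submodule not checked out), `MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS` is left empty, and both the `add_custom_command(OUTPUT ...)` below it and the `DEPENDS` entry added in the `@@ -89,6 +110,7 @@` hunk are built from an empty list. Judging by the script added in this commit, these headers carry the checks that reject removed options, so a failure here should stop configuration with a clear message. Capture the status with `RESULT_VARIABLE` and abort on non-zero; `OUTPUT_STRIP_TRAILING_WHITESPACE` is worth adding too if the script ends its output with a newline, which is not visible here. Separately, the `add_custom_command` passes `${CMAKE_CURRENT_BINARY_DIR}` unquoted and without `VERBATIM`, unlike the quoted form in the `execute_process` call; the enclosing `if(GEN_FILES)` block starts and ends outside the hunk.

```cmake
execute_process(
    # … unchanged: COMMAND and WORKING_DIRECTORY arguments …
    OUTPUT_VARIABLE
        MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS
    RESULT_VARIABLE
        config_checks_list_result
    OUTPUT_STRIP_TRAILING_WHITESPACE)
if(NOT config_checks_list_result EQUAL 0)
    message(FATAL_ERROR
            "generate_config_checks.py --list-for-cmake failed: ${config_checks_list_result}")
endif()
```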
@@ -5,12 +5,24 @@ endif TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src +# List the generated files without running a script, so that this +# works with no tooling dependencies when GEN_FILES is disabled. GENERATED_FILES := \ + mbedtls_config_check_before.h \ + mbedtls_config_check_final.h \ + mbedtls_config_check_user.h \ error.c \ version_features.c \ - ssl_debug_helpers_generated.c \ + ssl_debug_helpers_generated.c + +# Also list the generated files from crypto that are needed in the build, +# because we don't have the list in a consumable form. +GENERATED_FILES += \ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES))) ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) 
@@ -326,6 +338,24 @@ $(GENERATED_WRAPPER_FILES): $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h +GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .) +$(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + ../framework/scripts/mbedtls_framework/config_checks_generator.py +$(GENERATED_CONFIG_CHECK_FILES): + echo " Gen $(GENERATED_CONFIG_CHECK_FILES)" + $(PYTHON) ../scripts/generate_config_checks.py + +TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + --list $(TF_PSA_CRYPTO_CORE_PATH)) +$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ + ../scripts/generate_config_checks.py \ + ../framework/scripts/mbedtls_framework/config_checks_generator.py +$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): + echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)" + $(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py + clean: ifndef WINDOWS rm -f *.o *.s libmbed* diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py new file mode 100755 index 0000000000..b0dc26b191 --- /dev/null +++ b/scripts/generate_config_checks.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python3 + +"""Generate C preprocessor code to check for bad configurations. +""" + +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework.config_checks_generator import * \ + #pylint: disable=wildcard-import,unused-wildcard-import + +MBEDTLS_CHECKS = BranchData( + header_directory='library', + header_prefix='mbedtls_', + project_cpp_prefix='MBEDTLS', + checkers=[ + Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'), + Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'), + ], +) + +if __name__ == '__main__': + main(MBEDTLS_CHECKS) 
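Review bot: The script prerequisites of the two new rules in library/Makefile look swapped. `$(GENERATED_CONFIG_CHECK_FILES)` is regenerated by `../scripts/generate_config_checks.py` but lists `$(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py` as its prerequisite, and `$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)` has the reverse. As written, editing the checker list in one script does not rebuild that script's own headers, so a stale header can keep accepting a configuration the updated checks were meant to reject. Each rule should name the script its recipe runs: `../scripts/generate_config_checks.py \` in the first prerequisite list and `$(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \` in the second. Also, both `$(shell $(PYTHON) ... --list ...)` values are expanded when the rule targets are parsed, so Python appears to run even when `GEN_FILES` is disabled, which sits oddly with the "no tooling dependencies" comment in the first hunk of this file; a guard on `GEN_FILES` would avoid that, unless one exists outside the hunk.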
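Review bot: In scripts/generate_config_checks.py the wildcard import hides where `BranchData`, `Removed` and `main` come from and needs two pylint suppressions to pass. Those are the only three names this file uses, so `from mbedtls_framework.config_checks_generator import BranchData, Removed, main` would make the dependency explicit and let the `wildcard-import,unused-wildcard-import` disable go. The module docstring could also say how the build invokes the script: the Makefile and CMake changes in this commit call it with `--list`, `--list-for-cmake` and an optional output directory. It is also worth stating that `header_directory='library'` is a relative path, presumably resolved against the source root by the framework code, which is not visible here.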
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 4cc5bb4295..9a43f3fe86 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 4cc5bb429554ba14e36163ff3a82bf53766f7e24
+Subproject commit 9a43f3fe868ef6da5a312a3da076b9595e02a75e