diff --git a/modules/trusted-firmware-m/Kconfig b/modules/trusted-firmware-m/Kconfig index 27b2f12713d1..907eb81b9751 100644 --- a/modules/trusted-firmware-m/Kconfig +++ b/modules/trusted-firmware-m/Kconfig @@ -188,7 +188,7 @@ config TFM_ITS_VALIDATE_METADATA_FROM_FLASH Validate filesystem metadata every time it is read from flash config TFM_ITS_MAX_ASSET_SIZE - range 512 4096 + range 256 4096 default 512 help The maximum asset size to be stored in the Internal Trusted Storage. The maximum value diff --git a/scripts/quarantine_zephyr.yaml b/scripts/quarantine_zephyr.yaml index 2df12188610c..e93d461d748a 100644 --- a/scripts/quarantine_zephyr.yaml +++ b/scripts/quarantine_zephyr.yaml @@ -251,14 +251,6 @@ - qemu_cortex_m3/ti_lm3s6965 comment: "https://nordicsemi.atlassian.net/browse/NCSDK-31671" -- scenarios: - - secure_storage.psa.its.secure_storage.* - - sample.psa.persistent_key.secure_storage.entropy_driver - - secure_storage.psa.crypto.secure_storage - platforms: - - native_sim/native - comment: "https://nordicsemi.atlassian.net/browse/NCSDK-31681" - - scenarios: - init.check_init_priorities - shell.device_filter @@ -438,12 +430,7 @@ - net.http.server.crime - drivers.gpio.build - sample.perf - - sample.psa.its.secure_storage.entropy_not_secure - - sample.psa.persistent_key.secure_storage.entropy_not_secure - - secure_storage.psa.crypto.secure_storage - - secure_storage.psa.its.secure_storage.custom.both - - secure_storage.psa.its.secure_storage.custom.store - - secure_storage.psa.its.secure_storage.store.settings + - .*secure_storage.* platforms: - nrf54h20dk@0.9.0/nrf54h20/cpuppr comment: "region RAM/FLASH overflowed" @@ -496,7 +483,7 @@ - sample.shell.shell_module - sample.shell.shell_module.getopt - sample.shell.shell_module.login - - secure_storage.psa.its.secure_storage.custom.store + - .*secure_storage.* platforms: - nrf54l15dk/nrf54l15/cpuflpr comment: "region RAM/FLASH overflowed" 
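Review bot: The pattern `.*secure_storage.*` in the nrf54h20dk cpuppr entry is unanchored and replaces six named scenarios, so it quarantines every scenario whose id contains secure_storage on that platform, including any added later. The same pattern is introduced in the nrf54l15dk cpuflpr entry and in the qemu_cortex_m3 / mps2 entry (hunk at -535), where it widens the earlier `secure_storage.psa.its.secure_storage.*` to the crypto and sample scenarios as well. For the two "region RAM/FLASH overflowed" entries the reason plausibly applies to all matches, but the comment of the third entry lies outside its hunk, so confirm that it also covers the newly matched scenarios. If only the existing families are meant, narrower patterns such as `secure_storage\..*` and `sample\.psa\..*secure_storage.*` would keep new secure-storage tests from being silently excluded from CI.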
@@ -535,7 +522,7 @@ comment: "Unsupported device" - scenarios: - - secure_storage.psa.its.secure_storage.* + - .*secure_storage.* platforms: - qemu_cortex_m3/ti_lm3s6965 - mps2/an521/cpu0 diff --git a/subsys/nrf_security/Kconfig.psa.nordic b/subsys/nrf_security/Kconfig.psa.nordic index 7a456d2ca358..503a6e489282 100644 --- a/subsys/nrf_security/Kconfig.psa.nordic +++ b/subsys/nrf_security/Kconfig.psa.nordic @@ -219,6 +219,42 @@ config PSA_WANT_ALG_XTS bool "PSA XTS block cipher mode support" if !PSA_PROMPTLESS default y if PSA_CRYPTO_ENABLE_ALL +config PSA_WANT_ALG_ECB_NO_PADDING + bool "PSA ECB support" if !PSA_PROMPTLESS + default y if PSA_CRYPTO_ENABLE_ALL + default y if MBEDTLS_BUILTIN && !MBEDTLS_FORCE_LEGACY_CIPHER && \ + PSA_WANT_KEY_TYPE_AES && (PSA_WANT_ALG_GCM || PSA_WANT_ALG_CCM) + +config PSA_WANT_ALG_CHACHA20 + bool "PSA CHACHA20 stream cipher support" if !PSA_PROMPTLESS + default y if PSA_CRYPTO_ENABLE_ALL + +config PSA_WANT_ALG_SHAKE256_512 + bool "PSA SHAKE256 512 bits support" if !PSA_PROMPTLESS + default y if PSA_CRYPTO_ENABLE_ALL + +config PSA_WANT_ALG_AES_KW + bool "AES key wrap support (NIST-SP-800-38F and RFC3394)" if !MBEDTLS_PROMPTLESS + select EXPERIMENTAL + +config PSA_WANT_ALG_AES_KWP + bool "AES key wrap support (NIST-SP-800-38F and RFC5649)" if !MBEDTLS_PROMPTLESS + select EXPERIMENTAL + +config PSA_WANT_ALG_WPA3_SAE_PT + bool "WPA3-SAE-PT support" if !MBEDTLS_PROMPTLESS + select EXPERIMENTAL + +config PSA_WANT_ALG_WPA3_SAE + bool "WPA3-SAE support" if !MBEDTLS_PROMPTLESS + select EXPERIMENTAL + +config PSA_WANT_ALG_SP800_108_COUNTER_CMAC + bool "NIST SP 800-108 conformant CMAC based KDF" if !MBEDTLS_PROMPTLESS + +config PSA_WANT_ALG_SP800_108_COUNTER_HMAC + bool "NIST SP 800-108 conformant HMAC based KDF" if !MBEDTLS_PROMPTLESS + comment "Nordic added ECC curve types" config PSA_WANT_ECC_BRAINPOOL_P_R1_160 
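Review bot: `PSA_WANT_ALG_ECB_NO_PADDING` now defaults to y whenever the builtin Mbed TLS path has AES together with GCM or CCM, but the new entry has no `help` text saying why. ECB reveals which plaintext blocks are equal, so an option that enables it implicitly deserves an explanation of its purpose. I would add a help along the lines of `Raw AES-ECB. Enabled by default only because the builtin GCM/CCM code needs it as a block primitive; not intended for encrypting application data directly.`, with the wording confirmed by the author since the reason is inferred from the default expression. Separately, the moved AES_KW, AES_KWP, WPA3_SAE and SP800_108 entries keep `if !MBEDTLS_PROMPTLESS` while their new neighbours use `if !PSA_PROMPTLESS`; the move is a good moment to confirm which symbol is intended.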
@@ -298,36 +334,6 @@ config PSA_WANT_ECC_SECT_R2_163 config PSA_WANT_ECC_FRP_V1_256 bool "PSA ECC FRP256v1 support" if !PSA_PROMPTLESS -config PSA_WANT_ALG_CHACHA20 - bool "PSA CHACHA20 stream cipher support" if !PSA_PROMPTLESS - default y if PSA_CRYPTO_ENABLE_ALL - -config PSA_WANT_ALG_SHAKE256_512 - bool "PSA SHAKE256 512 bits support" if !PSA_PROMPTLESS - default y if PSA_CRYPTO_ENABLE_ALL - -config PSA_WANT_ALG_AES_KW - bool "AES key wrap support (NIST-SP-800-38F and RFC3394)" if !MBEDTLS_PROMPTLESS - select EXPERIMENTAL - -config PSA_WANT_ALG_AES_KWP - bool "AES key wrap support (NIST-SP-800-38F and RFC5649)" if !MBEDTLS_PROMPTLESS - select EXPERIMENTAL - -config PSA_WANT_ALG_WPA3_SAE_PT - bool "WPA3-SAE-PT support" if !MBEDTLS_PROMPTLESS - select EXPERIMENTAL - -config PSA_WANT_ALG_WPA3_SAE - bool "WPA3-SAE support" if !MBEDTLS_PROMPTLESS - select EXPERIMENTAL - -config PSA_WANT_ALG_SP800_108_COUNTER_CMAC - bool "NIST SP 800-108 conformant CMAC based KDF" if !MBEDTLS_PROMPTLESS - -config PSA_WANT_ALG_SP800_108_COUNTER_HMAC - bool "NIST SP 800-108 conformant HMAC based KDF" if !MBEDTLS_PROMPTLESS - comment "Nordic addded RNG configuration" config PSA_WANT_GENERATE_RANDOM diff --git a/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt b/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt index 50702f72589d..35eb09401597 100644 --- a/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt +++ b/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt @@ -40,6 +40,11 @@ target_compile_options(oberon_psa_core -Wno-strict-aliasing ) +target_compile_definitions(oberon_psa_core + PRIVATE + BUILDING_MBEDTLS_CRYPTO +) + target_link_libraries(oberon_psa_core PRIVATE psa_crypto_library_config @@ -53,4 +58,3 @@ target_link_libraries(${mbedcrypto_target} PRIVATE oberon_psa_core ) - diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/aead.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/aead.c index fb8e76629e04..5b5768bd9ba4 100644 
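Review bot: The new `BUILDING_MBEDTLS_CRYPTO` definition on oberon_psa_core has no comment explaining what it switches on in the headers or why this target needs it. The same commit moves the mbedtls revision in west.yml, so it presumably tracks a change there, but that link is not visible from the CMake file. A one-line comment above the call, for example `# Needed by the mbedtls headers at the pinned revision when compiling the PSA core` (wording to be confirmed by the author), would keep a later cleanup from dropping the define.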
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/aead.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/aead.c @@ -516,6 +516,7 @@ psa_status_t cracen_aead_update(cracen_aead_operation_t *operation, const uint8_ * of AD buffered before creating/verifying the tag */ if (input_length == 0) { + *output_length = 0; return PSA_SUCCESS; } diff --git a/west.yml b/west.yml index 280f57e5da32..c89fa84185e0 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: c9113a87822e123bd287568c957d92b35502e5d1 + revision: bd1cf27b22f1003d58ecf4af81961722e1eb9949 import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above @@ -136,7 +136,7 @@ manifest: - name: mbedtls path: modules/crypto/mbedtls repo-path: sdk-mbedtls - revision: v3.6.2-ncs2 + revision: f109c9bac0bdb9699854e88a9c14772cbbdffb4f - name: oberon-psa-crypto path: modules/crypto/oberon-psa-crypto repo-path: sdk-oberon-psa-crypto
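Review bot: `*output_length` is written only on the `input_length == 0` early return, so any other return in cracen_aead_update that comes before the normal assignment may still leave it unset. The function body starts and ends outside this hunk, so this cannot be confirmed from here. A caller that trusts an unwritten length can end up treating stale output-buffer bytes as valid data. I would set `*output_length = 0;` once at the top of the function and let the success path overwrite it, rather than patching individual branches.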