diff --git a/MAINTAINERS.yml b/MAINTAINERS.yml index 5730c61536aca..b58d1ee5ce756 100644 --- a/MAINTAINERS.yml +++ b/MAINTAINERS.yml @@ -5857,7 +5857,8 @@ West: - ithinuel files: - modules/mbedtls/ - - tests/crypto/mbedtls/ + - tests/crypto/mbedtls_psa/ + - tests/crypto/secp256r1/ - tests/benchmarks/mbedtls/ labels: - "area: mbedTLS / PSA Crypto" diff --git a/doc/releases/migration-guide-4.3.rst b/doc/releases/migration-guide-4.3.rst index fb03ee3f4a0d2..46ad5c486a72c 100644 --- a/doc/releases/migration-guide-4.3.rst +++ b/doc/releases/migration-guide-4.3.rst @@ -72,6 +72,11 @@ Comparator and :c:macro:`NRF_COMP_AIN_VDDH_DIV5` represents VDDH/5. The old ``string`` properties type is deprecated. +Crypto +====== + +* Mbed TLS shim driver now uses PSA API as backend for hash operations. + MFD === @@ -256,6 +261,19 @@ Cellular * :c:enum:`cellular_access_technology` values have been redefined to align with 3GPP TS 27.007. * :c:enum:`cellular_registration_status` values have been extended to align with 3GPP TS 27.007. +Flash Map +========= + +* ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS`` is removed. PSA API is used as default backend + for hash computations. +* :kconfig:option:`CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA` is now promptless as it's automatically + enabled as soon as :kconfig:option:`CONFIG_FLASH_AREA_CHECK_INTEGRITY` is set. + +JWT +=== + +* Kconfig option ``CONFIG_JWT_SIGN_RSA_LEGACY`` is removed. + Logging ======= @@ -274,6 +292,8 @@ MCUmgr but can still be used by enabling :kconfig:option:`CONFIG_MCUMGR_GRP_OS_INFO_HARDWARE_INFO_SHORT_HARDWARE_PLATFORM`. +* PSA API are now used by default to perform hash hash computations. + RTIO ==== @@ -303,6 +323,11 @@ Shell compatibility. (:github:`92677`). +Update Hub +========== + +* PSA API are now used by default to perform hash hash computations. + .. zephyr-keep-sorted-stop Modules 
@@ -311,6 +336,24 @@ Modules * The TinyCrypt library was removed as the upstream version is no longer maintained. PSA Crypto API is now the recommended cryptographic library for Zephyr. +* In order to prepare for the next Mbed TLS release where all legacy cryptographic + support was removed in favor of PSA API, following Kconfig symbols are + deprecated: + * :kconfig:option:`CONFIG_MBEDTLS_MD5`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_MD5`. + * :kconfig:option:`CONFIG_MBEDTLS_SHA1`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_1`. + * :kconfig:option:`CONFIG_MBEDTLS_SHA224`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_224`. + * :kconfig:option:`CONFIG_MBEDTLS_SHA256`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_256`. + * :kconfig:option:`CONFIG_MBEDTLS_SHA384`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_384`. + * :kconfig:option:`CONFIG_MBEDTLS_SHA512`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_512`. + * :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED`. Switch to + :kconfig:option:`CONFIG_PSA_WANT_ALG_HASH_ALL`. + Silabs ====== diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig index 5f3c74ee77f14..f83a6c2b5912b 100644 --- a/drivers/crypto/Kconfig +++ b/drivers/crypto/Kconfig @@ -24,8 +24,9 @@ source "subsys/logging/Kconfig.template.log_config" config CRYPTO_MBEDTLS_SHIM bool "MbedTLS shim driver [EXPERIMENTAL]" select MBEDTLS + select MBEDTLS_PSA_CRYPTO_C + select PSA_WANT_ALG_SHA_256 select MBEDTLS_ENABLE_HEAP - select MBEDTLS_SHA512 select MBEDTLS_CIPHER_AES_ENABLED select EXPERIMENTAL help diff --git a/drivers/crypto/crypto_mtls_shim.c b/drivers/crypto/crypto_mtls_shim.c index 2031e7d7c987b..21e7146923a19 100644 --- a/drivers/crypto/crypto_mtls_shim.c +++ b/drivers/crypto/crypto_mtls_shim.c @@ -26,8 +26,7 @@ #endif #include -#include -#include +#include #define MTLS_SUPPORT (CAP_RAW_KEY | CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS | \ CAP_NO_IV_PREFIX) 
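Review bot: In the drivers/crypto/Kconfig hunk, `CRYPTO_MBEDTLS_SHIM` now selects only `PSA_WANT_ALG_SHA_256`, while the shim's session setup in this same commit still accepts SHA-224, SHA-384 and SHA-512. With `select MBEDTLS_SHA512` dropped, sessions for those algorithms will presumably fail in `psa_hash_setup()` unless the application enables the matching `PSA_WANT_ALG_*` option itself. Either add `select PSA_WANT_ALG_SHA_224`, `select PSA_WANT_ALG_SHA_384` and `select PSA_WANT_ALG_SHA_512` here, or say in the help text that only SHA-256 is enabled by default.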
@@ -43,13 +42,12 @@ struct mtls_shim_session { mbedtls_gcm_context mtls_gcm; #endif mbedtls_aes_context mtls_aes; - mbedtls_sha256_context mtls_sha256; - mbedtls_sha512_context mtls_sha512; + psa_hash_operation_t hash_op; }; bool in_use; union { enum cipher_mode mode; - enum hash_algo algo; + psa_algorithm_t psa_alg; }; }; 
@@ -462,60 +460,17 @@ static int mtls_session_free(const struct device *dev, struct cipher_ctx *ctx) return 0; } -static int mtls_sha256_compute(struct hash_ctx *ctx, struct hash_pkt *pkt, - bool finish) +static int mtls_hash_compute(struct hash_ctx *ctx, struct hash_pkt *pkt, bool finish) { - int ret; - mbedtls_sha256_context *sha256_ctx = MTLS_GET_CTX(ctx, sha256); - - - if (!ctx->started) { - ret = mbedtls_sha256_starts(sha256_ctx, - MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA224); - if (ret != 0) { - LOG_ERR("Could not compute the hash"); - return -EINVAL; - } - ctx->started = true; - } - - ret = mbedtls_sha256_update(sha256_ctx, pkt->in_buf, pkt->in_len); - if (ret != 0) { - LOG_ERR("Could not update the hash"); - ctx->started = false; - return -EINVAL; - } - - if (finish) { - ctx->started = false; - ret = mbedtls_sha256_finish(sha256_ctx, pkt->out_buf); - if (ret != 0) { - LOG_ERR("Could not compute the hash"); - return -EINVAL; - } - } - - return 0; -} - -static int mtls_sha512_compute(struct hash_ctx *ctx, struct hash_pkt *pkt, - bool finish) -{ - int ret; - mbedtls_sha512_context *sha512_ctx = MTLS_GET_CTX(ctx, sha512); + struct mtls_shim_session *mtls_session = + (struct mtls_shim_session *)ctx->drv_sessn_state; + size_t hash_out_len; if (!ctx->started) { - ret = mbedtls_sha512_starts(sha512_ctx, - MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA384); - if (ret != 0) { - LOG_ERR("Could not compute the hash"); - return -EINVAL; - } ctx->started = true; } - ret = mbedtls_sha512_update(sha512_ctx, pkt->in_buf, pkt->in_len); - if (ret != 0) { + if (psa_hash_update(&mtls_session->hash_op, pkt->in_buf, pkt->in_len) != PSA_SUCCESS) { LOG_ERR("Could not update the hash"); ctx->started = false; return -EINVAL; 
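Review bot: In `mtls_hash_compute()` the `if (!ctx->started)` branch only sets the flag and no longer starts a hash, so a session cannot be reused after `finish`. The old handlers called `mbedtls_sha*_starts()` there; a PSA hash operation is inactive after `psa_hash_finish()`, so the next `psa_hash_update()` on the same session will be rejected. A failed `psa_hash_update()` also leaves the operation in an error state that is not cleared here. Consider moving the setup out of `mtls_hash_session_setup()` into this branch as `if (psa_hash_setup(&mtls_session->hash_op, mtls_session->psa_alg) != PSA_SUCCESS) { return -EIO; }`, and calling `psa_hash_abort(&mtls_session->hash_op);` on the update error path. The function body continues in the next hunk.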
@@ -523,8 +478,13 @@ static int mtls_sha512_compute(struct hash_ctx *ctx, struct hash_pkt *pkt, if (finish) { ctx->started = false; - ret = mbedtls_sha512_finish(sha512_ctx, pkt->out_buf); - if (ret != 0) { + /* Here Zephyr API assume that the output buffer is large enough to + * contain all data, but there's no way to check this. This may lead + * to buffer overrun... + */ + if (psa_hash_finish(&mtls_session->hash_op, pkt->out_buf, + PSA_HASH_LENGTH(mtls_session->psa_alg), + &hash_out_len) != PSA_SUCCESS) { LOG_ERR("Could not compute the hash"); return -EINVAL; } @@ -537,6 +497,7 @@ static int mtls_hash_session_setup(const struct device *dev, struct hash_ctx *ctx, enum hash_algo algo) { + struct mtls_shim_session *mtls_session; int ctx_idx; if (ctx->flags & ~(MTLS_SUPPORT)) { 
@@ -544,36 +505,41 @@ static int mtls_hash_session_setup(const struct device *dev, return -EINVAL; } - if ((algo != CRYPTO_HASH_ALGO_SHA224) && - (algo != CRYPTO_HASH_ALGO_SHA256) && - (algo != CRYPTO_HASH_ALGO_SHA384) && - (algo != CRYPTO_HASH_ALGO_SHA512)) { - LOG_ERR("Unsupported algo: %d", algo); - return -EINVAL; - } - ctx_idx = mtls_get_unused_session_index(); if (ctx_idx < 0) { LOG_ERR("No free session for now"); return -ENOSPC; } - mtls_sessions[ctx_idx].algo = algo; - ctx->drv_sessn_state = &mtls_sessions[ctx_idx]; - ctx->started = false; + mtls_session = &mtls_sessions[ctx_idx]; + mtls_session->hash_op = psa_hash_operation_init(); + switch (algo) { + case CRYPTO_HASH_ALGO_SHA224: + mtls_session->psa_alg = PSA_ALG_SHA_224; + break; + case CRYPTO_HASH_ALGO_SHA256: + mtls_session->psa_alg = PSA_ALG_SHA_256; + break; + case CRYPTO_HASH_ALGO_SHA384: + mtls_session->psa_alg = PSA_ALG_SHA_384; + break; + case CRYPTO_HASH_ALGO_SHA512: + mtls_session->psa_alg = PSA_ALG_SHA_512; + break; + default: + LOG_ERR("Unsupported algo: %d", algo); + return -EINVAL; + } - if ((algo == CRYPTO_HASH_ALGO_SHA224) || - (algo == CRYPTO_HASH_ALGO_SHA256)) { - mbedtls_sha256_context *sha256_ctx = - &mtls_sessions[ctx_idx].mtls_sha256; - mbedtls_sha256_init(sha256_ctx); - ctx->hash_hndlr = mtls_sha256_compute; - } else { - mbedtls_sha512_context *sha512_ctx = - &mtls_sessions[ctx_idx].mtls_sha512; - mbedtls_sha512_init(sha512_ctx); - ctx->hash_hndlr = mtls_sha512_compute; + if (psa_hash_setup(mtls_session->hash_op, mtls_session->psa_alg) != PSA_SUCCESS) { + LOG_ERR("PSA hash operation setup failed"); + return -EIO; } + mtls_session->in_use = true; + + ctx->hash_hndlr = mtls_hash_compute; + ctx->drv_sessn_state = mtls_session; + ctx->started = false; return 0; } 
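Review bot: `psa_hash_setup(mtls_session->hash_op, mtls_session->psa_alg)` passes the operation struct by value, but the PSA call takes a pointer, so it should read `psa_hash_setup(&mtls_session->hash_op, mtls_session->psa_alg)`. The same applies to `psa_hash_abort(mtls_session->hash_op)` in the `mtls_hash_session_free()` hunk. Separately, the algorithm check now runs after `mtls_get_unused_session_index()`. If that helper already reserves the slot (its body is not visible here), the `default:` and setup-failure returns leak a session; validating `algo` before taking the index, as the removed code did, avoids that.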
@@ -583,10 +549,9 @@ static int mtls_hash_session_free(const struct device *dev, struct hash_ctx *ctx struct mtls_shim_session *mtls_session = (struct mtls_shim_session *)ctx->drv_sessn_state; - if (mtls_session->algo == CRYPTO_HASH_ALGO_SHA256) { - mbedtls_sha256_free(&mtls_session->mtls_sha256); - } else { - mbedtls_sha512_free(&mtls_session->mtls_sha512); + if (psa_hash_abort(mtls_session->hash_op) != PSA_SUCCESS) { + LOG_ERR("PSA hash abort failed"); + return -EIO; } mtls_session->in_use = false; diff --git a/lib/uuid/Kconfig b/lib/uuid/Kconfig index 927d8af2ddbaa..8e1be8ff51106 100644 --- a/lib/uuid/Kconfig +++ b/lib/uuid/Kconfig @@ -23,8 +23,8 @@ config UUID_V5 select EXPERIMENTAL depends on UUID depends on MBEDTLS - depends on MBEDTLS_MD - depends on MBEDTLS_SHA1 + depends on MBEDTLS_PSA_CRYPTO_C + depends on PSA_WANT_ALG_SHA_1 # When TF-M is enabled, Mbed TLS's MD module (which is used to generate # v5 UUIDs) will dispacth hash operations to TF-M. Unfortunately TF-M # does not support SHA-1 (because it's a weak algorithm) so the diff --git a/lib/uuid/uuid.c b/lib/uuid/uuid.c index 091e76ec786f4..8826c002a02d1 100644 --- a/lib/uuid/uuid.c +++ b/lib/uuid/uuid.c @@ -15,7 +15,7 @@ #endif #if defined(CONFIG_UUID_V5) -#include +#include #endif #if defined(CONFIG_UUID_BASE64) 
@@ -82,54 +82,34 @@ int uuid_generate_v4(struct uuid *out) int uuid_generate_v5(const struct uuid *ns, const void *data, size_t data_size, struct uuid *out) { + uint8_t sha_result[PSA_HASH_LENGTH(PSA_ALG_SHA_1)]; + size_t sha_len = 0; + psa_operation_t hash_operation = PSA_HASH_OPERATION_INIT; + psa_status_t status; + int ret = 0; + if (out == NULL) { return -EINVAL; } - int ret = 0; - int mbedtls_err = 0; - mbedtls_md_context_t ctx = {0}; - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); - const size_t sha_1_bytes = 20; - uint8_t sha_result[sha_1_bytes]; - - mbedtls_md_init(&ctx); - mbedtls_err = mbedtls_md_setup(&ctx, md_info, 0); - /* Might return: MBEDTLS_ERR_MD_BAD_INPUT_DATA or MBEDTLS_ERR_MD_ALLOC_FAILED */ - switch (mbedtls_err) { - case 0: - break; - case MBEDTLS_ERR_MD_BAD_INPUT_DATA: - ret = -EINVAL; - goto exit; - case MBEDTLS_ERR_MD_ALLOC_FAILED: - ret = -ENOMEM; - goto exit; - default: - ret = -ENOTSUP; - goto exit; - } - mbedtls_err = mbedtls_md_starts(&ctx); - if (mbedtls_err != 0) { - /* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */ - ret = -EINVAL; + + status = psa_hash_operation_setup(&hash_operation, PSA_ALG_SHA1); + if (status != PSA_SUCCESS) { goto exit; } - mbedtls_err = mbedtls_md_update(&ctx, ns->val, UUID_SIZE); - if (mbedtls_err != 0) { - /* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */ - ret = -EINVAL; + + status = psa_hash_operation_update(&hash_operation, ns->val, UUID_SIZE); + if (status != PSA_SUCCESS) { goto exit; } - mbedtls_err = mbedtls_md_update(&ctx, data, data_size); - if (mbedtls_err != 0) { - /* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */ - ret = -EINVAL; + + status = psa_hash_operation_update(&hash_operation, data, data_size); + if (status != PSA_SUCCESS) { goto exit; } - mbedtls_err = mbedtls_md_finish(&ctx, sha_result); - if (mbedtls_err != 0) { - /* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */ - ret = -EINVAL; + + status = psa_hash_operation_finish(&hash_operation, sha_result, + 
sizeof(sha_result), &sha_len); + if (status != PSA_SUCCESS) { goto exit; } @@ -141,8 +121,9 @@ int uuid_generate_v5(const struct uuid *ns, const void *data, size_t data_size, overwrite_uuid_version_and_variant(UUID_V5_VERSION, UUID_V5_VARIANT, out); exit: - mbedtls_md_free(&ctx); - return ret; + psa_hash_abort(&hash_operation); + + return -EINVAL; } #endif diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index b29f76079e27c..9cab606a208c8 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -167,13 +167,14 @@ choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT bool "Crypto Mbedtls alt support for WiFi" select MBEDTLS + select MBEDTLS_PSA_CRYPTO_C select MBEDTLS_CIPHER_MODE_CTR_ENABLED select MBEDTLS_CIPHER_MODE_CBC_ENABLED select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_CIPHER_DES_ENABLED - select MBEDTLS_MD5 - select MBEDTLS_SHA1 - select MBEDTLS_SHA384 + select PSA_WANT_ALG_MD5 + select PSA_WANT_ALG_SHA_1 + select PSA_WANT_ALG_SHA_384 select MBEDTLS_ENTROPY_C select MBEDTLS_CIPHER select MBEDTLS_ECP_C diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig index bf165473f17f2..96d176c1ebde0 100644 --- a/modules/mbedtls/Kconfig +++ b/modules/mbedtls/Kconfig @@ -62,6 +62,7 @@ config MBEDTLS_CFG_FILE alternative config. rsource "Kconfig.mbedtls" +rsource "Kconfig.deprecated" config MBEDTLS_SSL_MAX_CONTENT_LEN int "Max payload size for TLS protocol message" diff --git a/modules/mbedtls/Kconfig.deprecated b/modules/mbedtls/Kconfig.deprecated new file mode 100644 index 0000000000000..2fa5c9b91a6ac --- /dev/null +++ b/modules/mbedtls/Kconfig.deprecated 
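Review bot: Several identifiers in the new `uuid_generate_v5()` body are not PSA Crypto names, so this will not build: `psa_operation_t`, `psa_hash_operation_setup()`, `psa_hash_operation_update()`, `psa_hash_operation_finish()` and `PSA_ALG_SHA1`. The declaration should be `psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;`, the calls should be `psa_hash_setup()`, `psa_hash_update()` and `psa_hash_finish()`, and the algorithm should be `PSA_ALG_SHA_1`, as already used in `PSA_HASH_LENGTH(PSA_ALG_SHA_1)` a few lines above. `ns` is still dereferenced without a NULL check, although `out` is checked.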
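Review bot: The `exit:` label now ends in an unconditional `return -EINVAL;`, and the success path falls through to it, so `uuid_generate_v5()` reports failure even when the hash succeeded. `ret` is declared but never used. Return the outcome instead, e.g. `return (status == PSA_SUCCESS) ? 0 : -EINVAL;`, or set `ret = -EINVAL;` before each `goto exit` and keep `return ret;`. The previous distinction between `-ENOMEM` and `-ENOTSUP` is also gone; if callers rely on it, map `PSA_ERROR_INSUFFICIENT_MEMORY` and `PSA_ERROR_NOT_SUPPORTED` explicitly.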
@@ -0,0 +1,59 @@ +# Copyright (c) 2025 BayLibre SAS + +# SPDX-License-Identifier: Apache-2.0 + +config MBEDTLS_MD5 + bool "MD5 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_SHA1 + bool "SHA-1 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_SHA224 + bool "SHA-224 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_SHA256 + bool "SHA-256 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_SHA384 + bool "SHA-384 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_SHA512 + bool "SHA-512 hash algorithm" + select DEPRECATED + help + Legacy crypto support is going to be removed starting from the next + Mbed TLS release. Please switch to PSA API. + +config MBEDTLS_HASH_ALL_ENABLED + bool "All available MAC methods" + select MBEDTLS_MD5 + select MBEDTLS_SHA1 + select MBEDTLS_SHA224 + select MBEDTLS_SHA256 + select MBEDTLS_SHA384 + select MBEDTLS_SHA512 + select MBEDTLS_POLY1305 + help + Enables all legacy hash crypto support which is going to be removed + staring from the next Mbed TLS release. Please switch to + PSA_WANT_ALG_HASH_ALL instead. diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls index 4a71ec4961421..04f9edaa9aeb6 100644 --- a/modules/mbedtls/Kconfig.mbedtls +++ b/modules/mbedtls/Kconfig.mbedtls 
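Review bot: The relocated `MBEDTLS_SHA256` symbol loses the `default y` it had in Kconfig.mbedtls, visible in the removal hunk for that file. Configurations that relied on SHA-256 being enabled implicitly will no longer get it unless they set `CONFIG_PSA_WANT_ALG_SHA_256`, and the migration guide entry does not mention this. Consider documenting the default change there. `MBEDTLS_HASH_ALL_ENABLED` is listed as deprecated in the guide but only inherits `DEPRECATED` through the symbols it selects; an explicit `select DEPRECATED` would match the other entries.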
@@ -330,43 +330,14 @@ config MBEDTLS_CMAC comment "Supported hash algorithms" -config MBEDTLS_HASH_ALL_ENABLED - bool "All available MAC methods" - select MBEDTLS_MD5 - select MBEDTLS_SHA1 - select MBEDTLS_SHA224 - select MBEDTLS_SHA256 - select MBEDTLS_SHA384 - select MBEDTLS_SHA512 - select MBEDTLS_POLY1305 - -config MBEDTLS_MD5 - bool "MD5 hash algorithm" - -config MBEDTLS_SHA1 - bool "SHA-1 hash algorithm" - -config MBEDTLS_SHA224 - bool "SHA-224 hash algorithm" - -config MBEDTLS_SHA256 - bool "SHA-256 hash algorithm" - default y - config MBEDTLS_SHA256_SMALLER bool "Smaller SHA-256 implementation" - depends on MBEDTLS_SHA256 + depends on MBEDTLS_SHA256 || PSA_WANT_ALG_SHA_256 default y help Enable an implementation of SHA-256 that has a smaller ROM footprint but also lower performance. -config MBEDTLS_SHA384 - bool "SHA-384 hash algorithm" - -config MBEDTLS_SHA512 - bool "SHA-512 hash algorithm" - config MBEDTLS_POLY1305 bool "Poly1305 hash family" @@ -603,7 +574,6 @@ config MBEDTLS_PSA_CRYPTO_CLIENT config MBEDTLS_LMS bool "Support LMS signature schemes" depends on MBEDTLS_PSA_CRYPTO_CLIENT - depends on MBEDTLS_SHA256 select PSA_WANT_ALG_SHA_256 if MBEDTLS_PSA_CRYPTO_C diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic index dcea9e3540527..ee424b17eb178 100644 --- a/modules/mbedtls/Kconfig.psa.logic +++ b/modules/mbedtls/Kconfig.psa.logic @@ -25,3 +25,12 @@ config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \ PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \ PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE + +config PSA_WANT_ALG_HASH_ALL + bool "All hash algorithms" + imply PSA_WANT_ALG_MD5 + imply PSA_WANT_ALG_SHA_1 + imply PSA_WANT_ALG_SHA_224 + imply PSA_WANT_ALG_SHA_256 + imply PSA_WANT_ALG_SHA_384 + imply PSA_WANT_ALG_SHA_512 diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig index 02a997028db40..c725ba9e60fa9 100644 --- a/modules/openthread/Kconfig 
+++ b/modules/openthread/Kconfig @@ -170,11 +170,11 @@ endchoice config OPENTHREAD_MBEDTLS bool + select OPENTHREAD_CRYPTO_PSA select MBEDTLS select MBEDTLS_ENABLE_HEAP select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_CIPHER_CCM_ENABLED - select MBEDTLS_SHA256 select MBEDTLS_ENTROPY_C select MBEDTLS_CMAC select MBEDTLS_CIPHER @@ -319,8 +319,8 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE the radio has hardware support for this feature (IEEE802154_HW_CSMA). config OPENTHREAD_CRYPTO_PSA - bool "ARM PSA crypto API" - depends on MBEDTLS_PSA_CRYPTO_CLIENT + bool + select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE help diff --git a/samples/net/cloud/mqtt_azure/prj.conf b/samples/net/cloud/mqtt_azure/prj.conf index 87fce73d774b1..415181362cb32 100644 --- a/samples/net/cloud/mqtt_azure/prj.conf +++ b/samples/net/cloud/mqtt_azure/prj.conf @@ -33,8 +33,8 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=100000 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y -CONFIG_MBEDTLS_SHA1=y -CONFIG_MBEDTLS_SHA384=y +CONFIG_PSA_WANT_ALG_SHA_1=y +CONFIG_PSA_WANT_ALG_SHA_384=y CONFIG_MBEDTLS_RSA_C=y CONFIG_MBEDTLS_PKCS1_V15=y CONFIG_MBEDTLS_PKCS1_V21=y diff --git a/samples/net/sockets/big_http_download/overlay-tls.conf b/samples/net/sockets/big_http_download/overlay-tls.conf index 78d1a7cef13b1..6f4422126ee35 100644 --- a/samples/net/sockets/big_http_download/overlay-tls.conf +++ b/samples/net/sockets/big_http_download/overlay-tls.conf @@ -8,6 +8,8 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=65000 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_256=y CONFIG_NET_SOCKETS_SOCKOPT_TLS=y 
diff --git a/samples/net/sockets/big_http_download/src/big_http_download.c b/samples/net/sockets/big_http_download/src/big_http_download.c index c6430861f9e46..5c5224cf0b7ad 100644 --- a/samples/net/sockets/big_http_download/src/big_http_download.c +++ b/samples/net/sockets/big_http_download/src/big_http_download.c @@ -11,7 +11,7 @@ #include #include -#include "mbedtls/md.h" +#include "psa/crypto.h" #if !defined(__ZEPHYR__) || defined(CONFIG_POSIX_API) @@ -79,8 +79,8 @@ const char *port; const char *uri_path = ""; static char response[1024]; static char response_hash[32]; -mbedtls_md_context_t hash_ctx; -const mbedtls_md_info_t *hash_info; +size_t response_hash_len; +psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT; unsigned int cur_bytes; void dump_addrinfo(const struct addrinfo *ai) @@ -256,6 +256,7 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect) struct timeval timeout = { .tv_sec = 5 }; + psa_status_t status; cur_bytes = 0U; *redirect = false; @@ -313,8 +314,6 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect) goto error; } - mbedtls_md_starts(&hash_ctx); - while (1) { int len = recv(sock, response, sizeof(response) - 1, 0); @@ -332,7 +331,11 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect) break; } - mbedtls_md_update(&hash_ctx, response, len); + status = psa_hash_update(&hash_op, response, len); + if (status != PSA_SUCCESS) { + printf("Error: psa_hash_update() failed\n"); + goto error; + } cur_bytes += len; printf("Download progress: %u Bytes; %u KiB; %u MiB\r", 
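Review bot: The per-download `mbedtls_md_starts(&hash_ctx)` is removed from `download()` without a PSA replacement, and `psa_hash_setup()` is called only once in `main()`. After the first `psa_hash_finish()` the operation is inactive, so if `download()` runs again (a later iteration or a redirect; the loop is outside these hunks), `psa_hash_update()` will fail and no digest will be produced for that transfer. A download that bails out through `goto error` would also leave partial data in the active operation. Call `psa_hash_setup(&hash_op, PSA_ALG_SHA_256)` where `mbedtls_md_starts()` used to be, and add `psa_hash_abort(&hash_op);` on the error path.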
@@ -344,14 +347,17 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect) printf("\n"); - mbedtls_md_finish(&hash_ctx, response_hash); + status = psa_hash_finish(&hash_op, response_hash, sizeof(response_hash), response_hash_len); + if (status != PSA_SUCCESS) { + printf("Error: psa_hash_finish() failed\n"); + goto error; + } printf("Hash: "); - print_hex(response_hash, mbedtls_md_get_size(hash_info)); + print_hex(response_hash, response_hash_len); printf("\n"); - if (memcmp(response_hash, download_hash, - mbedtls_md_get_size(hash_info)) != 0) { + if (memcmp(response_hash, download_hash, response_hash_len) != 0) { printf("HASH MISMATCH!\n"); } @@ -372,6 +378,7 @@ int main(void) bool is_tls = false; unsigned int num_iterations = NUM_ITER; bool redirect = false; + psa_status_t status; #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) for (int i = 0; i < ARRAY_SIZE(ca_certificates); i++) { @@ -449,14 +456,9 @@ int main(void) dump_addrinfo(res); - hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); - if (!hash_info) { - fatal("Unable to request hash type from mbedTLS"); - } - - mbedtls_md_init(&hash_ctx); - if (mbedtls_md_setup(&hash_ctx, hash_info, 0) < 0) { - fatal("Can't setup mbedTLS hash engine"); + status = psa_hash_setup(&hash_op, PSA_ALG_SHA_256); + if (status != PSA_SUCCESS) { + fatal("Hash operation setup failed"); } const uint32_t total_iterations = num_iterations; @@ -484,7 +486,7 @@ int main(void) printf("Finished downloading.\n"); - mbedtls_md_free(&hash_ctx); + psa_hash_abort(&hash_op); freeaddrinfo(res); return 0; diff --git a/samples/net/sockets/http_get/overlay-tls.conf b/samples/net/sockets/http_get/overlay-tls.conf index 70da57986639c..f4b6be045b8f6 100644 --- a/samples/net/sockets/http_get/overlay-tls.conf +++ b/samples/net/sockets/http_get/overlay-tls.conf 
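Review bot: `psa_hash_finish(&hash_op, response_hash, sizeof(response_hash), response_hash_len)` passes the length by value where the API expects a `size_t *` output. It should be `psa_hash_finish(&hash_op, response_hash, sizeof(response_hash), &response_hash_len);`. Otherwise `response_hash_len` is never written, and the following `print_hex()` and `memcmp()` would use a zero length, making the comparison with `download_hash` vacuous.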
@@ -2,11 +2,12 @@ CONFIG_MAIN_STACK_SIZE=4096 # TLS configuration CONFIG_MBEDTLS=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_BUILTIN=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=60000 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168 -CONFIG_MBEDTLS_HASH_ALL_ENABLED=y +CONFIG_PSA_WANT_ALG_HASH_ALL=y CONFIG_MBEDTLS_CMAC=y CONFIG_NET_SOCKETS_SOCKOPT_TLS=y diff --git a/samples/subsys/uuid/prj.conf b/samples/subsys/uuid/prj.conf index e68bba789fbcf..3db888b9f805e 100644 --- a/samples/subsys/uuid/prj.conf +++ b/samples/subsys/uuid/prj.conf @@ -6,8 +6,8 @@ CONFIG_UUID_BASE64=y CONFIG_ENTROPY_GENERATOR=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_MD=y -CONFIG_MBEDTLS_SHA1=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_1=y CONFIG_BASE64=y CONFIG_LOG=y diff --git a/subsys/jwt/CMakeLists.txt b/subsys/jwt/CMakeLists.txt index 6bc93cd92b8c1..f7bd4bb66f994 100644 --- a/subsys/jwt/CMakeLists.txt +++ b/subsys/jwt/CMakeLists.txt @@ -2,11 +2,6 @@ zephyr_library() zephyr_library_sources(jwt.c) - -zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_RSA_LEGACY jwt_legacy_rsa.c) - -if (CONFIG_JWT_SIGN_RSA_PSA OR CONFIG_JWT_SIGN_ECDSA_PSA) - zephyr_library_sources(jwt_psa.c) -endif() +zephyr_library_sources(jwt_psa.c) zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig index 052908a777545..5d917f4324e46 100644 --- a/subsys/jwt/Kconfig +++ b/subsys/jwt/Kconfig @@ -16,16 +16,6 @@ choice help Select which algorithm to use for signing JWT tokens. -config JWT_SIGN_RSA_LEGACY - bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library." - depends on CSPRNG_AVAILABLE - select MBEDTLS - select MBEDTLS_MD - select MBEDTLS_RSA_C - select MBEDTLS_PKCS1_V15 - select MBEDTLS_PKCS1_V21 - select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - config JWT_SIGN_RSA_PSA bool "Use RSA signature (RS-256). Use PSA Crypto API." select MBEDTLS if !BUILD_WITH_TFM 
diff --git a/subsys/jwt/jwt_legacy_rsa.c b/subsys/jwt/jwt_legacy_rsa.c deleted file mode 100644 index 2eb0adc0ede9f..0000000000000 --- a/subsys/jwt/jwt_legacy_rsa.c +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (C) 2024 BayLibre SAS - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include -#include - -#include -#include - -#include -#include -#include -#include - -#include "jwt.h" - -static int csprng_wrapper(void *ctx, unsigned char *dest, size_t size) -{ - ARG_UNUSED(ctx); - - return sys_csrand_get((void *)dest, size); -} - -int jwt_sign_impl(struct jwt_builder *builder, const unsigned char *der_key, size_t der_key_len, - unsigned char *sig, size_t sig_size) -{ - int res; - mbedtls_pk_context ctx; - size_t sig_len_out; - - mbedtls_pk_init(&ctx); - - res = mbedtls_pk_parse_key(&ctx, der_key, der_key_len, NULL, 0, csprng_wrapper, NULL); - if (res != 0) { - return res; - } - - uint8_t hash[32]; - - /* - * The '0' indicates to mbedtls to do a SHA256, instead of - * 224. - */ - res = mbedtls_sha256(builder->base, builder->buf - builder->base, hash, 0); - if (res != 0) { - return res; - } - - res = mbedtls_pk_sign(&ctx, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_size, - &sig_len_out, csprng_wrapper, NULL); - return res; -} diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt b/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt index 234d6693972f7..ed48353d5c078 100644 --- a/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt +++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt 
@@ -14,10 +14,8 @@ zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH src/fs_mgmt_hash zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 src/fs_mgmt_hash_checksum_crc32.c) zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_HASH_SHA256 src/fs_mgmt_hash_checksum_sha256.c) -if(CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH AND CONFIG_MCUMGR_GRP_FS_HASH_SHA256) - if(CONFIG_MBEDTLS_SHA256) - zephyr_library_link_libraries(mbedTLS) - endif() +if(CONFIG_MCUMGR_GRP_FS_HASH_SHA256 AND NOT CONFIG_BUILD_WITH_TFM) + zephyr_library_link_libraries(mbedTLS) endif() zephyr_library_include_directories(include) diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig index 5be0ab44efd38..6d504f13c8003 100644 --- a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig +++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig @@ -125,8 +125,7 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 config MCUMGR_GRP_FS_HASH_SHA256 bool "SHA256 hash support" - depends on BUILD_WITH_TFM || MBEDTLS_SHA256 - select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM + select PSA_WANT_ALG_SHA_256 help Enable SHA256 hash support for MCUmgr. diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c b/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c index 5005067f38c16..d2bf375325da1 100644 --- a/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c +++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c @@ -13,18 +13,10 @@ #include #include -#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT #include typedef psa_hash_operation_t hash_ctx_t; #define SUCCESS_VALUE PSA_SUCCESS -#else -#include -typedef mbedtls_sha256_context hash_ctx_t; -#define SUCCESS_VALUE 0 - -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */ - #define SHA256_DIGEST_SIZE 32 /* The API that the different hash implementations provide further down. */ 
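Review bot: `MCUMGR_GRP_FS_HASH_SHA256` now only has `select PSA_WANT_ALG_SHA_256` and no longer depends on a crypto provider, while the CMake hunk links `mbedTLS` whenever TF-M is not used. Nothing visible here enables `MBEDTLS` or `MBEDTLS_PSA_CRYPTO_C` for the non-TF-M case, so a configuration could select the option without a PSA implementation behind it. Other symbols in this commit add `select MBEDTLS_PSA_CRYPTO_C`; consider `select MBEDTLS if !BUILD_WITH_TFM` and `select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM` here, or restore a `depends on` for the provider.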
@@ -99,8 +91,6 @@ void fs_mgmt_hash_checksum_unregister_sha256(void) fs_mgmt_hash_checksum_unregister_group(&sha256); } -#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT - static int hash_setup(psa_hash_operation_t *ctx) { *ctx = psa_hash_operation_init(); @@ -120,25 +110,3 @@ static void hash_teardown(psa_hash_operation_t *ctx) { psa_hash_abort(ctx); } - -#else - -static int hash_setup(mbedtls_sha256_context *ctx) -{ - mbedtls_sha256_init(ctx); - return mbedtls_sha256_starts(ctx, false); -} -static int hash_update(mbedtls_sha256_context *ctx, const uint8_t *input, size_t ilen) -{ - return mbedtls_sha256_update(ctx, input, ilen); -} -static int hash_finish(mbedtls_sha256_context *ctx, uint8_t *output) -{ - return mbedtls_sha256_finish(ctx, output); -} -static void hash_teardown(mbedtls_sha256_context *ctx) -{ - mbedtls_sha256_free(ctx); -} - -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */ diff --git a/subsys/mgmt/updatehub/Kconfig b/subsys/mgmt/updatehub/Kconfig index eb19b6442edc3..762ca7963ebf5 100644 --- a/subsys/mgmt/updatehub/Kconfig +++ b/subsys/mgmt/updatehub/Kconfig @@ -17,8 +17,8 @@ menuconfig UPDATEHUB select REQUIRES_FULL_LIBC select IMG_ENABLE_IMAGE_CHECK select MPU_ALLOW_FLASH_WRITE + select PSA_WANT_ALG_SHA_256 select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_SHA256 if !PSA_CRYPTO_CLIENT help UpdateHub is an enterprise-grade solution which makes simple to remotely update all your embedded devices in the field. It diff --git a/subsys/mgmt/updatehub/updatehub_integrity.c b/subsys/mgmt/updatehub/updatehub_integrity.c index dcebcf6d39d61..a736c0aaf7b5c 100644 --- a/subsys/mgmt/updatehub/updatehub_integrity.c +++ b/subsys/mgmt/updatehub/updatehub_integrity.c @@ -9,12 +9,6 @@ LOG_MODULE_DECLARE(updatehub, CONFIG_UPDATEHUB_LOG_LEVEL); #include "updatehub_integrity.h" -#if defined(CONFIG_PSA_CRYPTO_CLIENT) -#define SUCCESS_VALUE PSA_SUCCESS -#else -#define SUCCESS_VALUE 0 -#endif - int updatehub_integrity_init(updatehub_crypto_context_t *ctx) { int ret; 
@@ -24,14 +18,9 @@ int updatehub_integrity_init(updatehub_crypto_context_t *ctx) return -EINVAL; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) *ctx = psa_hash_operation_init(); ret = psa_hash_setup(ctx, PSA_ALG_SHA_256); -#else - mbedtls_sha256_init(ctx); - ret = mbedtls_sha256_starts(ctx, false); -#endif - if (ret != SUCCESS_VALUE) { + if (ret != PSA_SUCCESS) { LOG_DBG("Failed to %s SHA-256 operation. (%d)", "set up", ret); return -EFAULT; } @@ -53,19 +42,9 @@ int updatehub_integrity_update(updatehub_crypto_context_t *ctx, return 0; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) ret = psa_hash_update(ctx, buffer, len); if (ret != PSA_SUCCESS) { psa_hash_abort(ctx); - } -#else - ret = mbedtls_sha256_update(ctx, buffer, len); - if (ret != 0) { - mbedtls_sha256_free(ctx); - } -#endif - - if (ret != SUCCESS_VALUE) { LOG_DBG("Failed to %s SHA-256 operation. (%d)", "update", ret); return -EFAULT; } @@ -76,6 +55,7 @@ int updatehub_integrity_update(updatehub_crypto_context_t *ctx, int updatehub_integrity_finish(updatehub_crypto_context_t *ctx, uint8_t *hash, const uint32_t size) { + size_t hash_len; int ret; if (ctx == NULL || hash == NULL) { @@ -87,19 +67,10 @@ int updatehub_integrity_finish(updatehub_crypto_context_t *ctx, return -EINVAL; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) - size_t hash_len; - ret = psa_hash_finish(ctx, hash, size, &hash_len); if (ret != PSA_SUCCESS) { - psa_hash_abort(ctx); - } -#else - ret = mbedtls_sha256_finish(ctx, hash); - mbedtls_sha256_free(ctx); -#endif - if (ret != SUCCESS_VALUE) { LOG_DBG("Failed to %s SHA-256 operation. (%d)", "finish", ret); + psa_hash_abort(ctx); return -EFAULT; } diff --git a/subsys/mgmt/updatehub/updatehub_integrity.h b/subsys/mgmt/updatehub/updatehub_integrity.h index dcec7ecdb286c..2b15a80356a8f 100644 --- a/subsys/mgmt/updatehub/updatehub_integrity.h +++ b/subsys/mgmt/updatehub/updatehub_integrity.h 
@@ -20,11 +20,7 @@ extern "C" { #define SHA256_BIN_DIGEST_SIZE (32) #define SHA256_HEX_DIGEST_SIZE ((SHA256_BIN_DIGEST_SIZE * 2) + 1) -#if defined(CONFIG_PSA_CRYPTO_CLIENT) typedef psa_hash_operation_t updatehub_crypto_context_t; -#else -typedef mbedtls_sha256_context updatehub_crypto_context_t; -#endif int updatehub_integrity_init(updatehub_crypto_context_t *ctx); int updatehub_integrity_update(updatehub_crypto_context_t *ctx, diff --git a/subsys/net/ip/Kconfig.ipv6 b/subsys/net/ip/Kconfig.ipv6 index 945438dbc0feb..2d05087d956c5 100644 --- a/subsys/net/ip/Kconfig.ipv6 +++ b/subsys/net/ip/Kconfig.ipv6 @@ -224,7 +224,10 @@ config NET_IPV6_IID_EUI_64 config NET_IPV6_IID_STABLE bool "Generate stable IID [EXPERIMENTAL]" select MBEDTLS - select MBEDTLS_MD + select MBEDTLS_PSA_CRYPTO_C + select PSA_WANT_KEY_TYPE_HMAC + select PSA_WANT_ALG_HMAC + select PSA_WANT_ALG_SHA_256 select EXPERIMENTAL depends on !NET_6LO help @@ -246,7 +249,10 @@ endchoice config NET_IPV6_PE bool "Privacy extension (RFC 8981) support [EXPERIMENTAL]" select MBEDTLS - select MBEDTLS_MD + select MBEDTLS_PSA_CRYPTO_C + select PSA_WANT_KEY_TYPE_HMAC + select PSA_WANT_ALG_HMAC + select PSA_WANT_ALG_SHA_256 select EXPERIMENTAL select NET_MGMT select NET_MGMT_EVENT diff --git a/subsys/net/ip/ipv6.c b/subsys/net/ip/ipv6.c index e481f2ed84208..4fcd6a088a340 100644 --- a/subsys/net/ip/ipv6.c +++ b/subsys/net/ip/ipv6.c @@ -21,7 +21,7 @@ LOG_MODULE_REGISTER(net_ipv6, CONFIG_NET_IPV6_LOG_LEVEL); #if defined(CONFIG_NET_IPV6_IID_STABLE) #include -#include +#include #endif /* CONFIG_NET_IPV6_IID_STABLE */ #include 
@@ -875,9 +875,12 @@ static int gen_stable_iid(uint8_t if_index, size_t stable_iid_len) { #if defined(CONFIG_NET_IPV6_IID_STABLE) - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); - mbedtls_md_context_t ctx; + psa_key_id_t key_id = PSA_KEY_ID_NULL; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + psa_mac_operation_t mac_op = PSA_MAC_OPERATION_INIT; + psa_status_t status; uint8_t digest[32]; + size_t digest_len; int ret; static bool once; static uint8_t secret_key[16]; /* Min 128 bits, RFC 7217 ch 5 */ @@ -909,27 +912,29 @@ static int gen_stable_iid(uint8_t if_index, once = true; } - mbedtls_md_init(&ctx); - ret = mbedtls_md_setup(&ctx, md_info, true); - if (ret != 0) { - NET_DBG("Cannot %s hmac (%d)", "setup", ret); + psa_set_key_type(&key_attr, PSA_KEY_TYPE_HMAC); + psa_set_key_algorithm(&key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE); + status = psa_import_key(&key_attr, secret_key, sizeof(secret_key), &key_id); + if (status != PSA_SUCCESS) { + NET_DBG("Cannot %s hmac (%d)", "import key", ret); goto err; } - ret = mbedtls_md_hmac_starts(&ctx, secret_key, sizeof(secret_key)); - if (ret != 0) { - NET_DBG("Cannot %s hmac (%d)", "start", ret); + status = psa_mac_sign_setup(&mac_op, key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + if (status != PSA_SUCCESS) { + NET_DBG("Cannot %s hmac (%d)", "setup", ret); goto err; } - ret = mbedtls_md_hmac_update(&ctx, (uint8_t *)&buf, sizeof(buf)); - if (ret != 0) { + status = psa_mac_update(&mac_op, (uint8_t *)&buf, sizeof(buf)); + if (status != PSA_SUCCESS) { NET_DBG("Cannot %s hmac (%d)", "update", ret); goto err; } - ret = mbedtls_md_hmac_finish(&ctx, digest); - if (ret != 0) { + status = psa_mac_sign_finish(&mac_op, digest, sizeof(digest), &digest_len); + if (status != PSA_SUCCESS) { NET_DBG("Cannot %s hmac (%d)", "finish", ret); goto err; } 
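Review bot: The four failure branches in gen_stable_iid() test `status` but log `ret`, and none of them assigns `ret` before `goto err`, although the function ends with `return ret;` and `int ret;` is declared without an initialiser. Unless `ret` is set in lines outside these hunks, a failed import, setup, update or finish returns an indeterminate value, possibly 0, and the caller would then use an IID built from a digest that was never written. Log the PSA code and set an errno before each jump, e.g. `NET_DBG("Cannot %s hmac (%d)", "import key", status); ret = -EIO;`, and set `ret = 0;` after psa_mac_sign_finish() succeeds. The same pattern is in gen_temporary_iid() in subsys/net/ip/ipv6_pe.c (hunk @@ -255).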
@@ -945,7 +950,8 @@ static int gen_stable_iid(uint8_t if_index, } err: - mbedtls_md_free(&ctx); + psa_mac_abort(&mac_op); + psa_destroy_key(&key_id); return ret; #else diff --git a/subsys/net/ip/ipv6_pe.c b/subsys/net/ip/ipv6_pe.c index bb03683db39f9..f9e50e6b8da8d 100644 --- a/subsys/net/ip/ipv6_pe.c +++ b/subsys/net/ip/ipv6_pe.c @@ -18,7 +18,7 @@ LOG_MODULE_REGISTER(net_ipv6_pe, CONFIG_NET_IPV6_PE_LOG_LEVEL); #include #include -#include +#include #include #include @@ -223,9 +223,12 @@ static int gen_temporary_iid(struct net_if *iface, uint8_t *temporary_iid, size_t temporary_iid_len) { - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); - mbedtls_md_context_t ctx; + psa_key_id_t key_id = PSA_KEY_ID_NULL; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + psa_mac_operation_t mac_op = PSA_MAC_OPERATION_INIT; + psa_status_t status; uint8_t digest[32]; + size_t digest_len; int ret; static bool once; static uint8_t secret_key[16]; /* Min 128 bits, RFC 8981 ch 3.3.2 */ 
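Review bot: `psa_destroy_key(&key_id);` at the `err:` label passes the address of the identifier, but psa_destroy_key() takes the key id by value, so the line should be `psa_destroy_key(key_id);`. As written the imported HMAC key is presumably never destroyed, so each call can leave a volatile key slot holding a copy of `secret_key` until later imports fail; the compiler should also warn about the pointer-to-integer conversion. The same line is added in gen_temporary_iid() (hunk @@ -283 of subsys/net/ip/ipv6_pe.c). The body of gen_stable_iid() starts outside this hunk.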
@@ -255,27 +258,29 @@ static int gen_temporary_iid(struct net_if *iface, once = true; } - mbedtls_md_init(&ctx); - ret = mbedtls_md_setup(&ctx, md_info, true); - if (ret != 0) { - NET_DBG("Cannot %s hmac (%d)", "setup", ret); + psa_set_key_type(&key_attr, PSA_KEY_TYPE_HMAC); + psa_set_key_algorithm(&key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE); + status = psa_import_key(&key_attr, secret_key, sizeof(secret_key), &key_id); + if (status != PSA_SUCCESS) { + NET_DBG("Cannot %s hmac (%d)", "import key", ret); goto err; } - ret = mbedtls_md_hmac_starts(&ctx, secret_key, sizeof(secret_key)); - if (ret != 0) { - NET_DBG("Cannot %s hmac (%d)", "start", ret); + status = psa_mac_sign_setup(&mac_op, key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + if (status != PSA_SUCCESS) { + NET_DBG("Cannot %s hmac (%d)", "setup", ret); goto err; } - ret = mbedtls_md_hmac_update(&ctx, (uint8_t *)&buf, sizeof(buf)); - if (ret != 0) { + status = psa_mac_update(&mac_op, (uint8_t *)&buf, sizeof(buf)); + if (status != PSA_SUCCESS) { NET_DBG("Cannot %s hmac (%d)", "update", ret); goto err; } - ret = mbedtls_md_hmac_finish(&ctx, digest); - if (ret != 0) { + status = psa_mac_sign_finish(&mac_op, digest, sizeof(digest), &digest_len); + if (status != PSA_SUCCESS) { NET_DBG("Cannot %s hmac (%d)", "finish", ret); goto err; } @@ -283,7 +288,8 @@ static int gen_temporary_iid(struct net_if *iface, memcpy(temporary_iid, digest, MIN(sizeof(digest), temporary_iid_len)); err: - mbedtls_md_free(&ctx); + psa_mac_abort(&mac_op); + psa_destroy_key(&key_id); return ret; } diff --git a/subsys/net/lib/http/http_server_ws.c b/subsys/net/lib/http/http_server_ws.c index 0eee1e020034d..410272549d0da 100644 --- a/subsys/net/lib/http/http_server_ws.c +++ b/subsys/net/lib/http/http_server_ws.c @@ -15,7 +15,7 @@ #include #include #include -#include +#include #include LOG_MODULE_DECLARE(net_http_server, CONFIG_NET_HTTP_SERVER_LOG_LEVEL); 
@@ -39,10 +39,12 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client) "Upgrade: websocket\r\n" "Sec-WebSocket-Accept: "; char key_accept[HTTP_SERVER_WS_MAX_SEC_KEY_LEN + sizeof(WS_MAGIC)]; - char accept[20]; + char accept[PSA_HASH_LENGTH(PSA_ALG_SHA_1)]; + size_t accept_len; char tmp[64]; size_t key_len; size_t olen; + psa_status_t status; int ret; key_len = MIN(sizeof(key_accept) - 1, sizeof(client->ws_sec_key)); @@ -52,7 +54,12 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client) olen = MIN(sizeof(key_accept) - 1 - key_len, sizeof(WS_MAGIC) - 1); strncpy(key_accept + key_len, WS_MAGIC, olen); - mbedtls_sha1(key_accept, olen + key_len, accept); + status = psa_hash_compute(PSA_ALG_SHA_1, key_accept, olen + key_len, + accept, sizeof(accept), &accept_len); + if (status != PSA_SUCCESS) { + NET_DBG("SHA1 failed (%d)", status); + goto error; + }; ret = base64_encode(tmp, sizeof(tmp) - 1, &olen, accept, sizeof(accept)); if (ret) { diff --git a/subsys/net/lib/websocket/Kconfig b/subsys/net/lib/websocket/Kconfig index 457cbc0c42b5d..a8c9ea90a10f6 100644 --- a/subsys/net/lib/websocket/Kconfig +++ b/subsys/net/lib/websocket/Kconfig @@ -7,9 +7,10 @@ config WEBSOCKET_CLIENT select HTTP_PARSER select HTTP_PARSER_URL select HTTP_CLIENT - select MBEDTLS select BASE64 - select MBEDTLS_SHA1 if MBEDTLS_BUILTIN + select MBEDTLS if !BUILD_WITH_TFM + select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_WANT_ALG_SHA_1 select EXPERIMENTAL help Enable Websocket client library. diff --git a/subsys/net/lib/websocket/websocket.c b/subsys/net/lib/websocket/websocket.c index bf395190744a2..a433188e1b42b 100644 --- a/subsys/net/lib/websocket/websocket.c +++ b/subsys/net/lib/websocket/websocket.c 
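Review bot: The new failure branch after psa_hash_compute() in the second hunk jumps to `error` without assigning `ret`, which is declared uninitialised in the first hunk. If the `error` label returns `ret` (the label is outside the hunk), the upgrade handler returns an indeterminate value when SHA-1 fails, so set it first, e.g. `ret = -EPROTO;` as websocket.c does for the same failure. The closing `};` carries a stray semicolon. `key_accept` and `accept` are `char` arrays passed where the PSA API expects `uint8_t` pointers, so casts like the `(const uint8_t *)key_accept` used in websocket.c, or `uint8_t` buffers, would avoid a pointer-sign warning.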
@@ -215,7 +215,7 @@ static int on_header_value(struct http_parser *parser, const char *at, ret = base64_encode(str, sizeof(str) - 1, &olen, ctx->sec_accept_key, - WS_SHA1_OUTPUT_LEN); + PSA_HASH_LENGTH(PSA_ALG_SHA_1)); if (ret == 0) { if (strncmp(at, str, length)) { NET_DBG("[%p] Security keys do not match " @@ -241,7 +241,8 @@ int websocket_connect(int sock, struct websocket_request *wreq, * of this function call so there is no issue even if this variable * is allocated from stack. */ - uint8_t sec_accept_key[WS_SHA1_OUTPUT_LEN]; + uint8_t sec_accept_key[PSA_HASH_LENGTH(PSA_ALG_SHA_1)]; + size_t sec_accept_key_len; struct http_parser_settings http_parser_settings; struct websocket_context *ctx; struct http_request req; @@ -289,7 +290,6 @@ int websocket_connect(int sock, struct websocket_request *wreq, ctx->http_cb = wreq->http_cb; ctx->is_client = 1; -#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)&rnd_value, sizeof(rnd_value), sec_accept_key, sizeof(sec_accept_key), &hash_length); if (psa_status != PSA_SUCCESS) { @@ -297,15 +297,6 @@ int websocket_connect(int sock, struct websocket_request *wreq, ret = -EPROTO; goto out; } -#else - ret = mbedtls_sha1((const unsigned char *)&rnd_value, sizeof(rnd_value), sec_accept_key); - if (ret != 0) { - NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret); - ret = -EPROTO; - goto out; - } -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */ - ret = base64_encode(sec_ws_key + sizeof("Sec-Websocket-Key: ") - 1, sizeof(sec_ws_key) - @@ -368,7 +359,6 @@ int websocket_connect(int sock, struct websocket_request *wreq, strncpy(key_accept + key_len, WS_MAGIC, olen); /* This SHA-1 value is then checked when we receive the response */ -#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)key_accept, olen + key_len, sec_accept_key, sizeof(sec_accept_key), &hash_length); if (psa_status != PSA_SUCCESS) { 
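Review bot: `size_t sec_accept_key_len;` is added to websocket_connect() but neither psa_hash_compute() call in the following hunks uses it, since both still store the output length in `hash_length`. Either drop the new variable or pass `&sec_accept_key_len` and remove `hash_length`. The declarations of `hash_length` and `psa_status` are outside these hunks, so confirm they are not left under the `#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT` that this commit removes from the call sites.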
@@ -376,14 +366,6 @@ int websocket_connect(int sock, struct websocket_request *wreq, ret = -EPROTO; goto out; } -#else - ret = mbedtls_sha1(key_accept, olen + key_len, sec_accept_key); - if (ret != 0) { - NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret); - ret = -EPROTO; - goto out; - } -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */ ret = http_client_req(sock, &req, timeout, ctx); if (ret < 0) { diff --git a/subsys/net/lib/websocket/websocket_internal.h b/subsys/net/lib/websocket/websocket_internal.h index 50f2fee37973f..d1065c081ecbb 100644 --- a/subsys/net/lib/websocket/websocket_internal.h +++ b/subsys/net/lib/websocket/websocket_internal.h @@ -12,8 +12,6 @@ #include -#define WS_SHA1_OUTPUT_LEN 20 - /* Min Websocket header length */ #define MIN_HEADER_LEN 2 diff --git a/subsys/storage/flash_map/Kconfig b/subsys/storage/flash_map/Kconfig index b29da6da971da..122fa13ad72a6 100644 --- a/subsys/storage/flash_map/Kconfig +++ b/subsys/storage/flash_map/Kconfig @@ -42,28 +42,11 @@ config FLASH_MAP_LABELS at runtime. The available labels will also be displayed in the flash_map list shell command. -if FLASH_AREA_CHECK_INTEGRITY - -choice FLASH_AREA_CHECK_INTEGRITY_BACKEND - prompt "Crypto backend for the flash check functions" - default FLASH_AREA_CHECK_INTEGRITY_PSA if BUILD_WITH_TFM - default FLASH_AREA_CHECK_INTEGRITY_MBEDTLS if !BUILD_WITH_TFM - config FLASH_AREA_CHECK_INTEGRITY_PSA - bool "Use PSA" + bool + depends on FLASH_AREA_CHECK_INTEGRITY select PSA_WANT_ALG_SHA_256 help Use the PSA API to perform the integrity check. -config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS - bool "Use Mbed TLS" - select MBEDTLS - select MBEDTLS_SHA256 - help - Use the Mbed TLS library to perform the integrity check. - -endchoice - -endif # FLASH_AREA_CHECK_INTEGRITY - endif diff --git a/subsys/storage/flash_map/flash_map_integrity.c b/subsys/storage/flash_map/flash_map_integrity.c index 7e512e759db26..cce9e72fc1b3a 100644 --- a/subsys/storage/flash_map/flash_map_integrity.c 
+++ b/subsys/storage/flash_map/flash_map_integrity.c @@ -32,11 +32,8 @@ int flash_area_check_int_sha256(const struct flash_area *fa, const struct flash_area_check *fac) { unsigned char hash[SHA256_DIGEST_SIZE]; -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) psa_hash_operation_t hash_ctx; -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_context hash_ctx; -#endif + size_t hash_len; int to_read; int pos; int rc; @@ -50,13 +47,8 @@ int flash_area_check_int_sha256(const struct flash_area *fa, return -EINVAL; } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) hash_ctx = psa_hash_operation_init(); rc = psa_hash_setup(&hash_ctx, PSA_ALG_SHA_256); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_init(&hash_ctx); - rc = mbedtls_sha256_starts(&hash_ctx, false); -#endif if (rc != SUCCESS_VALUE) { return -ESRCH; } 
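Review bot: The checks in flash_area_check_int_sha256() still compare against `SUCCESS_VALUE` although the Mbed TLS branch that needed a backend-neutral macro is removed; updatehub_integrity.c in this same commit switched to `PSA_SUCCESS`. Writing `if (rc != PSA_SUCCESS) {` here, and in the update and finish checks of the next hunk (@@ -74), would be consistent and would allow the macro to be deleted. The definition of `SUCCESS_VALUE` is outside these hunks, so confirm it is not under a conditional that this change makes dead.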
@@ -74,44 +66,26 @@ int flash_area_check_int_sha256(const struct flash_area *fa, goto error; } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) rc = psa_hash_update(&hash_ctx, fac->rbuf, to_read); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = mbedtls_sha256_update(&hash_ctx, fac->rbuf, to_read); -#endif if (rc != SUCCESS_VALUE) { rc = -ESRCH; goto error; } } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) - size_t hash_len; - rc = psa_hash_finish(&hash_ctx, hash, sizeof(hash), &hash_len); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = mbedtls_sha256_finish(&hash_ctx, hash); -#endif if (rc != SUCCESS_VALUE) { rc = -ESRCH; goto error; } if (memcmp(hash, fac->match, SHA256_DIGEST_SIZE)) { -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) /* The operation has already been terminated. */ return -EILSEQ; -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = -EILSEQ; - goto error; -#endif } error: -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) psa_hash_abort(&hash_ctx); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_free(&hash_ctx); -#endif + return rc; } diff --git a/tests/benchmarks/mbedtls/prj.conf b/tests/benchmarks/mbedtls/prj.conf index ffc9e160d8e57..2ab2da9fd3815 100644 --- a/tests/benchmarks/mbedtls/prj.conf +++ b/tests/benchmarks/mbedtls/prj.conf 
@@ -1,31 +1,17 @@ CONFIG_TEST=y -# Kernel options -CONFIG_MAIN_STACK_SIZE=10000 -CONFIG_ENTROPY_GENERATOR=y -CONFIG_INIT_STACKS=y - -# Logging CONFIG_PRINTK=y -CONFIG_MBEDTLS_DEBUG=y -CONFIG_MBEDTLS_LOG_LEVEL_DBG=y +CONFIG_MBEDTLS_SHA256=y -# TLS configuration CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_BUILTIN=y -CONFIG_MBEDTLS_ENABLE_HEAP=y -CONFIG_MBEDTLS_HEAP_SIZE=64000 -CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048 +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_1=y +CONFIG_PSA_WANT_ALG_SHA_224=y +CONFIG_PSA_WANT_ALG_SHA_256=y +CONFIG_PSA_WANT_ALG_SHA_384=y +CONFIG_PSA_WANT_ALG_SHA_512=y -CONFIG_MBEDTLS_TLS_VERSION_1_2=y -CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y -CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y -CONFIG_MBEDTLS_ECP_ALL_ENABLED=y -CONFIG_MBEDTLS_HASH_ALL_ENABLED=y -CONFIG_MBEDTLS_CMAC=y -CONFIG_MBEDTLS_GENPRIME_ENABLED=y -CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y -CONFIG_MBEDTLS_ECDH_C=y -CONFIG_MBEDTLS_ECDSA_C=y -CONFIG_MBEDTLS_ECJPAKE_C=y -CONFIG_MBEDTLS_ECP_C=y +CONFIG_PSA_WANT_KEY_TYPE_AES=y +CONFIG_PSA_WANT_KEY_TYPE_ARIA=y +CONFIG_PSA_WANT_KEY_TYPE_CAMELLIA=y +CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y diff --git a/tests/benchmarks/mbedtls/src/benchmark.c b/tests/benchmarks/mbedtls/src/benchmark.c index 0694eea1eee7f..14c535d79fa3f 100644 --- a/tests/benchmarks/mbedtls/src/benchmark.c +++ b/tests/benchmarks/mbedtls/src/benchmark.c 
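Review bot: `CONFIG_MBEDTLS_SHA256=y` is added here although the migration-guide entry in this same commit deprecates that symbol in favour of `CONFIG_PSA_WANT_ALG_SHA_256`, which this file also sets. Unless something outside this diff still needs the legacy option, drop the line so the benchmark does not build with a deprecated symbol. A short comment above the `CONFIG_PSA_WANT_*` lines, e.g. `# Algorithms and key types exercised by the benchmark`, would replace the section comments this hunk removes.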
@@ -1,1019 +1,141 @@ /* - * Benchmark demonstration program - * - * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) + * Copyright (C) 2025, BayLibre SAS + * SPDX-License-Identifier: Apache-2.0 */ -#if !defined(MBEDTLS_ALLOW_PRIVATE_ACCESS) -#define MBEDTLS_ALLOW_PRIVATE_ACCESS -#endif /* MBEDTLS_ALLOW_PRIVATE_ACCESS */ - -#if !defined(CONFIG_MBEDTLS_CFG_FILE) -#include "mbedtls/config.h" -#else -#include CONFIG_MBEDTLS_CFG_FILE -#endif /* CONFIG_MBEDTLS_CFG_FILE */ - -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else -#include -#define mbedtls_exit exit -#define mbedtls_printf printf -#define mbedtls_snprintf snprintf -#define mbedtls_free free -#endif - -#include -#include - -#include "mbedtls/ssl.h" -#include "mbedtls/debug.h" -#include "mbedtls/timing.h" -#include "mbedtls/md5.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/des.h" -#include "mbedtls/aes.h" -#include "mbedtls/aria.h" -#include "mbedtls/camellia.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/gcm.h" -#include "mbedtls/ccm.h" -#include "mbedtls/chachapoly.h" -#include "mbedtls/cmac.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/rsa.h" -#include 
"mbedtls/dhm.h" -#include "mbedtls/ecdsa.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/error.h" - -#include -#include -#include - +#include #include +#include -#include -#define MBEDTLS_PRINT ((int(*)(const char *, ...)) printk) - -static void my_debug(void *ctx, int level, - const char *file, int line, const char *str) -{ - const char *p, *basename; - int len; - - ARG_UNUSED(ctx); - - /* Extract basename from file */ - for (p = basename = file; *p != '\0'; p++) { - if (*p == '/' || *p == '\\') { - basename = p + 1; - } - } - - /* Avoid printing double newlines */ - len = strlen(str); - if (str[len - 1] == '\n') { - ((char *)str)[len - 1] = '\0'; - } - - mbedtls_printf("%s:%04d: |%d| %s\n", basename, line, level, str); -} - -/* mbedtls in Zephyr doesn't have timing.c implemented. So for sample - * purpose implementing necessary functions. - */ - -volatile int mbedtls_timing_alarmed; - -static struct k_work_delayable mbedtls_alarm; -static void mbedtls_alarm_timeout(struct k_work *work); - -/* Work synchronization objects must be in cache-coherent memory, - * which excludes stacks on some architectures. - */ -static struct k_work_sync work_sync; +#define BUF_SIZE 1024 +#define LABEL_FORMAT "%-24s: " -static void mbedtls_alarm_timeout(struct k_work *work) +#define TIMER_DURATION K_MSEC(1000) +#define TIMER_PERIOD TIMER_DURATION +volatile int timer_expired; +void timer_expired_callback(struct k_timer *timer) { - mbedtls_timing_alarmed = 1; -} - -void mbedtls_set_alarm(int seconds) -{ - mbedtls_timing_alarmed = 0; - - k_work_schedule(&mbedtls_alarm, K_SECONDS(seconds)); -} - -/* - * For heap usage estimates, we need an estimate of the overhead per allocated - * block. ptmalloc2/3 (used in gnu libc for instance) uses 2 size_t per block, - * so use that as our baseline. 
- */ -#define MEM_BLOCK_OVERHEAD (2 * sizeof(size_t)) - -#define BUFSIZE 1024 -#define HEADER_FORMAT " %-24s : " -#define TITLE_LEN 25 - -#define OPTIONS \ - "md5, ripemd160, sha1, sha256, sha512,\n" \ - "des3, des, camellia, chacha20,\n" \ - "aes_cbc, aes_gcm, aes_ccm, aes_ctx, chachapoly,\n" \ - "aes_cmac, des3_cmac, poly1305,\n" \ - "havege, ctr_drbg, hmac_drbg,\n" \ - "rsa, dhm, ecdsa, ecdh.\n" - -#if defined(MBEDTLS_ERROR_C) -#define PRINT_ERROR { \ - mbedtls_strerror(ret, (char *)tmp, sizeof(tmp)); \ - mbedtls_printf("FAILED: %s\n", tmp); \ - } -#else -#define PRINT_ERROR { \ - mbedtls_printf("FAILED: -0x%04x\n", -ret); \ - } -#endif - -#define TIME_AND_TSC(TITLE, CODE) \ -do { \ - unsigned long ii, jj; \ - uint32_t tsc; \ - uint64_t delta; \ - int ret = 0; \ - \ - mbedtls_printf(HEADER_FORMAT, TITLE); \ - \ - mbedtls_set_alarm(1); \ - for (ii = 1; ret == 0 && !mbedtls_timing_alarmed; ii++) { \ - ret = CODE; \ - } \ - \ - tsc = k_cycle_get_32(); \ - for (jj = 0; ret == 0 && jj < 1024; jj++) { \ - ret = CODE; \ - } \ - \ - if (ret != 0) { \ - PRINT_ERROR; \ - } \ - \ - delta = k_cycle_get_32() - tsc; \ - delta = k_cyc_to_ns_floor64(delta); \ - \ - (void)k_work_cancel_delayable_sync(&mbedtls_alarm, &work_sync);\ - \ - mbedtls_printf("%9lu KiB/s, %9lu ns/byte\n", \ - ii * BUFSIZE / 1024, \ - (unsigned long)(delta / (jj * BUFSIZE))); \ -} while (0) - -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG) - -#define MEMORY_MEASURE_INIT { \ - size_t max_used, max_blocks, max_bytes; \ - size_t prv_used, prv_blocks; \ - mbedtls_memory_buffer_alloc_cur_get(&prv_used, &prv_blocks); \ - mbedtls_memory_buffer_alloc_max_reset(); \ + timer_expired = 1; } -#define MEMORY_MEASURE_PRINT(title_len) { \ - mbedtls_memory_buffer_alloc_max_get(&max_used, &max_blocks); \ - \ - for (ii = 12 - title_len; ii != 0; ii--) { \ - mbedtls_printf(" "); \ - } \ - \ - max_used -= prv_used; \ - max_blocks -= prv_blocks; \ - max_bytes = max_used + MEM_BLOCK_OVERHEAD * 
max_blocks; \ - mbedtls_printf("%6u heap bytes", (unsigned int) max_bytes); \ -} - -#else -#define MEMORY_MEASURE_INIT -#define MEMORY_MEASURE_PRINT(title_len) -#endif - -#define TIME_PUBLIC(TITLE, TYPE, CODE) \ -do { \ - unsigned long ii; \ - int ret; \ - MEMORY_MEASURE_INIT; \ - \ - mbedtls_printf(HEADER_FORMAT, TITLE); \ - mbedtls_set_alarm(3); \ - \ - ret = 0; \ - for (ii = 1; !mbedtls_timing_alarmed && !ret ; ii++) { \ - CODE; \ - } \ - \ - if (ret != 0) { \ - PRINT_ERROR; \ - } else { \ - mbedtls_printf("%6lu " TYPE "/s", ii / 3); \ - MEMORY_MEASURE_PRINT(sizeof(TYPE) + 1); \ - mbedtls_printf("\n"); \ - } \ - \ - (void)k_work_cancel_delayable_sync(&mbedtls_alarm, &work_sync);\ +static struct k_timer timer; + +uint8_t in_buf[BUF_SIZE]; +uint8_t out_buf[BUF_SIZE]; + +#define COMPUTE_THROUGHPUT(LABEL, CODE) \ +do { \ + unsigned long i; \ + \ + printk(LABEL_FORMAT, LABEL); \ + \ + timer_expired = 0; \ + k_timer_start(&timer, TIMER_DURATION, TIMER_PERIOD); \ + for (i = 1; status == PSA_SUCCESS && !timer_expired; i++) { \ + status = CODE; \ + } \ + \ + if (status != PSA_SUCCESS) { \ + k_timer_stop(&timer); \ + printk("Fail (%d)\n", status); \ + } else { \ + printk("%lu Ki/s\n", (i * BUF_SIZE) / 1024); \ + } \ } while (0) -static int myrand(void *rng_state, unsigned char *output, size_t len) -{ - if (rng_state != NULL) { - rng_state = NULL; - } - - sys_rand_get(output, len); - - return(0); -} - -/* - * Clear some memory that was used to prepare the context - */ -#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_ALLOW_PRIVATE_ACCESS) -void ecp_clear_precomputed(mbedtls_ecp_group *grp) +static psa_status_t make_cipher_key(psa_key_type_t key_type, + psa_algorithm_t alg, + mbedtls_svc_key_id_t *key_id) { - if (grp->T != NULL) { - size_t i; + uint8_t tmp_key[32] = { 0x5 }; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - for (i = 0; i < grp->T_size; i++) { - mbedtls_ecp_point_free(&grp->T[i]); - } - - mbedtls_free(grp->T); + psa_set_key_type(&key_attr, key_type); 
+ psa_set_key_algorithm(&key_attr, alg); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_ENCRYPT); + if (psa_import_key(&key_attr, tmp_key, sizeof(tmp_key), key_id) != PSA_SUCCESS) { + printk("Key import failed\n"); + return PSA_ERROR_GENERIC_ERROR; } - grp->T = NULL; - grp->T_size = 0; + return PSA_SUCCESS; } -#else -#define ecp_clear_precomputed(g) -#endif - -unsigned char buf[BUFSIZE]; - -typedef struct { - char md5, ripemd160, sha1, sha256, sha512, des3, des, - aes_cbc, aes_gcm, aes_ccm, aes_xts, chachapoly, aes_cmac, - des3_cmac, aria, camellia, chacha20, poly1305, - havege, ctr_drbg, hmac_drbg, rsa, dhm, ecdsa, ecdh; -} todo_list; int main(void) { - mbedtls_ssl_config conf; - unsigned char tmp[200]; - char title[TITLE_LEN]; - todo_list todo; - int i; - - printk("\tMBEDTLS Benchmark sample\n"); - -#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) - mbedtls_platform_set_printf(MBEDTLS_PRINT); -#endif - mbedtls_ssl_conf_dbg(&conf, my_debug, NULL); - - k_work_init_delayable(&mbedtls_alarm, mbedtls_alarm_timeout); - memset(&todo, 1, sizeof(todo)); - - memset(buf, 0xAA, sizeof(buf)); - memset(tmp, 0xBB, sizeof(tmp)); - - -#if defined(MBEDTLS_MD5_C) - if (todo.md5) { - TIME_AND_TSC("MD5", mbedtls_md5(buf, BUFSIZE, tmp)); - } -#endif - -#if defined(MBEDTLS_RIPEMD160_C) - if (todo.ripemd160) { - TIME_AND_TSC("RIPEMD160", - mbedtls_ripemd160(buf, BUFSIZE, tmp)); - } -#endif - -#if defined(MBEDTLS_SHA1_C) - if (todo.sha1) { - TIME_AND_TSC("SHA-1", mbedtls_sha1(buf, BUFSIZE, tmp)); - } -#endif - -#if defined(MBEDTLS_SHA256_C) - if (todo.sha256) { - TIME_AND_TSC("SHA-256", mbedtls_sha256(buf, - BUFSIZE, tmp, 0)); - } -#endif - -#if defined(MBEDTLS_SHA512_C) - if (todo.sha512) { - TIME_AND_TSC("SHA-512", mbedtls_sha512(buf, - BUFSIZE, tmp, 0)); - } -#endif - -#if defined(MBEDTLS_DES_C) -#if defined(MBEDTLS_CIPHER_MODE_CBC) - if (todo.des3) { - mbedtls_des3_context des3; - - mbedtls_des3_init(&des3); - mbedtls_des3_set3key_enc(&des3, tmp); - - TIME_AND_TSC("3DES", - 
mbedtls_des3_crypt_cbc( - &des3, - MBEDTLS_DES_ENCRYPT, - BUFSIZE, tmp, buf, buf)); - mbedtls_des3_free(&des3); - } - - if (todo.des) { - mbedtls_des_context des; - - mbedtls_des_init(&des); - mbedtls_des_setkey_enc(&des, tmp); - - TIME_AND_TSC("DES", - mbedtls_des_crypt_cbc(&des, - MBEDTLS_DES_ENCRYPT, - BUFSIZE, tmp, buf, buf)); - mbedtls_des_free(&des); - - } -#endif /* MBEDTLS_CIPHER_MODE_CBC */ -#if defined(MBEDTLS_CMAC_C) - if (todo.des3_cmac) { - unsigned char output[8]; - const mbedtls_cipher_info_t *cipher_info; - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - cipher_info = mbedtls_cipher_info_from_type( - MBEDTLS_CIPHER_DES_EDE3_ECB); - - TIME_AND_TSC("3DES-CMAC", - mbedtls_cipher_cmac(cipher_info, tmp, 192, buf, - BUFSIZE, output)); - } -#endif /* MBEDTLS_CMAC_C */ -#endif /* MBEDTLS_DES_C */ - -#if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_CIPHER_MODE_CBC) - if (todo.aes_cbc) { - int keysize; - mbedtls_aes_context aes; - - mbedtls_aes_init(&aes); - - for (keysize = 128; keysize <= 256; keysize += 64) { - snprintk(title, sizeof(title), - "AES-CBC-%d", keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - mbedtls_aes_setkey_enc(&aes, tmp, keysize); - - TIME_AND_TSC(title, - mbedtls_aes_crypt_cbc(&aes, - MBEDTLS_AES_ENCRYPT, - BUFSIZE, tmp, buf, buf)); - } - - mbedtls_aes_free(&aes); - } -#endif -#if defined(MBEDTLS_CIPHER_MODE_XTS) - if (todo.aes_xts) { - int keysize; - mbedtls_aes_xts_context ctx; - - mbedtls_aes_xts_init(&ctx); - - for (keysize = 128; keysize <= 256; keysize += 128) { - snprintk(title, sizeof(title), - "AES-XTS-%d", keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - mbedtls_aes_xts_setkey_enc(&ctx, tmp, keysize * 2); - - TIME_AND_TSC(title, - mbedtls_aes_crypt_xts(&ctx, - MBEDTLS_AES_ENCRYPT, BUFSIZE, - tmp, buf, buf)); - - mbedtls_aes_xts_free(&ctx); - } - } -#endif -#if defined(MBEDTLS_GCM_C) - if (todo.aes_gcm) { - int keysize; - mbedtls_gcm_context gcm; - - 
mbedtls_gcm_init(&gcm); - - for (keysize = 128; keysize <= 256; keysize += 64) { - snprintk(title, sizeof(title), "AES-GCM-%d", - keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - mbedtls_gcm_setkey(&gcm, MBEDTLS_CIPHER_ID_AES, tmp, - keysize); - - TIME_AND_TSC(title, - mbedtls_gcm_crypt_and_tag(&gcm, - MBEDTLS_GCM_ENCRYPT, - BUFSIZE, tmp, - 12, NULL, 0, buf, buf, - 16, tmp)); - mbedtls_gcm_free(&gcm); - } - } -#endif -#if defined(MBEDTLS_CCM_C) - if (todo.aes_ccm) { - int keysize; - mbedtls_ccm_context ccm; - - mbedtls_ccm_init(&ccm); - - for (keysize = 128; keysize <= 256; keysize += 64) { - snprintk(title, sizeof(title), "AES-CCM-%d", - keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - mbedtls_ccm_setkey(&ccm, MBEDTLS_CIPHER_ID_AES, tmp, - keysize); - - TIME_AND_TSC(title, - mbedtls_ccm_encrypt_and_tag(&ccm, BUFSIZE, - tmp, 12, NULL, 0, buf, - buf, tmp, 16)); - - mbedtls_ccm_free(&ccm); - } - } -#endif -#if defined(MBEDTLS_CHACHAPOLY_C) - if (todo.chachapoly) { - mbedtls_chachapoly_context chachapoly; - - mbedtls_chachapoly_init(&chachapoly); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - snprintk(title, sizeof(title), "ChaCha20-Poly1305"); - - mbedtls_chachapoly_setkey(&chachapoly, tmp); - - TIME_AND_TSC(title, - mbedtls_chachapoly_encrypt_and_tag(&chachapoly, - BUFSIZE, tmp, NULL, 0, buf, buf, tmp)); - - mbedtls_chachapoly_free(&chachapoly); - } -#endif -#if defined(MBEDTLS_CMAC_C) - if (todo.aes_cmac) { - unsigned char output[16]; - const mbedtls_cipher_info_t *cipher_info; - mbedtls_cipher_type_t cipher_type; - int keysize; - - for (keysize = 128, cipher_type = MBEDTLS_CIPHER_AES_128_ECB; - keysize <= 256; keysize += 64, cipher_type++) { - snprintk(title, sizeof(title), "AES-CMAC-%d", - keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - cipher_info = mbedtls_cipher_info_from_type( - cipher_type); - - TIME_AND_TSC(title, - mbedtls_cipher_cmac(cipher_info, - 
tmp, keysize, - buf, BUFSIZE, - output)); - } - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - TIME_AND_TSC("AES-CMAC-PRF-128", - mbedtls_aes_cmac_prf_128(tmp, 16, buf, BUFSIZE, - output)); - } -#endif /* MBEDTLS_CMAC_C */ -#endif /* MBEDTLS_AES_C */ - -#if defined(MBEDTLS_ARIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC) - if (todo.aria) { - int keysize; - mbedtls_aria_context aria; - - mbedtls_aria_init(&aria); - - for (keysize = 128; keysize <= 256; keysize += 64) { - snprintk(title, sizeof(title), - "ARIA-CBC-%d", keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - mbedtls_aria_setkey_enc(&aria, tmp, keysize); - - TIME_AND_TSC(title, - mbedtls_aria_crypt_cbc(&aria, - MBEDTLS_ARIA_ENCRYPT, - BUFSIZE, tmp, buf, buf)); - } - - mbedtls_aria_free(&aria); - } -#endif - -#if defined(MBEDTLS_CAMELLIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC) - if (todo.camellia) { - int keysize; - mbedtls_camellia_context camellia; - - mbedtls_camellia_init(&camellia); - - for (keysize = 128; keysize <= 256; keysize += 64) { - snprintk(title, sizeof(title), - "CAMELLIA-CBC-%d", keysize); - - memset(buf, 0, sizeof(buf)); - memset(tmp, 0, sizeof(tmp)); - - mbedtls_camellia_setkey_enc(&camellia, tmp, keysize); - - TIME_AND_TSC(title, - mbedtls_camellia_crypt_cbc(&camellia, - MBEDTLS_CAMELLIA_ENCRYPT, - BUFSIZE, tmp, buf, buf)); - } - - mbedtls_camellia_free(&camellia); - } -#endif - -#if defined(MBEDTLS_CHACHA20_C) - if (todo.chacha20) { - TIME_AND_TSC("ChaCha20", mbedtls_chacha20_crypt( - buf, buf, 0U, BUFSIZE, - buf, buf)); - } -#endif - -#if defined(MBEDTLS_POLY1305_C) - if (todo.poly1305) { - TIME_AND_TSC("Poly1305", mbedtls_poly1305_mac( - buf, buf, BUFSIZE, - buf)); - } -#endif - -#if defined(MBEDTLS_HAVEGE_C) - if (todo.havege) { - mbedtls_havege_state hs; - - mbedtls_havege_init(&hs); - - TIME_AND_TSC("HAVEGE", mbedtls_havege_random(&hs, - buf, BUFSIZE)); - mbedtls_havege_free(&hs); - } -#endif - -#if defined(MBEDTLS_CTR_DRBG_C) - if 
(todo.ctr_drbg) { - mbedtls_ctr_drbg_context ctr_drbg; - - mbedtls_ctr_drbg_init(&ctr_drbg); - - if (mbedtls_ctr_drbg_seed(&ctr_drbg, myrand, - NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - TIME_AND_TSC("CTR_DRBG (NOPR)", - mbedtls_ctr_drbg_random(&ctr_drbg, buf, BUFSIZE)); - - if (mbedtls_ctr_drbg_seed(&ctr_drbg, myrand, - NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, - MBEDTLS_CTR_DRBG_PR_ON); - - TIME_AND_TSC("CTR_DRBG (PR)", - mbedtls_ctr_drbg_random(&ctr_drbg, buf, BUFSIZE)); - - mbedtls_ctr_drbg_free(&ctr_drbg); - } -#endif - -#if defined(MBEDTLS_HMAC_DRBG_C) - if (todo.hmac_drbg) { - mbedtls_hmac_drbg_context hmac_drbg; - const mbedtls_md_info_t *md_info; - - mbedtls_hmac_drbg_init(&hmac_drbg); - -#if defined(MBEDTLS_SHA1_C) - md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1); - if (md_info == NULL) { - mbedtls_exit(1); - } - - if (mbedtls_hmac_drbg_seed(&hmac_drbg, md_info, - myrand, NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - TIME_AND_TSC("HMAC_DRBG SHA-1 (NOPR)", - mbedtls_hmac_drbg_random(&hmac_drbg, buf, - BUFSIZE)); - - if (mbedtls_hmac_drbg_seed(&hmac_drbg, md_info, myrand, - NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - mbedtls_hmac_drbg_set_prediction_resistance(&hmac_drbg, - MBEDTLS_HMAC_DRBG_PR_ON); - - TIME_AND_TSC("HMAC_DRBG SHA-1 (PR)", - mbedtls_hmac_drbg_random(&hmac_drbg, buf, - BUFSIZE)); -#endif - -#if defined(MBEDTLS_SHA256_C) - md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); - if (md_info == NULL) { - mbedtls_exit(1); - } - - if (mbedtls_hmac_drbg_seed(&hmac_drbg, md_info, - myrand, NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - TIME_AND_TSC("HMAC_DRBG SHA-256 (NOPR)", - mbedtls_hmac_drbg_random(&hmac_drbg, buf, - BUFSIZE)); - - if (mbedtls_hmac_drbg_seed(&hmac_drbg, md_info, myrand, - NULL, NULL, 0) != 0) { - mbedtls_exit(1); - } - - mbedtls_hmac_drbg_set_prediction_resistance(&hmac_drbg, - MBEDTLS_HMAC_DRBG_PR_ON); - - TIME_AND_TSC("HMAC_DRBG SHA-256 
(PR)", - mbedtls_hmac_drbg_random(&hmac_drbg, buf, - BUFSIZE)); -#endif - mbedtls_hmac_drbg_free(&hmac_drbg); - } -#endif - -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) - if (todo.rsa) { - int keysize; - mbedtls_rsa_context rsa; - - for (keysize = 2048; keysize <= 4096; keysize *= 2) { - snprintk(title, sizeof(title), "RSA-%d", - keysize); - - mbedtls_rsa_init(&rsa); - mbedtls_rsa_gen_key(&rsa, myrand, NULL, keysize, - 65537); - - TIME_PUBLIC(title, " public", - buf[0] = 0; - ret = mbedtls_rsa_public(&rsa, buf, buf)); - - TIME_PUBLIC(title, "private", - buf[0] = 0; - ret = mbedtls_rsa_private(&rsa, myrand, - NULL, buf, buf)); - - mbedtls_rsa_free(&rsa); - } - } -#endif - -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_BIGNUM_C) - if (todo.dhm) { - int dhm_sizes[] = {2048, 3072}; - static const unsigned char dhm_P_2048[] = - MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; - static const unsigned char dhm_P_3072[] = - MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN; - static const unsigned char dhm_G_2048[] = - MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; - static const unsigned char dhm_G_3072[] = - MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN; - - const unsigned char *dhm_P[] = { dhm_P_2048, dhm_P_3072 }; - const size_t dhm_P_size[] = { sizeof(dhm_P_2048), - sizeof(dhm_P_3072) }; - const unsigned char *dhm_G[] = { dhm_G_2048, dhm_G_3072 }; - const size_t dhm_G_size[] = { sizeof(dhm_G_2048), - sizeof(dhm_G_3072) }; - mbedtls_dhm_context dhm; - size_t olen; - size_t n; - - for (i = 0; i < ARRAY_SIZE(dhm_sizes); i++) { - mbedtls_dhm_init(&dhm); - - if (mbedtls_mpi_read_binary(&dhm.P, dhm_P[i], - dhm_P_size[i]) != 0 || - mbedtls_mpi_read_binary(&dhm.G, dhm_G[i], - dhm_G_size[i]) != 0) { - mbedtls_exit(1); - } - - n = mbedtls_mpi_size(&dhm.P); - mbedtls_dhm_make_public(&dhm, (int)n, buf, - n, myrand, NULL); - if (mbedtls_mpi_copy(&dhm.GY, &dhm.GX) != 0) { - mbedtls_exit(1); - } - - snprintk(title, sizeof(title), "DHE-%d", dhm_sizes[i]); - - TIME_PUBLIC(title, "handshake", - ret |= 
mbedtls_dhm_make_public(&dhm, - (int)n, buf, n, - myrand, NULL); - ret |= mbedtls_dhm_calc_secret(&dhm, buf, - sizeof(buf), &olen, myrand, - NULL)); - - snprintk(title, sizeof(title), "DH-%d", dhm_sizes[i]); - - TIME_PUBLIC(title, "handshake", - ret |= mbedtls_dhm_calc_secret(&dhm, buf, - sizeof(buf), &olen, myrand, - NULL)); - - mbedtls_dhm_free(&dhm); - } - } -#endif - -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) - if (todo.ecdsa) { - size_t sig_len; - const mbedtls_ecp_curve_info *curve_info; - mbedtls_ecdsa_context ecdsa; - - memset(buf, 0x2A, sizeof(buf)); - - for (curve_info = mbedtls_ecp_curve_list(); - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdsa_init(&ecdsa); - - if (mbedtls_ecdsa_genkey(&ecdsa, curve_info->grp_id, - myrand, NULL) != 0) { - mbedtls_exit(1); - } - - ecp_clear_precomputed(&ecdsa.grp); - - snprintk(title, sizeof(title), "ECDSA-%s", - curve_info->name); - - TIME_PUBLIC(title, "sign", - ret = mbedtls_ecdsa_write_signature( - &ecdsa, MBEDTLS_MD_SHA256, - buf, curve_info->bit_size, - tmp, sizeof(tmp), &sig_len, - myrand, NULL)); - - mbedtls_ecdsa_free(&ecdsa); - } - - for (curve_info = mbedtls_ecp_curve_list(); - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdsa_init(&ecdsa); - - if (mbedtls_ecdsa_genkey(&ecdsa, curve_info->grp_id, - myrand, NULL) != 0 || - mbedtls_ecdsa_write_signature(&ecdsa, - MBEDTLS_MD_SHA256, buf, - curve_info->bit_size, - tmp, sizeof(tmp), - &sig_len, myrand, - NULL) != 0) { - mbedtls_exit(1); - } - - ecp_clear_precomputed(&ecdsa.grp); - - snprintk(title, sizeof(title), "ECDSA-%s", - curve_info->name); - - TIME_PUBLIC(title, "verify", - ret = mbedtls_ecdsa_read_signature(&ecdsa, - buf, curve_info->bit_size, - tmp, sig_len)); - - mbedtls_ecdsa_free(&ecdsa); - } - } -#endif - -#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - if (todo.ecdh) { - mbedtls_ecdh_context ecdh; - mbedtls_mpi z; - const mbedtls_ecp_curve_info 
montgomery_curve_list[] = { -#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) - { MBEDTLS_ECP_DP_CURVE25519, 0, 0, "Curve25519" }, -#endif -#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) - { MBEDTLS_ECP_DP_CURVE448, 0, 0, "Curve448" }, -#endif - { MBEDTLS_ECP_DP_NONE, 0, 0, 0 } - }; - const mbedtls_ecp_curve_info *curve_info; - size_t olen; - - for (curve_info = mbedtls_ecp_curve_list(); - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - - if (mbedtls_ecp_group_load(&ecdh.grp, - curve_info->grp_id) != 0 || - mbedtls_ecdh_make_public(&ecdh, &olen, buf, - sizeof(buf), - myrand, NULL) != 0 || - mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q) != 0) { - mbedtls_exit(1); - } - - ecp_clear_precomputed(&ecdh.grp); - - snprintk(title, sizeof(title), "ECDHE-%s", - curve_info->name); - - TIME_PUBLIC(title, "handshake", - ret |= mbedtls_ecdh_make_public(&ecdh, - &olen, buf, sizeof(buf), - myrand, NULL); - ret |= mbedtls_ecdh_calc_secret(&ecdh, - &olen, buf, sizeof(buf), - myrand, NULL)); - mbedtls_ecdh_free(&ecdh); - } - - /* Montgomery curves need to be handled separately */ - for (curve_info = montgomery_curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - mbedtls_mpi_init(&z); - - if (mbedtls_ecp_group_load(&ecdh.grp, - curve_info->grp_id) != 0 || - mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, - &ecdh.Qp, myrand, NULL) - != 0) { - mbedtls_exit(1); - } - - snprintk(title, sizeof(title), "ECDHE-%s", - curve_info->name); - - TIME_PUBLIC(title, "handshake", - ret |= mbedtls_ecdh_gen_public(&ecdh.grp, - &ecdh.d, - &ecdh.Q, - myrand, - NULL); - ret |= mbedtls_ecdh_compute_shared( - &ecdh.grp, &z, - &ecdh.Qp, - &ecdh.d, - myrand, - NULL)); - mbedtls_ecdh_free(&ecdh); - mbedtls_mpi_free(&z); - } - - for (curve_info = mbedtls_ecp_curve_list(); - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - - if (mbedtls_ecp_group_load(&ecdh.grp, - curve_info->grp_id) != 0 || - 
mbedtls_ecdh_make_public(&ecdh, &olen, buf, - sizeof(buf), myrand, - NULL) != 0 || - mbedtls_ecp_copy(&ecdh.Qp, &ecdh.Q) != 0 || - mbedtls_ecdh_make_public(&ecdh, &olen, buf, - sizeof(buf), myrand, - NULL) != 0) { - mbedtls_exit(1); - } - - ecp_clear_precomputed(&ecdh.grp); - - snprintk(title, sizeof(title), "ECDH-%s", - curve_info->name); - - TIME_PUBLIC(title, "handshake", - ret |= mbedtls_ecdh_calc_secret(&ecdh, - &olen, - buf, sizeof(buf), - myrand, NULL)); - mbedtls_ecdh_free(&ecdh); - } - - /* Montgomery curves need to be handled separately */ - for (curve_info = montgomery_curve_list; - curve_info->grp_id != MBEDTLS_ECP_DP_NONE; - curve_info++) { - mbedtls_ecdh_init(&ecdh); - mbedtls_mpi_init(&z); - - if (mbedtls_ecp_group_load(&ecdh.grp, - curve_info->grp_id) != 0 || - mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, - &ecdh.Qp, myrand, - NULL) != 0 || - mbedtls_ecdh_gen_public(&ecdh.grp, &ecdh.d, - &ecdh.Q, myrand, - NULL) != 0) { - mbedtls_exit(1); - } - - snprintk(title, sizeof(title), "ECDH-%s", - curve_info->name); - - TIME_PUBLIC(title, "handshake", - ret |= mbedtls_ecdh_compute_shared( - &ecdh.grp, - &z, &ecdh.Qp, - &ecdh.d, - myrand, - NULL)); - - mbedtls_ecdh_free(&ecdh); - mbedtls_mpi_free(&z); - } - } -#endif - mbedtls_printf("\n Done\n"); + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_status_t status = PSA_SUCCESS; + size_t out_len; + + k_timer_init(&timer, timer_expired_callback, NULL); + + memset(in_buf, 0xaa, sizeof(in_buf)); + + /* HASH */ + + COMPUTE_THROUGHPUT("SHA-1", + psa_hash_compute(PSA_ALG_SHA_1, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len) + ); + + COMPUTE_THROUGHPUT("SHA-224", + psa_hash_compute(PSA_ALG_SHA_224, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len) + ); + + COMPUTE_THROUGHPUT("SHA-256", + psa_hash_compute(PSA_ALG_SHA_256, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len) + ); + + COMPUTE_THROUGHPUT("SHA-384", + psa_hash_compute(PSA_ALG_SHA_384, in_buf, sizeof(in_buf), 
+ out_buf, sizeof(out_buf), &out_len) + ); + + COMPUTE_THROUGHPUT("SHA-512", + psa_hash_compute(PSA_ALG_SHA_512, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len) + ); + + /* Ciphers */ + + status = make_cipher_key(PSA_KEY_TYPE_AES, PSA_ALG_ECB_NO_PADDING, &key_id); + if (status == PSA_SUCCESS) { + COMPUTE_THROUGHPUT("AES-256-ECB", + psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING, + in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + ); + psa_destroy_key(key_id); + } else { + printk("Failed to import AES key"); + } + + status = make_cipher_key(PSA_KEY_TYPE_ARIA, PSA_ALG_ECB_NO_PADDING, &key_id); + if (status == PSA_SUCCESS) { + COMPUTE_THROUGHPUT("ARIA-256-ECB", + psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING, + in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + ); + psa_destroy_key(key_id); + } else { + printk("Failed to import ARIA key"); + } + + status = make_cipher_key(PSA_KEY_TYPE_CAMELLIA, PSA_ALG_ECB_NO_PADDING, &key_id); + if (status != PSA_SUCCESS) { + COMPUTE_THROUGHPUT("CAMELLIA-256-ECB", + psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING, + in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + ); + psa_destroy_key(key_id); + } else { + printk("Failed to import Camellia key"); + } + + printk("Benchmark completed\n"); return 0; } diff --git a/tests/benchmarks/mbedtls/testcase.yaml b/tests/benchmarks/mbedtls/testcase.yaml index 021e92a4e32d8..4c7270c8f90cb 100644 --- a/tests/benchmarks/mbedtls/testcase.yaml +++ b/tests/benchmarks/mbedtls/testcase.yaml @@ -1,5 +1,10 @@ common: - harness: crypto + harness: console + harness_config: + type: one_line + regex: + - "Benchmark completed" + timeout: 10 tags: crypto tests: benchmark.crypto.mbedtls: diff --git a/tests/crypto/mbedtls/CMakeLists.txt b/tests/crypto/mbedtls/CMakeLists.txt deleted file mode 100644 index 7ebdc9d76a9ae..0000000000000 --- a/tests/crypto/mbedtls/CMakeLists.txt +++ /dev/null 
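Review bot: The `one_line` regex `"Benchmark completed"` is matched by a line that main.c prints unconditionally, so this test case passes even when a benchmarked operation fails. In the main.c hunk of this commit the key-import failure branches only `printk` a message and fall through to `printk("Benchmark completed\n")`. The Camellia branch there tests `status != PSA_SUCCESS` where the AES and ARIA branches test `status == PSA_SUCCESS`, which looks inverted, and this harness would not catch it. Whether `COMPUTE_THROUGHPUT` checks the PSA return value is not visible here. Consider recording failures in main.c and ending with `return -1;` before the completion line, so the regex only matches after every step succeeded.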
@@ -1,20 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 - -cmake_minimum_required(VERSION 3.20.0) -find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) -project(mbedtls) - -set(output_file ${PROJECT_BINARY_DIR}/mbedtls-check.timestamp) - -add_custom_command( - COMMENT "Check Mbed TLS auto-generated files" - COMMAND - ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/modules/mbedtls/create_psa_files.py --check - OUTPUT - ${output_file} -) - -add_custom_target(check_mbedtls_auto_generated_files ALL DEPENDS ${output_file}) - -FILE(GLOB app_sources src/*.c) -target_sources(app PRIVATE ${app_sources}) diff --git a/tests/crypto/mbedtls/boards/frdm_rw612.overlay b/tests/crypto/mbedtls/boards/frdm_rw612.overlay deleted file mode 100644 index 5df8d83c40b87..0000000000000 --- a/tests/crypto/mbedtls/boards/frdm_rw612.overlay +++ /dev/null @@ -1,17 +0,0 @@ -/* - * Copyright 2024 NXP - * - * SPDX-License-Identifier: Apache-2.0 - */ - -&smu1 { - smu1_data: memory@0 { - /delete-property/ zephyr,memory-attr; - }; -}; - -&smu2 { - smu2_data: memory@0 { - /delete-property/ zephyr,memory-attr; - }; -}; diff --git a/tests/crypto/mbedtls/boards/rd_rw612_bga.overlay b/tests/crypto/mbedtls/boards/rd_rw612_bga.overlay deleted file mode 100644 index b78c0344f1eb0..0000000000000 --- a/tests/crypto/mbedtls/boards/rd_rw612_bga.overlay +++ /dev/null @@ -1,17 +0,0 @@ -/* - * Copyright 2023 NXP - * - * SPDX-License-Identifier: Apache-2.0 - */ - -&smu1 { - smu1_data: memory@0 { - /delete-property/ zephyr,memory-attr; - }; -}; - -&smu2 { - smu2_data: memory@0 { - /delete-property/ zephyr,memory-attr; - }; -}; diff --git a/tests/crypto/mbedtls/prj.conf b/tests/crypto/mbedtls/prj.conf deleted file mode 100644 index 6da7c1489b7cf..0000000000000 --- a/tests/crypto/mbedtls/prj.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -CONFIG_ZTEST_STACK_SIZE=4096 -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_BUILTIN=y -CONFIG_MBEDTLS_TEST=y -CONFIG_ZTEST=y -CONFIG_TEST_USERSPACE=y -CONFIG_MINIMAL_LIBC=y -CONFIG_MINIMAL_LIBC_NON_REENTRANT_FUNCTIONS=y -CONFIG_MINIMAL_LIBC_RAND=y -CONFIG_ENTROPY_GENERATOR=y -CONFIG_TEST_RANDOM_GENERATOR=y -CONFIG_MBEDTLS_USE_PSA_CRYPTO=n -CONFIG_PSA_CRYPTO_ENABLE_ALL=n diff --git a/tests/crypto/mbedtls/src/main.c b/tests/crypto/mbedtls/src/main.c deleted file mode 100644 index b2c74f321f4c9..0000000000000 --- a/tests/crypto/mbedtls/src/main.c +++ /dev/null @@ -1,26 +0,0 @@ -/* - * Copyright (c) 2017 Intel Corporation - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include - -extern void test_mbedtls(void); - -void *mbedtls_fn_setup(void) -{ -#ifdef CONFIG_USERSPACE - int ret = k_mem_domain_add_partition(&k_mem_domain_default, - &k_mbedtls_partition); - if (ret != 0) { - printk("Failed to add memory partition (%d)\n", ret); - k_oops(); - } -#endif - - return NULL; -} - -ZTEST_SUITE(mbedtls_fn, NULL, mbedtls_fn_setup, NULL, NULL, NULL); diff --git a/tests/crypto/mbedtls/src/mbedtls.c b/tests/crypto/mbedtls/src/mbedtls.c deleted file mode 100644 index 762cdc15622ad..0000000000000 --- a/tests/crypto/mbedtls/src/mbedtls.c +++ /dev/null 
@@ -1,413 +0,0 @@ -/* Self-test demonstration program - * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved - * - * SPDX-License-Identifier: Apache-2.0 - * - * This file is part of mbed TLS (https://tls.mbed.org) - */ - -#include -#define MBEDTLS_PRINT (int(*)(const char *, ...)) printk - -#include -#include -#include - -#include -#include -#include - -#include -#include - -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#include "mbedtls/build_info.h" - - -#include "mbedtls/entropy.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/dhm.h" -#include "mbedtls/gcm.h" -#include "mbedtls/ccm.h" -#include "mbedtls/cmac.h" -#include "mbedtls/md5.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/des.h" -#include "mbedtls/aes.h" -#include "mbedtls/camellia.h" -#include "mbedtls/aria.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/chachapoly.h" -#include "mbedtls/base64.h" -#include "mbedtls/bignum.h" -#include "mbedtls/rsa.h" -#include "mbedtls/x509.h" -#include "mbedtls/pkcs5.h" -#include "mbedtls/ecp.h" -#include "mbedtls/ecjpake.h" -#include "mbedtls/timing.h" -#include "mbedtls/nist_kw.h" - -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else -#include -#include -#define mbedtls_printf printf -#define mbedtls_snprintf snprintf -#define mbedtls_exit exit -#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS -#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE -#endif - -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -#include "mbedtls/memory_buffer_alloc.h" -#endif - -static int test_snprintf(size_t n, const char *ref_buf, int ref_ret) -{ - int ret; - char buf[10] = "xxxxxxxxx"; - const char ref[10] = "xxxxxxxxx"; - - ret = mbedtls_snprintf(buf, n, "%s", "123"); - if (ret < 0 || (size_t) ret >= n) { - ret = -1; - } - - if (strncmp(ref_buf, buf, sizeof(buf)) != 0 || - ref_ret != ret || memcmp(buf + n, ref + n, 
sizeof(buf) - n) != 0) { - return 1; - } - - return 0; -} - -static int run_test_snprintf(void) -{ - return (test_snprintf(0, "xxxxxxxxx", -1) != 0 || - test_snprintf(1, "", -1) != 0 || - test_snprintf(2, "1", -1) != 0 || - test_snprintf(3, "12", -1) != 0 || - test_snprintf(4, "123", 3) != 0 || - test_snprintf(5, "123", 3) != 0); -} - -/* - * Check if a seed file is present, and if not create one for the entropy - * self-test. If this fails, we attempt the test anyway, so no error is passed - * back. - */ -#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_ENTROPY_NV_SEED) && \ - !defined(MBEDTLS_NO_PLATFORM_ENTROPY) -static void create_entropy_seed_file(void) -{ - int result; - size_t output_len = 0; - unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE]; - -/* Attempt to read the entropy seed file. If this fails - attempt to write - * to the file to ensure one is present. - */ - result = mbedtls_platform_std_nv_seed_read(seed_value, - MBEDTLS_ENTROPY_BLOCK_SIZE); - if (result == 0) { - return; - } - - result = mbedtls_platform_entropy_poll(NULL, - seed_value, - MBEDTLS_ENTROPY_BLOCK_SIZE, - &output_len); - if (result != 0) { - return; - } - - if (output_len != MBEDTLS_ENTROPY_BLOCK_SIZE) { - return; - } - - mbedtls_platform_std_nv_seed_write(seed_value, - MBEDTLS_ENTROPY_BLOCK_SIZE); -} -#endif - -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) -ZTEST_BMEM unsigned char buf[16000]; -#endif - -ZTEST_USER(mbedtls_fn, test_mbedtls) -{ - int v, suites_tested = 0, suites_failed = 0; - - void *pointer; - -#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) - mbedtls_platform_set_printf(MBEDTLS_PRINT); -#endif - -/* - * The C standard doesn't guarantee that all-bits-0 is the representation - * of a NULL pointer. We do however use that in our code for initializing - * structures, which should work on every modern platform. Let's be sure. 
- */ - (void)memset(&pointer, 0, sizeof(void *)); - if (pointer != NULL) { - mbedtls_printf("all-bits-zero is not a NULL pointer\n"); - mbedtls_exit(MBEDTLS_EXIT_FAILURE); - } - - /* - * Make sure we have a snprintf that correctly zero-terminates - */ - if (run_test_snprintf() != 0) { - mbedtls_printf("the snprintf implementation is broken\n"); - mbedtls_exit(MBEDTLS_EXIT_FAILURE); - } - - v = 1; - mbedtls_printf("\n"); - -#if defined(MBEDTLS_SELF_TEST) - -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) - mbedtls_memory_buffer_alloc_init(buf, sizeof(buf)); -#endif - -#if defined(MBEDTLS_MD2_C) - if (mbedtls_md2_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_MD4_C) - if (mbedtls_md4_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_MD5_C) - if (mbedtls_md5_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_RIPEMD160_C) - if (mbedtls_ripemd160_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_SHA1_C) - if (mbedtls_sha1_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_SHA256_C) - if (mbedtls_sha256_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_SHA512_C) - if (mbedtls_sha512_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_ARC4_C) - if (mbedtls_arc4_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_DES_C) - if (mbedtls_des_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_AES_C) - if (mbedtls_aes_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C) - if (mbedtls_gcm_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C) - if 
(mbedtls_ccm_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_BASE64_C) - if (mbedtls_base64_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_BIGNUM_C) - if (mbedtls_mpi_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_RSA_C) - if (mbedtls_rsa_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_CAMELLIA_C) - if (mbedtls_camellia_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_ARIA_C) - if (mbedtls_aria_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_CTR_DRBG_C) - if (mbedtls_ctr_drbg_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_HMAC_DRBG_C) - if (mbedtls_hmac_drbg_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_ECP_C) - if (mbedtls_ecp_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_ECJPAKE_C) - if (mbedtls_ecjpake_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_DHM_C) - if (mbedtls_dhm_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_ENTROPY_C) - -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) - create_entropy_seed_file(); -#endif - - if (mbedtls_entropy_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_PKCS5_C) - if (mbedtls_pkcs5_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -#if defined(MBEDTLS_CMAC_C) \ - && (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)) - if (mbedtls_cmac_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif - -/* Slow tests last */ - -#if defined(MBEDTLS_TIMING_C) - if (mbedtls_timing_self_test(v) != 0) { - suites_failed++; - } - 
suites_tested++; -#endif - -#else - mbedtls_printf(" MBEDTLS_SELF_TEST not defined.\n"); -#endif - - if (v != 0) { -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG) - mbedtls_memory_buffer_alloc_status(); -#endif - } -#if defined(MBEDTLS_SELF_TEST) -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) - mbedtls_memory_buffer_alloc_free(); - if (mbedtls_memory_buffer_alloc_self_test(v) != 0) { - suites_failed++; - } - suites_tested++; -#endif -#endif - - if (v != 0) { - mbedtls_printf(" Executed %d test suites\n\n", suites_tested); - if (suites_failed > 0) { - mbedtls_printf(" [ %d tests FAIL ]\n\n", - suites_failed); - } else { - mbedtls_printf(" [ All tests PASS ]\n\n"); - } - zassert_not_equal(suites_tested, 0, - "ran %d tests", suites_tested); - zassert_equal(suites_failed, 0, - "%d tests failed", suites_failed); - -#if defined(_WIN32) - mbedtls_printf(" Press Enter to exit this program.\n"); - fflush(stdout); - getchar(); -#endif - } - -} diff --git a/tests/crypto/mbedtls/testcase.yaml b/tests/crypto/mbedtls/testcase.yaml deleted file mode 100644 index 9b89364da9394..0000000000000 --- a/tests/crypto/mbedtls/testcase.yaml +++ /dev/null @@ -1,17 +0,0 @@ -common: - min_flash: 65 - min_ram: 36 - tags: - - crypto - - mbedtls - - userspace - timeout: 400 -tests: - crypto.mbedtls: - platform_exclude: m2gl025_miv - extra_configs: - - CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=0 - - arch:riscv64:CONFIG_ZTEST_STACK_SIZE=8192 - integration_platforms: - - qemu_x86 - - native_sim diff --git a/tests/crypto/mbedtls_psa/prj.conf b/tests/crypto/mbedtls_psa/prj.conf index 54dd833011b1f..8e04eac1bf75e 100644 --- a/tests/crypto/mbedtls_psa/prj.conf +++ b/tests/crypto/mbedtls_psa/prj.conf 
@@ -3,3 +3,13 @@ CONFIG_ZTEST=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y + +CONFIG_PSA_WANT_ALG_MD5=y +CONFIG_PSA_WANT_ALG_SHA_1=y +CONFIG_PSA_WANT_ALG_SHA_224=y +CONFIG_PSA_WANT_ALG_SHA_256=y +CONFIG_PSA_WANT_ALG_SHA_384=y +CONFIG_PSA_WANT_ALG_SHA_512=y + +CONFIG_PSA_WANT_ALG_HMAC=y +CONFIG_PSA_WANT_KEY_TYPE_HMAC=y diff --git a/tests/crypto/mbedtls_psa/src/main.c b/tests/crypto/mbedtls_psa/src/main.c index b54f21a4df948..1eda7caf4e5be 100644 --- a/tests/crypto/mbedtls_psa/src/main.c +++ b/tests/crypto/mbedtls_psa/src/main.c 
@@ -13,14 +13,156 @@ #include -ZTEST_USER(test_fn, test_mbedtls_psa) +ZTEST_USER(test_mbedtls_psa, test_generate_random) { uint8_t tmp[64]; + psa_status_t status; - zassert_equal(psa_crypto_init(), PSA_SUCCESS, "psa_crypto_init failed"); - zassert_equal(psa_generate_random(tmp, sizeof(tmp)), PSA_SUCCESS, - "psa_generate_random failed"); + status = psa_generate_random(tmp, sizeof(tmp)); + zassert_equal(status, PSA_SUCCESS); +} + +ZTEST_USER(test_mbedtls_psa, test_md5) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_MD5)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_MD5)] = { + 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8, + 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61 + }; + size_t out_len; + psa_status_t status; + + status = psa_hash_compute(PSA_ALG_MD5, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_sha1) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_1)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_1)] = { + 0x86, 0xf7, 0xe4, 0x37, 0xfa, 0xa5, 0xa7, 0xfc, 0xe1, 0x5d, + 0x1d, 0xdc, 0xb9, 0xea, 0xea, 0xea, 0x37, 0x76, 0x67, 0xb8 + }; + size_t out_len; + psa_status_t status; + + status = psa_hash_compute(PSA_ALG_SHA_1, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_sha224) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_224)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_224)] = { + 0xab, 0xd3, 0x75, 0x34, 0xc7, 0xd9, 0xa2, 0xef, 0xb9, 0x46, + 0x5d, 0xe9, 0x31, 0xcd, 0x70, 0x55, 0xff, 0xdb, 0x88, 0x79, + 0x56, 0x3a, 0xe9, 0x80, 0x78, 0xd6, 0xd6, 0xd5 + }; + size_t out_len; + psa_status_t status; + + status = 
psa_hash_compute(PSA_ALG_SHA_224, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_sha256) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_256)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_256)] = { + 0xca, 0x97, 0x81, 0x12, 0xca, 0x1b, 0xbd, 0xca, 0xfa, 0xc2, + 0x31, 0xb3, 0x9a, 0x23, 0xdc, 0x4d, 0xa7, 0x86, 0xef, 0xf8, + 0x14, 0x7c, 0x4e, 0x72, 0xb9, 0x80, 0x77, 0x85, 0xaf, 0xee, + 0x48, 0xbb + }; + size_t out_len; + psa_status_t status; + + status = psa_hash_compute(PSA_ALG_SHA_256, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_sha384) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_384)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_384)] = { + 0x54, 0xa5, 0x9b, 0x9f, 0x22, 0xb0, 0xb8, 0x08, 0x80, 0xd8, + 0x42, 0x7e, 0x54, 0x8b, 0x7c, 0x23, 0xab, 0xd8, 0x73, 0x48, + 0x6e, 0x1f, 0x03, 0x5d, 0xce, 0x9c, 0xd6, 0x97, 0xe8, 0x51, + 0x75, 0x03, 0x3c, 0xaa, 0x88, 0xe6, 0xd5, 0x7b, 0xc3, 0x5e, + 0xfa, 0xe0, 0xb5, 0xaf, 0xd3, 0x14, 0x5f, 0x31 + }; + size_t out_len; + psa_status_t status; + + status = psa_hash_compute(PSA_ALG_SHA_384, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_sha512) +{ + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_512)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_512)] = { + 0x1f, 0x40, 0xfc, 0x92, 0xda, 0x24, 0x16, 0x94, 0x75, 0x09, + 0x79, 0xee, 0x6c, 0xf5, 0x82, 0xf2, 0xd5, 0xd7, 0xd2, 0x8e, + 0x18, 0x33, 0x5d, 0xe0, 0x5a, 0xbc, 0x54, 0xd0, 0x56, 
0x0e, + 0x0f, 0x53, 0x02, 0x86, 0x0c, 0x65, 0x2b, 0xf0, 0x8d, 0x56, + 0x02, 0x52, 0xaa, 0x5e, 0x74, 0x21, 0x05, 0x46, 0xf3, 0x69, + 0xfb, 0xbb, 0xce, 0x8c, 0x12, 0xcf, 0xc7, 0x95, 0x7b, 0x26, + 0x52, 0xfe, 0x9a, 0x75 + }; + size_t out_len; + psa_status_t status; + + status = psa_hash_compute(PSA_ALG_SHA_512, in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); +} + +ZTEST_USER(test_mbedtls_psa, test_hmac_sha256) +{ + uint8_t key[] = { 'a' }; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = PSA_KEY_ID_NULL; + uint8_t in_buf[] = { 'a' }; + uint8_t out_buf[PSA_HASH_LENGTH(PSA_ALG_SHA_256)] = { 0 }; + uint8_t out_buf_ref[PSA_HASH_LENGTH(PSA_ALG_SHA_256)] = { + 0x3e, 0xcf, 0x53, 0x88, 0xe2, 0x20, 0xda, 0x9e, + 0x0f, 0x91, 0x94, 0x85, 0xde, 0xb6, 0x76, 0xd8, + 0xbe, 0xe3, 0xae, 0xc0, 0x46, 0xa7, 0x79, 0x35, + 0x3b, 0x46, 0x34, 0x18, 0x51, 0x1e, 0xe6, 0x22 + }; + size_t out_len; + psa_status_t status; + + psa_set_key_type(&key_attr, PSA_KEY_TYPE_HMAC); + psa_set_key_algorithm(&key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE); + + status = psa_import_key(&key_attr, key, sizeof(key), &key_id); + zassert_equal(status, PSA_SUCCESS); + status = psa_mac_compute(key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256), + in_buf, sizeof(in_buf), + out_buf, sizeof(out_buf), &out_len); + zassert_equal(status, PSA_SUCCESS); + zassert_mem_equal(out_buf, out_buf_ref, sizeof(out_buf_ref)); } -ZTEST_SUITE(test_fn, NULL, NULL, NULL, NULL, NULL); +ZTEST_SUITE(test_mbedtls_psa, NULL, NULL, NULL, NULL, NULL); diff --git a/tests/crypto/mbedtls_psa/testcase.yaml b/tests/crypto/mbedtls_psa/testcase.yaml index 187e25b1976c8..a7a1a4646ff37 100644 --- a/tests/crypto/mbedtls_psa/testcase.yaml +++ b/tests/crypto/mbedtls_psa/testcase.yaml 
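Review bot: `test_hmac_sha256` imports a key with `psa_import_key()` and never releases it, so the key slot stays allocated after the test; add `psa_destroy_key(key_id);` after the MAC comparison. None of the hash tests or the HMAC test inspect `out_len`, so a wrong reported length goes unnoticed; `zassert_equal(out_len, sizeof(out_buf_ref));` after each compute call would pin it. The hunk also drops the explicit `psa_crypto_init()` call the old test made. If initialisation is now expected to happen before the suite runs, a one-line comment above `ZTEST_SUITE` saying so would help, since nothing in this file shows it.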
@@ -19,6 +19,18 @@ common: tags: - mbedtls - psa + harness: console + harness_config: + type: multi_line + regex: + - " PASS - test_generate_random.*" + - " PASS - test_hmac_sha256.*" + - " PASS - test_md5.*" + - " PASS - test_sha1.*" + - " PASS - test_sha224.*" + - " PASS - test_sha256.*" + - " PASS - test_sha384.*" + - " PASS - test_sha512.*" tests: crypto.mbedtls_psa.with_entropy_driver: filter: CONFIG_CSPRNG_ENABLED diff --git a/tests/lib/uuid/testcase.yaml b/tests/lib/uuid/testcase.yaml index de0da1c38754c..9bd172c96ece5 100644 --- a/tests/lib/uuid/testcase.yaml +++ b/tests/lib/uuid/testcase.yaml @@ -8,8 +8,8 @@ tests: extra_configs: - CONFIG_UUID_V5=y - CONFIG_MBEDTLS=y - - CONFIG_MBEDTLS_MD=y - - CONFIG_MBEDTLS_SHA1=y + - CONFIG_MBEDTLS_PSA_CRYPTO_C=y + - CONFIG_PSA_WANT_ALG_SHA_1=y - CONFIG_UUID_BASE64=y - CONFIG_BASE64=y # UUID utilities need some heap, but MINIMAL_LIBC has none by default. diff --git a/tests/net/socket/tls/prj.conf b/tests/net/socket/tls/prj.conf index 3bbb28310f66f..2c63db612b6dd 100644 --- a/tests/net/socket/tls/prj.conf +++ b/tests/net/socket/tls/prj.conf @@ -47,5 +47,6 @@ CONFIG_ZTEST_STACK_SIZE=4096 CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=18000 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y -CONFIG_MBEDTLS_HASH_ALL_ENABLED=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_HASH_ALL=y CONFIG_MBEDTLS_CMAC=y diff --git a/tests/subsys/mgmt/mcumgr/all_options/prj.conf b/tests/subsys/mgmt/mcumgr/all_options/prj.conf index 3087ce16c3932..485df89bb1956 100644 --- a/tests/subsys/mgmt/mcumgr/all_options/prj.conf +++ b/tests/subsys/mgmt/mcumgr/all_options/prj.conf @@ -5,7 +5,8 @@ # CONFIG_ZTEST=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_SHA256=y +CONFIG_MBEDTLS_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_256=y CONFIG_FILE_SYSTEM=y CONFIG_BASE64=y CONFIG_NET_BUF=y 
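Review bot: `CONFIG_MBEDTLS_MBEDTLS_PSA_CRYPTO_C=y` in tests/subsys/mgmt/mcumgr/all_options/prj.conf has the `MBEDTLS_` prefix doubled; the other configuration fragments touched by this commit use `CONFIG_MBEDTLS_PSA_CRYPTO_C=y`. As written, the line presumably names a symbol that does not exist, so this fragment does not itself enable the PSA crypto core and the Kconfig step may reject the assignment. The line should read `CONFIG_MBEDTLS_PSA_CRYPTO_C=y`.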
diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf index eff5b71007f86..e348b09cb2c27 100644 --- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf +++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf @@ -6,4 +6,5 @@ CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_SHA256=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_256=y diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf index 5f85dda370851..035f52c4a528c 100644 --- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf +++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf @@ -6,4 +6,5 @@ CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=n CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_SHA256=y +CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_WANT_ALG_SHA_256=y diff --git a/tests/subsys/storage/flash_map/overlay-mbedtls.conf b/tests/subsys/storage/flash_map/overlay-mbedtls.conf deleted file mode 100644 index 2b8aef9e908d3..0000000000000 --- a/tests/subsys/storage/flash_map/overlay-mbedtls.conf +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_FLASH_AREA_CHECK_INTEGRITY=y -CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS=y diff --git a/tests/subsys/storage/flash_map/testcase.yaml b/tests/subsys/storage/flash_map/testcase.yaml index fd381e6034a8b..a7cd2581d2230 100644 --- a/tests/subsys/storage/flash_map/testcase.yaml +++ b/tests/subsys/storage/flash_map/testcase.yaml 
@@ -26,21 +26,6 @@ tests: integration_platforms: - nrf52840dk/nrf52840 tags: flash_map - storage.flash_map_sha.mbedtls: - extra_args: EXTRA_CONF_FILE=overlay-mbedtls.conf - platform_allow: - - nrf51dk/nrf51822 - - qemu_x86 - - native_sim - - native_sim/native/64 - - mr_canhubk3 - - s32z2xxdc2/s32z270/rtu0 - - s32z2xxdc2/s32z270/rtu1 - - s32z2xxdc2@D/s32z270/rtu0 - - s32z2xxdc2@D/s32z270/rtu1 - tags: flash_map - integration_platforms: - - native_sim storage.flash_map_sha.psa: extra_args: EXTRA_CONF_FILE=overlay-psa.conf platform_allow: