Merge pull request #140 from yanesca/everest_integration

Everest integration
diff --git a/docs/getting_started.md b/docs/getting_started.md
index 9ab4f8f..4d380e0 100644
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -63,35 +63,50 @@
 
 ### Importing a key
 
-To use a key for cryptography operations in Mbed Crypto, you need to first import it into a key slot. Each slot can store only one key at a time. The slot where the key is stored must be unoccupied, and valid for a key of the chosen type.
+To use a key for cryptography operations in Mbed Crypto, you need to first
+import it. Upon importing, you'll be given a handle to refer to the key for use
+with other function calls.
 
-Prerequisites to importing keys:
+Prerequisites for importing keys:
 * Initialize the library with a successful call to `psa_crypto_init`.
 
-Importing a key and checking key information:
-1. Import a key pair into key slot `1`.
-1. Test the information stored in this slot:
+Importing a key:
 ```C
-    int key_slot = 1;
-    uint8_t *data = "KEY_PAIR_KEY_DATA";
-    size_t data_size;
-    psa_key_type_t type = PSA_KEY_TYPE_RSA_PUBLIC_KEY;
-    size_t got_bits;
-    psa_key_type_t got_type;
-    size_t expected_bits = data_size;
-    psa_key_type_t type = PSA_KEY_TYPE_RAW_DATA;
-    size_t export_size = data_size;
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    uint8_t data[] = AES_KEY;
+    psa_key_handle_t handle;
 
-    psa_crypto_init();
+    printf("Import an AES key...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
+    /* Set key attributes */
+    psa_set_key_usage_flags(&attributes, 0);
+    psa_set_key_algorithm(&attributes, 0);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
 
     /* Import the key */
-    status = psa_import_key(key_slot, type, data, data_size);
+    status = psa_import_key(&attributes, data, sizeof(data), &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import key\n");
+        return;
+    }
+    printf("Imported a key\n");
 
-    /* Test the key information */
-    status = psa_get_key_information(slot, &got_type, &got_bits);
+    /* Free the attributes */
+    psa_reset_key_attributes(&attributes);
 
     /* Destroy the key */
-    psa_destroy_key(key_slot);
+    psa_destroy_key(handle);
+
     mbedtls_psa_crypto_free();
 ```
 
@@ -99,48 +114,70 @@
 
 Mbed Crypto provides support for encrypting, decrypting, signing and verifying messages using public key signature algorithms (such as RSA or ECDSA).
 
-Prerequisites to working with the asymmetric cipher API:
+Prerequisites for performing asymmetric signature operations:
 * Initialize the library with a successful call to `psa_crypto_init`.
-* Configure the key policy accordingly:
-    * `PSA_KEY_USAGE_SIGN` to allow signing.
-    * `PSA_KEY_USAGE_VERIFY` to allow signature verification.
-* Have a valid key in the key slot.
+* Have a valid key with appropriate attributes set:
+    * Usage flag `PSA_KEY_USAGE_SIGN` to allow signing.
+    * Usage flag `PSA_KEY_USAGE_VERIFY` to allow signature verification.
+    * Algorithm set to desired signature algorithm.
 
-To sign a given message `payload` using RSA:
-1. Set the key policy of the chosen key slot by calling `psa_key_policy_set_usage()` with the `PSA_KEY_USAGE_SIGN` parameter and the algorithm `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`.
-This allows the key in the key slot to be used for RSA signing.
-1. Import the key into the key slot by calling `psa_import_key()`. You can use an already imported key instead of importing a new one.
-1. Call `psa_asymmetric_sign()` and get the output buffer that contains the signature:
+To sign a given `hash` using RSA:
+1. Call `psa_asymmetric_sign()` and get the output buffer that contains the
+   signature:
 ```C
     psa_status_t status;
-    int key_slot = 1;
-    unsigned char key[] = "RSA_KEY";
-    unsigned char payload[] = "ASYMMETRIC_INPUT_FOR_SIGN";
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
-    unsigned char signature[PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE] = {0};
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    uint8_t key[] = RSA_KEY;
+    uint8_t hash[] = "INPUT_FOR_SIGN";
+    uint8_t signature[PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE] = {0};
     size_t signature_length;
+    psa_key_handle_t handle;
 
+    printf("Sign a message...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
     status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
+    /* Set key attributes */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN);
+    psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_SIGN_RAW);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+    psa_set_key_bits(&attributes, 1024);
 
     /* Import the key */
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_SIGN,
-                             PSA_ALG_RSA_PKCS1V15_SIGN_RAW);
-    status = psa_set_key_policy(key_slot, &policy);
+    status = psa_import_key(&attributes, key, sizeof(key), &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import key\n");
+        return;
+    }
 
-    status = psa_import_key(key_slot, PSA_KEY_TYPE_RSA_KEY_PAIR,
-                            key, sizeof(key));
-
-    /* Sing message using the key */
-    status = psa_asymmetric_sign(key_slot, PSA_ALG_RSA_PKCS1V15_SIGN_RAW,
-                                 payload, sizeof(payload),
+    /* Sign message using the key */
+    status = psa_asymmetric_sign(handle, PSA_ALG_RSA_PKCS1V15_SIGN_RAW,
+                                 hash, sizeof(hash),
                                  signature, sizeof(signature),
                                  &signature_length);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to sign\n");
+        return;
+    }
+
+    printf("Signed a message\n");
+
+    /* Free the attributes */
+    psa_reset_key_attributes(&attributes);
+
     /* Destroy the key */
-    psa_destroy_key(key_slot);
+    psa_destroy_key(handle);
+
     mbedtls_psa_crypto_free();
 ```
 
-### Encrypting or decrypting using symmetric ciphers
+### Using symmetric ciphers
 
 Mbed Crypto provides support for encrypting and decrypting messages using various symmetric cipher algorithms (both block and stream ciphers).
 
@@ -156,32 +193,78 @@
 1. Call `psa_cipher_update` one or more times, passing either the whole or only a fragment of the message each time.
 1. Call `psa_cipher_finish` to end the operation and output the encrypted message.
 
-Encrypting random data using an AES key in cipher block chain (CBC) mode with no padding (assuming all prerequisites have been fulfilled):
+Encrypting data using an AES key in cipher block chain (CBC) mode with no padding (assuming all prerequisites have been fulfilled):
 ```c
-    psa_key_slot_t key_slot = 1;
+    enum {
+        block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES),
+    };
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
-    psa_cipher_operation_t operation;
-    size_t block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES);
-    unsigned char input[block_size];
-    unsigned char iv[block_size];
+    uint8_t plaintext[block_size] = SOME_PLAINTEXT;
+    uint8_t iv[block_size];
     size_t iv_len;
-    unsigned char output[block_size];
+    uint8_t key[] = AES_KEY;
+    uint8_t output[block_size];
     size_t output_len;
+    psa_key_handle_t handle;
+    psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
 
-    /* generate some random data to be encrypted */
-    psa_generate_random(input, sizeof(input));
+    printf("Encrypt with cipher...\t");
+    fflush(stdout);
 
-    /* encrypt the key */
-    psa_cipher_encrypt_setup(&operation, key_slot, alg);
-    psa_cipher_generate_iv(&operation, iv, sizeof(iv), &iv_len);
-    psa_cipher_update(&operation, input, sizeof(input),
-    output, sizeof(output),
-    &output_len);
-    psa_cipher_finish(&operation,
-    output + output_len, sizeof(output) - output_len,
-    &output_len);
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS)
+    {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
+    /* Import a key */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
+    status = psa_import_key(&attributes, key, sizeof(key), &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import a key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
+
+    /* Encrypt the plaintext */
+    status = psa_cipher_encrypt_setup(&operation, handle, alg);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to begin cipher operation\n");
+        return;
+    }
+    status = psa_cipher_generate_iv(&operation, iv, sizeof(iv), &iv_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to generate IV\n");
+        return;
+    }
+    status = psa_cipher_update(&operation, plaintext, sizeof(plaintext),
+                               output, sizeof(output), &output_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to update cipher operation\n");
+        return;
+    }
+    status = psa_cipher_finish(&operation, output + output_len,
+                               sizeof(output) - output_len, &output_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to finish cipher operation\n");
+        return;
+    }
+    printf("Encrypted plaintext\n");
+
     /* Clean up cipher operation context */
     psa_cipher_abort(&operation);
+
+    /* Destroy the key */
+    psa_destroy_key(handle);
+
+    mbedtls_psa_crypto_free();
 ```
 
 Decrypting a message with a symmetric cipher:
@@ -194,31 +277,75 @@
 Decrypting encrypted data using an AES key in CBC mode with no padding
 (assuming all prerequisites have been fulfilled):
 ```c
-    psa_key_slot_t key_slot = 1;
+    enum {
+        block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES),
+    };
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_algorithm_t alg = PSA_ALG_CBC_NO_PADDING;
-    psa_cipher_operation_t operation;
-    size_t block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(PSA_KEY_TYPE_AES);
-    unsigned char input[block_size];
-    unsigned char iv[block_size];
-    size_t iv_len;
-    unsigned char output[block_size];
+    psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
+    uint8_t ciphertext[block_size] = SOME_CIPHERTEXT;
+    uint8_t iv[block_size] = ENCRYPTED_WITH_IV;
+    uint8_t key[] = AES_KEY;
+    uint8_t output[block_size];
     size_t output_len;
+    psa_key_handle_t handle;
 
-    /* setup input data */
-    fetch_iv(iv, sizeof(iv));     /* fetch the IV used when the data was encrypted */
-    fetch_input(input, sizeof(input));      /* fetch the data to be decrypted */
+    printf("Decrypt with cipher...\t");
+    fflush(stdout);
 
-    /* encrypt the encrypted data */
-    psa_cipher_decrypt_setup(&operation, key_slot, alg);
-    psa_cipher_set_iv(&operation, iv, sizeof(iv));
-    psa_cipher_update(&operation, input, sizeof(input),
-    output, sizeof(output),
-    &output_len);
-    psa_cipher_finish(&operation,
-    output + output_len, sizeof(output) - output_len,
-    &output_len);
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS)
+    {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
+    /* Import a key */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
+    status = psa_import_key(&attributes, key, sizeof(key), &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import a key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
+
+    /* Decrypt the ciphertext */
+    status = psa_cipher_decrypt_setup(&operation, handle, alg);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to begin cipher operation\n");
+        return;
+    }
+    status = psa_cipher_set_iv(&operation, iv, sizeof(iv));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to set IV\n");
+        return;
+    }
+    status = psa_cipher_update(&operation, ciphertext, sizeof(ciphertext),
+                               output, sizeof(output), &output_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to update cipher operation\n");
+        return;
+    }
+    status = psa_cipher_finish(&operation, output + output_len,
+                               sizeof(output) - output_len, &output_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to finish cipher operation\n");
+        return;
+    }
+    printf("Decrypted ciphertext\n");
+
     /* Clean up cipher operation context */
     psa_cipher_abort(&operation);
+
+    /* Destroy the key */
+    psa_destroy_key(handle);
+
+    mbedtls_psa_crypto_free();
 ```
 
 #### Handling cipher operation contexts
@@ -237,9 +364,8 @@
 
 ### Hashing a message
 
-Mbed Crypto lets you compute and verify hashes using various hashing algorithms.
-
-The current implementation supports the following hash algorithms: `MD2`, `MD4`, `MD5`, `RIPEMD160`, `SHA-1`, `SHA-224`, `SHA-256`, `SHA-384`, and `SHA-512`.
+Mbed Crypto lets you compute and verify hashes using various hashing
+algorithms.
 
 Prerequisites to working with the hash APIs:
 * Initialize the library with a successful call to `psa_crypto_init`.
@@ -252,25 +378,54 @@
 
 Calculate the `SHA-256` hash of a message:
 ```c
+    psa_status_t status;
     psa_algorithm_t alg = PSA_ALG_SHA_256;
-    psa_hash_operation_t operation;
+    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
     unsigned char input[] = { 'a', 'b', 'c' };
     unsigned char actual_hash[PSA_HASH_MAX_SIZE];
     size_t actual_hash_len;
 
+    printf("Hash a message...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
     /* Compute hash of message  */
-    psa_hash_setup(&operation, alg);
-    psa_hash_update(&operation, input, sizeof(input));
-    psa_hash_finish(&operation, actual_hash, sizeof(actual_hash), &actual_hash_len);
+    status = psa_hash_setup(&operation, alg);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to begin hash operation\n");
+        return;
+    }
+    status = psa_hash_update(&operation, input, sizeof(input));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to update hash operation\n");
+        return;
+    }
+    status = psa_hash_finish(&operation, actual_hash, sizeof(actual_hash),
+                             &actual_hash_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to finish hash operation\n");
+        return;
+    }
+
+    printf("Hashed a message\n");
 
     /* Clean up hash operation context */
     psa_hash_abort(&operation);
+
+    mbedtls_psa_crypto_free();
 ```
 
 Verify the `SHA-256` hash of a message:
 ```c
+    psa_status_t status;
     psa_algorithm_t alg = PSA_ALG_SHA_256;
-    psa_hash_operation_t operation;
+    psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
     unsigned char input[] = { 'a', 'b', 'c' };
     unsigned char expected_hash[] = {
         0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde,
@@ -279,10 +434,39 @@
     };
     size_t expected_hash_len = PSA_HASH_SIZE(alg);
 
+    printf("Verify a hash...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
     /* Verify message hash */
-    psa_hash_setup(&operation, alg);
-    psa_hash_update(&operation, input, sizeof(input));
-    psa_hash_verify(&operation, expected_hash, expected_hash_len);
+    status = psa_hash_setup(&operation, alg);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to begin hash operation\n");
+        return;
+    }
+    status = psa_hash_update(&operation, input, sizeof(input));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to update hash operation\n");
+        return;
+    }
+    status = psa_hash_verify(&operation, expected_hash, expected_hash_len);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to verify hash\n");
+        return;
+    }
+
+    printf("Verified a hash\n");
+
+    /* Clean up hash operation context */
+    psa_hash_abort(&operation);
+
+    mbedtls_psa_crypto_free();
 ```
 
 The API provides the macro `PSA_HASH_SIZE`, which returns the expected hash length (in bytes) for the specified algorithm.
@@ -304,86 +488,172 @@
 
 ### Generating a random value
 
-Mbed Crypto can generate random data.
+Mbed Crypto can generate random data. To generate a random key, use
+`psa_generate_key()` instead of `psa_generate_random()`
 
 Prerequisites to random generation:
-* Initialize the library with a successful call to `psa_crypto_init`.
+* Initialize the library with a successful call to `psa_crypto_init()`.
 
 Generate a random, ten-byte piece of data:
 1. Generate random bytes by calling `psa_generate_random()`:
 ```C
     psa_status_t status;
     uint8_t random[10] = { 0 };
-    psa_crypto_init();
-    status = psa_generate_random(random, sizeof(random));
 
+    printf("Generate random...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
+
+    status = psa_generate_random(random, sizeof(random));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to generate a random value\n");
+        return;
+    }
+
+    printf("Generated random data\n");
+
+    /* Clean up */
     mbedtls_psa_crypto_free();
 ```
 
 ### Deriving a new key from an existing key
 
-Mbed Crypto provides a key derivation API that lets you derive new keys from existing ones. Key derivation is based upon the generator abstraction. A generator must first be initialized and set up (provided with a key and optionally other data) and then derived data can be read from it either to a buffer or directly imported into a key slot.
+Mbed Crypto provides a key derivation API that lets you derive new keys from
+existing ones. The key derivation API has functions to take inputs, including
+other keys and data, and functions to generate outputs, such as new keys or
+other data. A key derivation context must first be initialized and set up,
+provided with a key and optionally other data, and then derived data can be
+read from it either to a buffer or directly sent to a key slot. Refer to the
+documentation for the particular algorithm (such as HKDF or the TLS1.2 PRF) for
+information on which inputs to pass when and when you can obtain which outputs.
 
 Prerequisites to working with the key derivation APIs:
 * Initialize the library with a successful call to `psa_crypto_init`.
-* Configure the key policy for the key used for derivation (`PSA_KEY_USAGE_DERIVE`)
-* The key type must be `PSA_KEY_TYPE_DERIVE`.
+* Use a key with the appropriate attributes set:
+    * Usage flags set for key derivation (`PSA_KEY_USAGE_DERIVE`)
+    * Key type set to `PSA_KEY_TYPE_DERIVE`.
+    * Algorithm set to a key derivation algorithm
+      (`PSA_ALG_HKDF(PSA_ALG_SHA_256)`).
 
-Deriving a new AES-CTR 128-bit encryption key into a given key slot using HKDF with a given key, salt and label:
-1. Set the key policy for key derivation by calling `psa_key_policy_set_usage()` with `PSA_KEY_USAGE_DERIVE` parameter, and the algorithm `PSA_ALG_HKDF(PSA_ALG_SHA_256)`.
-1. Import the key into the key slot by calling `psa_import_key()`. You can skip this step and the previous one if the key has already been imported into a known key slot.
-1. Set up the generator using the `psa_key_derivation` function providing a key slot containing a key that can be used for key derivation and a salt and label (Note: salt and label are optional).
-1. Initiate a key policy to for the derived key by calling `psa_key_policy_set_usage()` with `PSA_KEY_USAGE_ENCRYPT` parameter and the algorithm `PSA_ALG_CTR`.
-1. Set the key policy to the derived key slot.
-1. Import a key from generator into the desired key slot using (`psa_key_derivation_output_key`).
-1. Clean up generator.
+Deriving a new AES-CTR 128-bit encryption key into a given key slot using HKDF
+with a given key, salt and info:
+1. Set up the key derivation context using the `psa_key_derivation_setup`
+function, specifying the derivation algorithm `PSA_ALG_HKDF(PSA_ALG_SHA_256)`.
+1. Provide an optional salt with `psa_key_derivation_input_bytes`.
+1. Provide info with `psa_key_derivation_input_bytes`.
+1. Provide secret with `psa_key_derivation_input_key`, referencing a key that
+   can be used for key derivation.
+1. Set the key attributes desired for the new derived key. We'll set
+   `PSA_KEY_USAGE_ENCRYPT` parameter and the algorithm `PSA_ALG_CTR` for this
+   example.
+1. Derive the key by calling `psa_key_derivation_output_key()`.
+1. Clean up the key derivation context.
 
-At this point the derived key slot holds a new 128-bit AES-CTR encryption key derived from the key, salt and label provided:
+At this point the derived key slot holds a new 128-bit AES-CTR encryption key
+derived from the key, salt and info provided:
 ```C
-    psa_key_slot_t base_key = 1;
-    psa_key_slot_t derived_key = 2;
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
-
-    unsigned char key[] = {
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    static const unsigned char key[] = {
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
         0x0b };
-
-    unsigned char salt[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
-                             0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
-
-    unsigned char label[] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6,
-                              0xf7, 0xf8, 0xf9 };
-
+    static const unsigned char salt[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+        0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
+    static const unsigned char info[] = {
+        0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6,
+        0xf7, 0xf8, 0xf9 };
     psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
-    psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
+    psa_key_derivation_operation_t operation =
+        PSA_KEY_DERIVATION_OPERATION_INIT;
     size_t derived_bits = 128;
     size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
+    psa_key_handle_t base_key;
+    psa_key_handle_t derived_key;
 
+    printf("Derive a key (HKDF)...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
     status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
 
-    /* Import a key for use in key derivation, if such a key has already been imported you can skip this part */
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_DERIVE, alg);
-    status = psa_set_key_policy(base_key, &policy);
+    /* Import a key for use in key derivation. If such a key has already been
+     * generated or imported, you can skip this part. */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
+    status = psa_import_key(&attributes, key, sizeof(key), &base_key);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import a key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
 
-    status = psa_import_key(base_key, PSA_KEY_TYPE_DERIVE, key, sizeof(key));
+    /* Derive a key */
+    status = psa_key_derivation_setup(&operation, alg);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to begin key derivation\n");
+        return;
+    }
+    status = psa_key_derivation_set_capacity(&operation, capacity);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to set capacity\n");
+        return;
+    }
+    status = psa_key_derivation_input_bytes(&operation,
+                                            PSA_KEY_DERIVATION_INPUT_SALT,
+                                            salt, sizeof(salt));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to input salt (extract)\n");
+        return;
+    }
+    status = psa_key_derivation_input_key(&operation,
+                                          PSA_KEY_DERIVATION_INPUT_SECRET,
+                                          base_key);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to input key (extract)\n");
+        return;
+    }
+    status = psa_key_derivation_input_bytes(&operation,
+                                            PSA_KEY_DERIVATION_INPUT_INFO,
+                                            info, sizeof(info));
+    if (status != PSA_SUCCESS) {
+        printf("Failed to input info (expand)\n");
+        return;
+    }
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+    psa_set_key_algorithm(&attributes, PSA_ALG_CTR);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
+    status = psa_key_derivation_output_key(&attributes, &operation,
+                                           &derived_key);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to derive key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
 
-    /* Derive a key into a key slot*/
-    status = psa_key_derivation(&generator, base_key, alg, salt, sizeof(salt),
-                                label, sizeof(label), capacity);
+    printf("Derived key\n");
 
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_ENCRYPT, PSA_ALG_CTR);
+    /* Clean up key derivation operation */
+    psa_key_derivation_abort(&operation);
 
-    psa_set_key_policy(derived_key, &policy);
+    /* Destroy the keys */
+    psa_destroy_key(derived_key);
+    psa_destroy_key(base_key);
 
-    psa_key_derivation_output_key(derived_key, PSA_KEY_TYPE_AES, derived_bits, &generator);
-
-    /* Clean up generator and key */
-    psa_key_derivation_abort(&generator);
-    /* as part of clean up you may want to clean up the keys used by calling:
-     * psa_destroy_key( base_key ); or psa_destroy_key( derived_key ); */
     mbedtls_psa_crypto_free();
 ```
 
@@ -393,95 +663,152 @@
 
 Prerequisites to working with the AEAD ciphers APIs:
 * Initialize the library with a successful call to `psa_crypto_init`.
-* The key policy for the key used for derivation must be configured accordingly (`PSA_KEY_USAGE_ENCRYPT` or `PSA_KEY_USAGE_DECRYPT`).
+* The key attributes for the key used for derivation must have usage flags
+  `PSA_KEY_USAGE_ENCRYPT` or `PSA_KEY_USAGE_DECRYPT`.
 
 To authenticate and encrypt a message:
 ```C
-    int slot = 1;
     psa_status_t status;
-    unsigned char key[] = { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
-                            0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
-
-    unsigned char nonce[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-                              0x08, 0x09, 0x0A, 0x0B };
-
-    unsigned char additional_data[] = { 0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25, 0x20,
-                                        0xC3, 0x3C, 0x49, 0xFD, 0x70 };
-
-    unsigned char input_data[] = { 0xB9, 0x6B, 0x49, 0xE2, 0x1D, 0x62, 0x17, 0x41,
-                                   0x63, 0x28, 0x75, 0xDB, 0x7F, 0x6C, 0x92, 0x43,
-                                   0xD2, 0xD7, 0xC2 };
-    unsigned char *output_data = NULL;
+    static const uint8_t key[] = {
+        0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
+        0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
+    static const uint8_t nonce[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B };
+    static const uint8_t additional_data[] = {
+        0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25,
+        0x20, 0xC3, 0x3C, 0x49, 0xFD, 0x70 };
+    static const uint8_t input_data[] = {
+        0xB9, 0x6B, 0x49, 0xE2, 0x1D, 0x62, 0x17, 0x41,
+        0x63, 0x28, 0x75, 0xDB, 0x7F, 0x6C, 0x92, 0x43,
+        0xD2, 0xD7, 0xC2 };
+    uint8_t *output_data = NULL;
     size_t output_size = 0;
     size_t output_length = 0;
     size_t tag_length = 16;
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_handle_t handle;
+
+    printf("Authenticate encrypt...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
 
     output_size = sizeof(input_data) + tag_length;
-    output_data = malloc(output_size);
-    status = psa_crypto_init();
+    output_data = (uint8_t *)malloc(output_size);
+    if (!output_data) {
+        printf("Out of memory\n");
+        return;
+    }
 
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_ENCRYPT, PSA_ALG_CCM);
-    status = psa_set_key_policy(slot, &policy);
+    /* Import a key */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
+    psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
+    status = psa_import_key(&attributes, key, sizeof(key), &handle);
+    psa_reset_key_attributes(&attributes);
 
-    status = psa_import_key(slot, PSA_KEY_TYPE_AES, key, sizeof(key));
-
-    status = psa_aead_encrypt(slot, PSA_ALG_CCM,
+    /* Authenticate and encrypt */
+    status = psa_aead_encrypt(handle, PSA_ALG_CCM,
                               nonce, sizeof(nonce),
                               additional_data, sizeof(additional_data),
                               input_data, sizeof(input_data),
                               output_data, output_size,
                               &output_length);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to authenticate and encrypt\n");
+        return;
+    }
 
-    psa_destroy_key(slot);
-    mbedtls_free(output_data);
+    printf("Authenticated and encrypted\n");
+
+    /* Clean up */
+    free(output_data);
+
+    /* Destroy the key */
+    psa_destroy_key(handle);
+
     mbedtls_psa_crypto_free();
 ```
 
 To authenticate and decrypt a message:
 
 ```C
-    int slot = 1;
     psa_status_t status;
-    unsigned char key[] = {
+    static const uint8_t key[] = {
         0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
-        0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF
-    };
-
-    unsigned char nonce[] = { 0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25, 0x20, 0xC3,
-                              0x3C, 0x49, 0xFD, 0x70
-                            };
-
-    unsigned char additional_data[] = { 0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25, 0x20,
-                                        0xC3, 0x3C, 0x49, 0xFD, 0x70
-                                      };
-    unsigned char input_data[] = { 0xB9, 0x6B, 0x49, 0xE2, 0x1D, 0x62, 0x17, 0x41,
-                                   0x63, 0x28, 0x75, 0xDB, 0x7F, 0x6C, 0x92, 0x43,
-                                   0xD2, 0xD7, 0xC2
-                                 };
-    unsigned char *output_data = NULL;
+        0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
+    static const uint8_t nonce[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B };
+    static const uint8_t additional_data[] = {
+        0xEC, 0x46, 0xBB, 0x63, 0xB0, 0x25,
+        0x20, 0xC3, 0x3C, 0x49, 0xFD, 0x70 };
+    static const uint8_t input_data[] = {
+        0x20, 0x30, 0xE0, 0x36, 0xED, 0x09, 0xA0, 0x45, 0xAF, 0x3C, 0xBA, 0xEE,
+        0x0F, 0xC8, 0x48, 0xAF, 0xCD, 0x89, 0x54, 0xF4, 0xF6, 0x3F, 0x28, 0x9A,
+        0xA1, 0xDD, 0xB2, 0xB8, 0x09, 0xCD, 0x7C, 0xE1, 0x46, 0xE9, 0x98 };
+    uint8_t *output_data = NULL;
     size_t output_size = 0;
     size_t output_length = 0;
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_handle_t handle;
+
+    printf("Authenticate decrypt...\t");
+    fflush(stdout);
+
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
 
     output_size = sizeof(input_data);
-    output_data = malloc(output_size);
-    status = psa_crypto_init();
+    output_data = (uint8_t *)malloc(output_size);
+    if (!output_data) {
+        printf("Out of memory\n");
+        return;
+    }
 
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_DECRYPT, PSA_ALG_CCM);
-    status = psa_set_key_policy(slot, &policy);
+    /* Import a key */
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
+    psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
+    psa_set_key_bits(&attributes, 128);
+    status = psa_import_key(&attributes, key, sizeof(key), &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to import a key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
 
-    status = psa_import_key(slot, PSA_KEY_TYPE_AES, key, sizeof(key));
-
-    status = psa_aead_decrypt(slot, PSA_ALG_CCM,
+    /* Authenticate and decrypt */
+    status = psa_aead_decrypt(handle, PSA_ALG_CCM,
                               nonce, sizeof(nonce),
                               additional_data, sizeof(additional_data),
                               input_data, sizeof(input_data),
                               output_data, output_size,
                               &output_length);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to authenticate and decrypt %ld\n", status);
+        return;
+    }
 
-    psa_destroy_key(slot);
-    mbedtls_free(output_data);
+    printf("Authenticated and decrypted\n");
+
+    /* Clean up */
+    free(output_data);
+
+    /* Destroy the key */
+    psa_destroy_key(handle);
+
     mbedtls_psa_crypto_free();
 ```
 
@@ -492,29 +819,61 @@
 Prerequisites to using key generation and export APIs:
 * Initialize the library with a successful call to `psa_crypto_init`.
 
-Generate a piece of random 128-bit AES data:
-1. Set the key policy for key generation by calling `psa_key_policy_set_usage()` with the `PSA_KEY_USAGE_EXPORT` parameter and the algorithm `PSA_ALG_GCM`.
-1. Generate a random AES key by calling `psa_generate_key()`.
-1. Export the generated key by calling `psa_export_key()`:
+Generate an ECDSA key:
+1. Set the desired key attributes for key generation by calling
+   `psa_set_key_algorithm()` with the chosen ECDSA algorithm (such as
+   `PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)`). We don't set
+   `PSA_KEY_USAGE_EXPORT` as we only want to export the public key, not the key
+   pair (or private key).
+1. Generate a key by calling `psa_generate_key()`.
+1. Export the generated public key by calling `psa_export_public_key()`
+:
 ```C
-    int slot = 1;
-    size_t bits = 128;
-    size_t exported_size = bits;
+    enum {
+        key_bits = 256,
+    };
+    psa_status_t status;
     size_t exported_length = 0;
-    uint8_t *exported = malloc(exported_size);
-    psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+    static uint8_t exported[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)];
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_handle_t handle;
 
-    psa_crypto_init();
+    printf("Generate a key pair...\t");
+    fflush(stdout);
 
-    psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_EXPORT, PSA_ALG_GCM);
-    psa_set_key_policy(slot, &policy);
+    /* Initialize PSA Crypto */
+    status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        printf("Failed to initialize PSA Crypto\n");
+        return;
+    }
 
     /* Generate a key */
-    psa_generate_key(slot, PSA_KEY_TYPE_AES, bits);
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN);
+    psa_set_key_algorithm(&attributes,
+                          PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
+    psa_set_key_type(&attributes,
+                     PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1));
+    psa_set_key_bits(&attributes, key_bits);
+    status = psa_generate_key(&attributes, &handle);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to generate key\n");
+        return;
+    }
+    psa_reset_key_attributes(&attributes);
 
-    psa_export_key(slot, exported, exported_size, &exported_length)
+    status = psa_export_public_key(handle, exported, sizeof(exported),
+                                   &exported_length);
+    if (status != PSA_SUCCESS) {
+        printf("Failed to export public key %ld\n", status);
+        return;
+    }
 
-    psa_destroy_key(slot);
+    printf("Exported a public key\n");
+
+    /* Destroy the key */
+    psa_destroy_key(handle);
+
     mbedtls_psa_crypto_free();
 ```
 
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2b5bb97..0d8cbfa 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -358,17 +358,18 @@
  * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
  * always has a nonzero key identifier, set with psa_set_key_id() when
  * creating the key. Implementations may provide additional pre-provisioned
- * keys with identifiers in the range
- * #PSA_KEY_ID_VENDOR_MIN–#PSA_KEY_ID_VENDOR_MAX.
+ * keys that can be opened with psa_open_key(). Such keys have a key identifier
+ * in the vendor range, as documented in the description of #psa_key_id_t.
  *
  * The application must eventually close the handle with psa_close_key()
  * to release associated resources. If the application dies without calling
  * psa_close_key(), the implementation should perform the equivalent of a
  * call to psa_close_key().
  *
- * Implementations may provide additional keys that can be opened with
- * psa_open_key(). Such keys have a key identifier in the vendor range,
- * as documented in the description of #psa_key_id_t.
+ * Some implementations permit an application to open the same key multiple
+ * times. Applications that rely on this behavior will not be portable to
+ * implementations that only permit a single key handle to be opened. See
+ * also :ref:\`key-handles\`.
  *
  * \param id            The persistent identifier of the key.
  * \param[out] handle   On success, a handle to the key.
@@ -377,9 +378,14 @@
  *         Success. The application can now use the value of `*handle`
  *         to access the key.
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ *         The implementation does not have sufficient resources to open the
+ *         key. This can be due to reaching an implementation limit on the
+ *         number of open keys, the number of open key handles, or available
+ *         memory.
  * \retval #PSA_ERROR_DOES_NOT_EXIST
+ *         There is no persistent key with key identifier \p id.
  * \retval #PSA_ERROR_INVALID_ARGUMENT
- *         \p id is invalid.
+ *         \p id is not a valid persistent key identifier.
  * \retval #PSA_ERROR_NOT_PERMITTED
  *         The specified key exists, but the application does not have the
  *         permission to access it. Note that this specification does not
@@ -394,15 +400,19 @@
 
 /** Close a key handle.
  *
- * If the handle designates a volatile key, destroy the key material and
- * free all associated resources, just like psa_destroy_key().
+ * If the handle designates a volatile key, this will destroy the key material
+ * and free all associated resources, just like psa_destroy_key().
  *
- * If the handle designates a persistent key, free all resources associated
- * with the key in volatile memory. The key in persistent storage is
- * not affected and can be opened again later with psa_open_key().
+ * If this is the last open handle to a persistent key, then closing the handle
+ * will free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and can be opened again later
+ * with a call to psa_open_key().
  *
- * If the key is currently in use in a multipart operation,
- * the multipart operation is aborted.
+ * Closing the key handle makes the handle invalid, and the key handle
+ * must not be used again by the application.
+ *
+ * If the key is currently in use in a multipart operation, then closing the
+ * last remaining handle to the key will abort the multipart operation.
  *
  * \param handle        The key handle to close.
  *
@@ -496,6 +506,11 @@
  * This function also erases any metadata such as policies and frees all
  * resources associated with the key.
  *
+ * Destroying a key will invalidate all existing handles to the key.
+ *
+ * If the key is currently in use in a multipart operation, then destroying the
+ * key will abort the multipart operation.
+ *
  * \param handle        Handle to the key to erase.
  *
  * \retval #PSA_SUCCESS
@@ -3201,6 +3216,8 @@
  * \retval #PSA_ERROR_NOT_SUPPORTED
  *         The key type or key size is not supported, either by the
  *         implementation in general or in this particular location.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The provided key attributes are not valid for the operation.
  * \retval #PSA_ERROR_BAD_STATE
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 6dfaa13..636c881 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -104,6 +104,117 @@
     return( attributes->core.policy.alg2 );
 }
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+
+/** Retrieve the slot number where a key is stored.
+ *
+ * A slot number is only defined for keys that are stored in a secure
+ * element.
+ *
+ * This information is only useful if the secure element is not entirely
+ * managed through the PSA Cryptography API. It is up to the secure
+ * element driver to decide how PSA slot numbers map to any other interface
+ * that the secure element may have.
+ *
+ * \param[in] attributes        The key attribute structure to query.
+ * \param[out] slot_number      On success, the slot number containing the key.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key is located in a secure element, and \p *slot_number
+ *         indicates the slot number that contains it.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The caller is not permitted to query the slot number.
+ *         Mbed Crypto currently does not return this error.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The key is not located in a secure element.
+ */
+psa_status_t psa_get_key_slot_number(
+    const psa_key_attributes_t *attributes,
+    psa_key_slot_number_t *slot_number );
+
+/** Choose the slot number where a key is stored.
+ *
+ * This function declares a slot number in the specified attribute
+ * structure.
+ *
+ * A slot number is only meaningful for keys that are stored in a secure
+ * element. It is up to the secure element driver to decide how PSA slot
+ * numbers map to any other interface that the secure element may have.
+ *
+ * \note Setting a slot number in key attributes for a key creation can
+ *       cause the following errors when creating the key:
+ *       - #PSA_ERROR_NOT_SUPPORTED if the selected secure element does
+ *         not support choosing a specific slot number.
+ *       - #PSA_ERROR_NOT_PERMITTED if the caller is not permitted to
+ *         choose slot numbers in general or to choose this specific slot.
+ *       - #PSA_ERROR_INVALID_ARGUMENT if the chosen slot number is not
+ *         valid in general or not valid for this specific key.
+ *       - #PSA_ERROR_ALREADY_EXISTS if there is already a key in the
+ *         selected slot.
+ *
+ * \param[out] attributes       The attribute structure to write to.
+ * \param slot_number           The slot number to set.
+ */
+static inline void psa_set_key_slot_number(
+    psa_key_attributes_t *attributes,
+    psa_key_slot_number_t slot_number )
+{
+    attributes->core.flags |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
+    attributes->slot_number = slot_number;
+}
+
+/** Remove the slot number attribute from a key attribute structure.
+ *
+ * This function undoes the action of psa_set_key_slot_number().
+ *
+ * \param[out] attributes       The attribute structure to write to.
+ */
+static inline void psa_clear_key_slot_number(
+    psa_key_attributes_t *attributes )
+{
+    attributes->core.flags &= ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER;
+}
+
+/** Register a key that is already present in a secure element.
+ *
+ * The key must be located in a secure element designated by the
+ * lifetime field in \p attributes, in the slot set with
+ * psa_set_key_slot_number() in the attribute structure.
+ * This function makes the key available through the key identifier
+ * specified in \p attributes.
+ *
+ * \param[in] attributes        The attributes of the existing key.
+ *
+ * \retval #PSA_SUCCESS
+ *         The key was successfully registered.
+ *         Note that depending on the design of the driver, this may or may
+ *         not guarantee that a key actually exists in the designated slot
+ *         and is compatible with the specified attributes.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ *         There is already a key with the identifier specified in
+ *         \p attributes.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         \p attributes specifies a lifetime which is not located
+ *         in a secure element.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         No slot number is specified in \p attributes,
+ *         or the specified slot number is not valid.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The caller is not authorized to register the specified key slot.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ *         The library has not been previously initialized by psa_crypto_init().
+ *         It is implementation-dependent whether a failure to initialize
+ *         results in this error code.
+ */
+psa_status_t mbedtls_psa_register_se_key(
+    const psa_key_attributes_t *attributes);
+
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 /**@}*/
 
 /**
@@ -140,9 +251,9 @@
     /** Number of slots that are not used for anything. */
     size_t empty_slots;
     /** Largest key id value among open keys in internal persistent storage. */
-    psa_key_id_t max_open_internal_key_id;
+    psa_app_key_id_t max_open_internal_key_id;
     /** Largest key id value among open keys in secure elements. */
-    psa_key_id_t max_open_external_key_id;
+    psa_app_key_id_t max_open_external_key_id;
 } mbedtls_psa_stats_t;
 
 /** \brief Get statistics about
@@ -221,68 +332,9 @@
  *         The library has already been initialized. It is no longer
  *         possible to call this function.
  */
-psa_status_t mbedtls_psa_inject_entropy(uint8_t *seed,
+psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
                                         size_t seed_size);
 
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/** Set up a key derivation operation.
- *
- * FIMXE This function is no longer part of the official API. Its prototype
- * is only kept around for the sake of tests that haven't been updated yet.
- *
- * A key derivation algorithm takes three inputs: a secret input \p handle and
- * two non-secret inputs \p label and p salt.
- * The result of this function is a byte generator which can
- * be used to produce keys and other cryptographic material.
- *
- * The role of \p label and \p salt is as follows:
- * - For HKDF (#PSA_ALG_HKDF), \p salt is the salt used in the "extract" step
- *   and \p label is the info string used in the "expand" step.
- *
- * \param[in,out] operation       The key derivation object to set up. It must
- *                                have been initialized as per the documentation
- *                                for #psa_key_derivation_operation_t and not
- *                                yet be in use.
- * \param handle                  Handle to the secret key.
- * \param alg                     The key derivation algorithm to compute
- *                                (\c PSA_ALG_XXX value such that
- *                                #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
- * \param[in] salt                Salt to use.
- * \param salt_length             Size of the \p salt buffer in bytes.
- * \param[in] label               Label to use.
- * \param label_length            Size of the \p label buffer in bytes.
- * \param capacity                The maximum number of bytes that the
- *                                operation will be able to provide.
- *
- * \retval #PSA_SUCCESS
- *         Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_EMPTY_SLOT
- * \retval #PSA_ERROR_NOT_PERMITTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- *         \c key is not compatible with \c alg,
- *         or \p capacity is too large for the specified algorithm and key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- *         \c alg is not supported or is not a key derivation algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_BAD_STATE
- *         The library has not been previously initialized by psa_crypto_init().
- *         It is implementation-dependent whether a failure to initialize
- *         results in this error code.
- */
-psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation,
-                                psa_key_handle_t handle,
-                                psa_algorithm_t alg,
-                                const uint8_t *salt,
-                                size_t salt_length,
-                                const uint8_t *label,
-                                size_t label_length,
-                                size_t capacity);
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-
 /** \addtogroup crypto_types
  * @{
  */
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 86af08f..572f40c 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -89,6 +89,7 @@
  * `psa_key_file_id_t` argument. As a workaround, make `psa_key_id_t` an
  * alias for `psa_key_file_id_t` when building for a multi-client service. */
 typedef psa_key_file_id_t psa_key_id_t;
+#define PSA_KEY_ID_INIT {0, 0}
 
 #else /* !MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
 
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
index f95eaeb..a43e0db 100644
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@@ -134,10 +134,17 @@
                                           void *persistent_data,
                                           psa_key_lifetime_t lifetime);
 
+#if defined(__DOXYGEN_ONLY__) || !defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* Mbed Crypto with secure element support enabled defines this type in
+ * crypto_types.h because it is also visible to applications through an
+ * implementation-specific extension.
+ * For the PSA Cryptography specification, this type is only visible
+ * via crypto_se_driver.h. */
 /** An internal designation of a key slot between the core part of the
  * PSA Crypto implementation and the driver. The meaning of this value
  * is driver-dependent. */
 typedef uint64_t psa_key_slot_number_t;
+#endif /* __DOXYGEN_ONLY__ || !MBEDTLS_PSA_CRYPTO_SE_C */
 
 /**@}*/
 
@@ -803,12 +810,90 @@
  */
 /**@{*/
 
+/** An enumeration indicating how a key is created.
+ */
+typedef enum
+{
+    PSA_KEY_CREATION_IMPORT, /**< During psa_import_key() */
+    PSA_KEY_CREATION_GENERATE, /**< During psa_generate_key() */
+    PSA_KEY_CREATION_DERIVE, /**< During psa_key_derivation_output_key() */
+    PSA_KEY_CREATION_COPY, /**< During psa_copy_key() */
+
+#ifndef __DOXYGEN_ONLY__
+    /** A key is being registered with mbedtls_psa_register_se_key().
+     *
+     * The core only passes this value to
+     * psa_drv_se_key_management_t::p_validate_slot_number, not to
+     * psa_drv_se_key_management_t::p_allocate. The call to
+     * `p_validate_slot_number` is not followed by any other call to the
+     * driver: the key is considered successfully registered if the call to
+     * `p_validate_slot_number` succeeds, or if `p_validate_slot_number` is
+     * null.
+     *
+     * With this creation method, the driver must return #PSA_SUCCESS if
+     * the given attributes are compatible with the existing key in the slot,
+     * and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
+     * is no key with the specified slot number.
+     *
+     * This is an Mbed Crypto extension.
+     */
+    PSA_KEY_CREATION_REGISTER,
+#endif
+} psa_key_creation_method_t;
+
 /** \brief A function that allocates a slot for a key.
  *
+ * To create a key in a specific slot in a secure element, the core
+ * first calls this function to determine a valid slot number,
+ * then calls a function to create the key material in that slot.
+ * In nominal conditions (that is, if no error occurs),
+ * the effect of a call to a key creation function in the PSA Cryptography
+ * API with a lifetime that places the key in a secure element is the
+ * following:
+ * -# The core calls psa_drv_se_key_management_t::p_allocate
+ *    (or in some implementations
+ *    psa_drv_se_key_management_t::p_validate_slot_number). The driver
+ *    selects (or validates) a suitable slot number given the key attributes
+ *    and the state of the secure element.
+ * -# The core calls a key creation function in the driver.
+ *
+ * The key creation functions in the PSA Cryptography API are:
+ * - psa_import_key(), which causes
+ *   a call to `p_allocate` with \p method = #PSA_KEY_CREATION_IMPORT
+ *   then a call to psa_drv_se_key_management_t::p_import.
+ * - psa_generate_key(), which causes
+ *   a call to `p_allocate` with \p method = #PSA_KEY_CREATION_GENERATE
+ *   then a call to psa_drv_se_key_management_t::p_import.
+ * - psa_key_derivation_output_key(), which causes
+ *   a call to `p_allocate` with \p method = #PSA_KEY_CREATION_DERIVE
+ *   then a call to psa_drv_se_key_derivation_t::p_derive.
+ * - psa_copy_key(), which causes
+ *   a call to `p_allocate` with \p method = #PSA_KEY_CREATION_COPY
+ *   then a call to psa_drv_se_key_management_t::p_export.
+ *
+ * In case of errors, other behaviors are possible.
+ * - If the PSA Cryptography subsystem dies after the first step,
+ *   for example because the device has lost power abruptly,
+ *   the second step may never happen, or may happen after a reset
+ *   and re-initialization. Alternatively, after a reset and
+ *   re-initialization, the core may call
+ *   psa_drv_se_key_management_t::p_destroy on the slot number that
+ *   was allocated (or validated) instead of calling a key creation function.
+ * - If an error occurs, the core may call
+ *   psa_drv_se_key_management_t::p_destroy on the slot number that
+ *   was allocated (or validated) instead of calling a key creation function.
+ *
+ * Errors and system resets also have an impact on the driver's persistent
+ * data. If a reset happens before the overall key creation process is
+ * completed (before or after the second step above), it is unspecified
+ * whether the persistent data after the reset is identical to what it
+ * was before or after the call to `p_allocate` (or `p_validate_slot_number`).
+ *
  * \param[in,out] drv_context       The driver context structure.
  * \param[in,out] persistent_data   A pointer to the persistent data
  *                                  that allows writing.
  * \param[in] attributes            Attributes of the key.
+ * \param method                    The way in which the key is being created.
  * \param[out] key_slot             Slot where the key will be stored.
  *                                  This must be a valid slot for a key of the
  *                                  chosen type. It must be unoccupied.
@@ -824,23 +909,68 @@
     psa_drv_se_context_t *drv_context,
     void *persistent_data,
     const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
     psa_key_slot_number_t *key_slot);
 
+/** \brief A function that determines whether a slot number is valid
+ * for a key.
+ *
+ * To create a key in a specific slot in a secure element, the core
+ * first calls this function to validate the choice of slot number,
+ * then calls a function to create the key material in that slot.
+ * See the documentation of #psa_drv_se_allocate_key_t for more details.
+ *
+ * As of the PSA Cryptography API specification version 1.0, there is no way
+ * for applications to trigger a call to this function. However some
+ * implementations offer the capability to create or declare a key in
+ * a specific slot via implementation-specific means, generally for the
+ * sake of initial device provisioning or onboarding. Such a mechanism may
+ * be added to a future version of the PSA Cryptography API specification.
+ *
+ * \param[in,out] drv_context   The driver context structure.
+ * \param[in] attributes        Attributes of the key.
+ * \param method                The way in which the key is being created.
+ * \param[in] key_slot          Slot where the key is to be stored.
+ *
+ * \retval #PSA_SUCCESS
+ *         The given slot number is valid for a key with the given
+ *         attributes.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ *         The given slot number is not valid for a key with the
+ *         given attributes. This includes the case where the slot
+ *         number is not valid at all.
+ * \retval #PSA_ERROR_ALREADY_EXISTS
+ *         There is already a key with the specified slot number.
+ *         Drivers may choose to return this error from the key
+ *         creation function instead.
+ */
+typedef psa_status_t (*psa_drv_se_validate_slot_number_t)(
+    psa_drv_se_context_t *drv_context,
+    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
+    psa_key_slot_number_t key_slot);
+
 /** \brief A function that imports a key into a secure element in binary format
  *
  * This function can support any output from psa_export_key(). Refer to the
  * documentation of psa_export_key() for the format for each key type.
  *
  * \param[in,out] drv_context   The driver context structure.
- * \param[in] key_slot          Slot where the key will be stored
+ * \param key_slot              Slot where the key will be stored.
  *                              This must be a valid slot for a key of the
  *                              chosen type. It must be unoccupied.
- * \param[in] lifetime          The required lifetime of the key storage
- * \param[in] type              Key type (a \c PSA_KEY_TYPE_XXX value)
- * \param[in] algorithm         Key algorithm (a \c PSA_ALG_XXX value)
- * \param[in] usage             The allowed uses of the key
- * \param[in] p_data            Buffer containing the key data
- * \param[in] data_length       Size of the `data` buffer in bytes
+ * \param[in] attributes        The key attributes, including the lifetime,
+ *                              the key type and the usage policy.
+ *                              Drivers should not access the key size stored
+ *                              in the attributes: it may not match the
+ *                              data passed in \p data.
+ *                              Drivers can call psa_get_key_lifetime(),
+ *                              psa_get_key_type(),
+ *                              psa_get_key_usage_flags() and
+ *                              psa_get_key_algorithm() to access this
+ *                              information.
+ * \param[in] data              Buffer containing the key data.
+ * \param[in] data_length       Size of the \p data buffer in bytes.
  * \param[out] bits             On success, the key size in bits. The driver
  *                              must determine this value after parsing the
  *                              key according to the key type.
@@ -849,15 +979,13 @@
  * \retval #PSA_SUCCESS
  *         Success.
  */
-typedef psa_status_t (*psa_drv_se_import_key_t)(psa_drv_se_context_t *drv_context,
-                                                psa_key_slot_number_t key_slot,
-                                                psa_key_lifetime_t lifetime,
-                                                psa_key_type_t type,
-                                                psa_algorithm_t algorithm,
-                                                psa_key_usage_t usage,
-                                                const uint8_t *p_data,
-                                                size_t data_length,
-                                                size_t *bits);
+typedef psa_status_t (*psa_drv_se_import_key_t)(
+    psa_drv_se_context_t *drv_context,
+    psa_key_slot_number_t key_slot,
+    const psa_key_attributes_t *attributes,
+    const uint8_t *data,
+    size_t data_length,
+    size_t *bits);
 
 /**
  * \brief A function that destroys a secure element key and restore the slot to
@@ -924,41 +1052,51 @@
  * element
  *
  * If \p type is asymmetric (#PSA_KEY_TYPE_IS_ASYMMETRIC(\p type) = 1),
- * the public component of the generated key will be placed in `p_pubkey_out`.
- * The format of the public key information will match the format specified for
- * the psa_export_key() function for the key type.
+ * the driver may export the public key at the time of generation,
+ * in the format documented for psa_export_public_key() by writing it
+ * to the \p pubkey buffer.
+ * This is optional, intended for secure elements that output the
+ * public key at generation time and that cannot export the public key
+ * later. Drivers that do not need this feature should leave
+ * \p *pubkey_length set to 0 and should
+ * implement the psa_drv_key_management_t::p_export_public function.
+ * Some implementations do not support this feature, in which case
+ * \p pubkey is \c NULL and \p pubkey_size is 0.
  *
  * \param[in,out] drv_context   The driver context structure.
- * \param[in] key_slot          Slot where the generated key will be placed
- * \param[in] type              The type of the key to be generated
- * \param[in] usage             The prescribed usage of the generated key
- *                              Note: Not all Secure Elements support the same
- *                              restrictions that PSA Crypto does (and vice
- *                              versa).
- *                              Driver developers should endeavor to match the
- *                              usages as close as possible.
- * \param[in] bits              The size in bits of the key to be generated.
- * \param[in] extra             Extra parameters for key generation. The
- *                              interpretation of this parameter should match
- *                              the interpretation in the `extra` parameter is
- *                              the `psa_generate_key` function
- * \param[in] extra_size        The size in bytes of the \p extra buffer
- * \param[out] p_pubkey_out     The buffer where the public key information will
- *                              be placed
- * \param[in] pubkey_out_size   The size in bytes of the `p_pubkey_out` buffer
- * \param[out] p_pubkey_length  Upon successful completion, will contain the
- *                              size of the data placed in `p_pubkey_out`.
+ * \param key_slot              Slot where the key will be stored.
+ *                              This must be a valid slot for a key of the
+ *                              chosen type. It must be unoccupied.
+ * \param[in] attributes        The key attributes, including the lifetime,
+ *                              the key type and size, and the usage policy.
+ *                              Drivers can call psa_get_key_lifetime(),
+ *                              psa_get_key_type(), psa_get_key_bits(),
+ *                              psa_get_key_usage_flags() and
+ *                              psa_get_key_algorithm() to access this
+ *                              information.
+ * \param[out] pubkey           A buffer where the driver can write the
+ *                              public key, when generating an asymmetric
+ *                              key pair.
+ *                              This is \c NULL when generating a symmetric
+ *                              key or if the core does not support
+ *                              exporting the public key at generation time.
+ * \param pubkey_size           The size of the `pubkey` buffer in bytes.
+ *                              This is 0 when generating a symmetric
+ *                              key or if the core does not support
+ *                              exporting the public key at generation time.
+ * \param[out] pubkey_length    On entry, this is always 0.
+ *                              On success, the number of bytes written to
+ *                              \p pubkey. If this is 0 or unchanged on return,
+ *                              the core will not read the \p pubkey buffer,
+ *                              and will instead call the driver's
+ *                              psa_drv_key_management_t::p_export_public
+ *                              function to export the public key when needed.
  */
-typedef psa_status_t (*psa_drv_se_generate_key_t)(psa_drv_se_context_t *drv_context,
-                                                  psa_key_slot_number_t key_slot,
-                                                  psa_key_type_t type,
-                                                  psa_key_usage_t usage,
-                                                  size_t bits,
-                                                  const void *extra,
-                                                  size_t extra_size,
-                                                  uint8_t *p_pubkey_out,
-                                                  size_t pubkey_out_size,
-                                                  size_t *p_pubkey_length);
+typedef psa_status_t (*psa_drv_se_generate_key_t)(
+    psa_drv_se_context_t *drv_context,
+    psa_key_slot_number_t key_slot,
+    const psa_key_attributes_t *attributes,
+    uint8_t *pubkey, size_t pubkey_size, size_t *pubkey_length);
 
 /**
  * \brief A struct containing all of the function pointers needed to for secure
@@ -970,8 +1108,10 @@
  * If one of the functions is not implemented, it should be set to NULL.
  */
 typedef struct {
-    /** Function that allocates a slot. */
+    /** Function that allocates a slot for a key. */
     psa_drv_se_allocate_key_t   p_allocate;
+    /** Function that checks the validity of a slot for a key. */
+    psa_drv_se_validate_slot_number_t p_validate_slot_number;
     /** Function that performs a key import operation */
     psa_drv_se_import_key_t     p_import;
     /** Function that performs a generation */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 9e38e53..f177d5d 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -12,6 +12,26 @@
  * In implementations with isolation between the application and the
  * cryptography module, it is expected that the front-end and the back-end
  * would have different versions of this file.
+ *
+ * <h3>Design notes about multipart operation structures</h3>
+ *
+ * Each multipart operation structure contains a `psa_algorithm_t alg`
+ * field which indicates which specific algorithm the structure is for.
+ * When the structure is not in use, `alg` is 0. Most of the structure
+ * consists of a union which is discriminated by `alg`.
+ *
+ * Note that when `alg` is 0, the content of other fields is undefined.
+ * In particular, it is not guaranteed that a freshly-initialized structure
+ * is all-zero: we initialize structures to something like `{0, 0}`, which
+ * is only guaranteed to initializes the first member of the union;
+ * GCC and Clang initialize the whole structure to 0 (at the time of writing),
+ * but MSVC and CompCert don't.
+ *
+ * In Mbed Crypto, multipart operation structures live independently from
+ * the key. This allows Mbed Crypto to free the key objects when destroying
+ * a key slot. If a multipart operation needs to remember the key after
+ * the setup function returns, the operation structure needs to contain a
+ * copy of the key.
  */
 /*
  *  Copyright (C) 2018, ARM Limited, All Rights Reserved
@@ -35,6 +55,10 @@
 #ifndef PSA_CRYPTO_STRUCT_H
 #define PSA_CRYPTO_STRUCT_H
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
  * in each of its header files. */
 #if !defined(MBEDTLS_CONFIG_FILE)
@@ -191,49 +215,7 @@
 } psa_hkdf_key_derivation_t;
 #endif /* MBEDTLS_MD_C */
 
-/*
- * If this option is not turned on, then the function `psa_key_derivation()`
- * is removed. And the new psa_tls12_prf_key_derivation_t context is used along
- * with the corresponding new API.
- *
- * The sole purpose of this option is to make the transition to the new API
- * smoother. Once the transition is complete it can and should be removed
- * along with the old API and its implementation.
- */
-#define PSA_PRE_1_0_KEY_DERIVATION
-
 #if defined(MBEDTLS_MD_C)
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-typedef struct psa_tls12_prf_key_derivation_s
-{
-    /* The TLS 1.2 PRF uses the key for each HMAC iteration,
-     * hence we must store it for the lifetime of the operation.
-     * This is different from HKDF, where the key is only used
-     * in the extraction phase, but not during expansion. */
-    uint8_t *key;
-    size_t key_len;
-
-    /* `A(i) + seed` in the notation of RFC 5246, Sect. 5 */
-    uint8_t *Ai_with_seed;
-    size_t Ai_with_seed_len;
-
-    /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
-    uint8_t output_block[PSA_HASH_MAX_SIZE];
-
-#if PSA_HASH_MAX_SIZE > 0xff
-#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
-#endif
-
-    /* Indicates how many bytes in the current HMAC block have
-     * already been read by the user. */
-    uint8_t offset_in_block;
-
-    /* The 1-based number of the block. */
-    uint8_t block_number;
-
-} psa_tls12_prf_key_derivation_t;
-#else
-
 typedef enum
 {
     TLS12_PRF_STATE_INIT,       /* no input provided */
@@ -268,7 +250,6 @@
     /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
     uint8_t output_block[PSA_HASH_MAX_SIZE];
 } psa_tls12_prf_key_derivation_t;
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
 struct psa_key_derivation_s
@@ -322,6 +303,29 @@
  * conditionals. */
 #define PSA_MAX_KEY_BITS 0xfff8
 
+/** A mask of flags that can be stored in key attributes.
+ *
+ * This type is also used internally to store flags in slots. Internal
+ * flags are defined in library/psa_crypto_core.h. Internal flags may have
+ * the same value as external flags if they are properly handled during
+ * key creation and in psa_get_key_attributes.
+ */
+typedef uint16_t psa_key_attributes_flag_t;
+
+#define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER     \
+    ( (psa_key_attributes_flag_t) 0x0001 )
+
+/* A mask of key attribute flags used externally only.
+ * Only meant for internal checks inside the library. */
+#define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY (      \
+        MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER |    \
+        0 )
+
+/* A mask of key attribute flags used both internally and externally.
+ * Currently there aren't any. */
+#define MBEDTLS_PSA_KA_MASK_DUAL_USE (          \
+        0 )
+
 typedef struct
 {
     psa_key_type_t type;
@@ -329,19 +333,27 @@
     psa_key_id_t id;
     psa_key_policy_t policy;
     psa_key_bits_t bits;
-    uint16_t flags;
+    psa_key_attributes_flag_t flags;
 } psa_core_key_attributes_t;
 
-#define PSA_CORE_KEY_ATTRIBUTES_INIT {0, 0, 0, {0, 0, 0}, 0, 0}
+#define PSA_CORE_KEY_ATTRIBUTES_INIT {0, 0, PSA_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0, 0}
 
 struct psa_key_attributes_s
 {
     psa_core_key_attributes_t core;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    psa_key_slot_number_t slot_number;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
     void *domain_parameters;
     size_t domain_parameters_size;
 };
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0}
+#else
 #define PSA_KEY_ATTRIBUTES_INIT {PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0}
+#endif
+
 static inline struct psa_key_attributes_s psa_key_attributes_init( void )
 {
     const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
@@ -367,7 +379,14 @@
 {
     attributes->core.lifetime = lifetime;
     if( lifetime == PSA_KEY_LIFETIME_VOLATILE )
+    {
+#ifdef MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+        attributes->core.id.key_id = 0;
+        attributes->core.id.owner = 0;
+#else
         attributes->core.id = 0;
+#endif
+    }
 }
 
 static inline psa_key_lifetime_t psa_get_key_lifetime(
@@ -446,4 +465,8 @@
     return( attributes->core.bits );
 }
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* PSA_CRYPTO_STRUCT_H */
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index 1944be4..b79c3b5 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -120,6 +120,7 @@
  * psa_key_id_t in crypto_platform.h instead of here. */
 #if !defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
 typedef uint32_t psa_key_id_t;
+#define PSA_KEY_ID_INIT 0
 #endif
 
 /**@}*/
@@ -244,6 +245,17 @@
  */
 typedef struct psa_key_attributes_s psa_key_attributes_t;
 
+
+#ifndef __DOXYGEN_ONLY__
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+/* Mbed Crypto defines this type in crypto_types.h because it is also
+ * visible to applications through an implementation-specific extension.
+ * For the PSA Cryptography specification, this type is only visible
+ * via crypto_se_driver.h. */
+typedef uint64_t psa_key_slot_number_t;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#endif /* !__DOXYGEN_ONLY__ */
+
 /**@}*/
 
 /** \defgroup derivation Key derivation
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 2c0acf3..b53e1c7 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -268,7 +268,7 @@
  * to read from a resource. */
 #define PSA_ERROR_INSUFFICIENT_DATA     ((psa_status_t)-143)
 
-/** The key handle is not valid.
+/** The key handle is not valid. See also :ref:\`key-handles\`.
  */
 #define PSA_ERROR_INVALID_HANDLE        ((psa_status_t)-136)
 
@@ -1015,15 +1015,15 @@
  * \return              The corresponding AEAD algorithm with the default
  *                      tag length for that algorithm.
  */
-#define PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(aead_alg)                  \
-    (                                                                   \
-        PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_CCM) \
-        PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_GCM) \
-        PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
+#define PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(aead_alg)                   \
+    (                                                                    \
+        PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH_CASE(aead_alg, PSA_ALG_CCM) \
+        PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH_CASE(aead_alg, PSA_ALG_GCM) \
+        PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
         0)
-#define PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(aead_alg, ref)      \
-    PSA_ALG_AEAD_WITH_TAG_LENGTH(aead_alg, 0) ==                        \
-    PSA_ALG_AEAD_WITH_TAG_LENGTH(ref, 0) ?  \
+#define PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH_CASE(aead_alg, ref)         \
+    PSA_ALG_AEAD_WITH_TAG_LENGTH(aead_alg, 0) ==                         \
+    PSA_ALG_AEAD_WITH_TAG_LENGTH(ref, 0) ?                               \
     ref :
 
 #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE          ((psa_algorithm_t)0x10020000)
@@ -1503,16 +1503,16 @@
 
 /** The minimum value for a key identifier chosen by the application.
  */
-#define PSA_KEY_ID_USER_MIN                     ((psa_key_id_t)0x00000001)
+#define PSA_KEY_ID_USER_MIN                     ((psa_app_key_id_t)0x00000001)
 /** The maximum value for a key identifier chosen by the application.
  */
-#define PSA_KEY_ID_USER_MAX                     ((psa_key_id_t)0x3fffffff)
+#define PSA_KEY_ID_USER_MAX                     ((psa_app_key_id_t)0x3fffffff)
 /** The minimum value for a key identifier chosen by the implementation.
  */
-#define PSA_KEY_ID_VENDOR_MIN                   ((psa_key_id_t)0x40000000)
+#define PSA_KEY_ID_VENDOR_MIN                   ((psa_app_key_id_t)0x40000000)
 /** The maximum value for a key identifier chosen by the implementation.
  */
-#define PSA_KEY_ID_VENDOR_MAX                   ((psa_key_id_t)0x7fffffff)
+#define PSA_KEY_ID_VENDOR_MAX                   ((psa_app_key_id_t)0x7fffffff)
 
 /**@}*/
 
diff --git a/library/bignum.c b/library/bignum.c
index 98ee12a..30757df 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2139,13 +2139,13 @@
 {
     int ret;
     size_t lz, lzt;
-    mbedtls_mpi TG, TA, TB;
+    mbedtls_mpi TA, TB;
 
     MPI_VALIDATE_RET( G != NULL );
     MPI_VALIDATE_RET( A != NULL );
     MPI_VALIDATE_RET( B != NULL );
 
-    mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
@@ -2183,7 +2183,7 @@
 
 cleanup:
 
-    mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
+    mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
 
     return( ret );
 }
@@ -2410,8 +2410,6 @@
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
 
-    i = mbedtls_mpi_bitlen( X );
-
     for( i = 0; i < rounds; i++ )
     {
         /*
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index bd80144..ef2d50e 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -994,18 +994,16 @@
     return( PSA_SUCCESS );
 }
 
-static void psa_abort_operations_using_key( psa_key_slot_t *slot )
-{
-    /*TODO how to implement this?*/
-    (void) slot;
-}
-
 /** Completely wipe a slot in memory, including its policy.
  * Persistent storage is not affected. */
 psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot )
 {
     psa_status_t status = psa_remove_key_data_from_memory( slot );
-    psa_abort_operations_using_key( slot );
+    /* Multipart operations may still be using the key. This is safe
+     * because all multipart operation objects are independent from
+     * the key slot: if they need to access the key after the setup
+     * phase, they have a copy of the key. Note that this means that
+     * key material can linger until all operations are completed. */
     /* At this point, key material and other type-specific content has
      * been wiped. Clear remaining metadata. We can call memset and not
      * zeroize because the metadata is not particularly sensitive. */
@@ -1016,8 +1014,8 @@
 psa_status_t psa_destroy_key( psa_key_handle_t handle )
 {
     psa_key_slot_t *slot;
-    psa_status_t status = PSA_SUCCESS;
-    psa_status_t storage_status = PSA_SUCCESS;
+    psa_status_t status; /* status of the last operation */
+    psa_status_t overall_status = PSA_SUCCESS;
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     psa_se_drv_table_entry_t *driver;
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@@ -1043,42 +1041,57 @@
         if( status != PSA_SUCCESS )
         {
             (void) psa_crypto_stop_transaction( );
-            /* TODO: destroy what can be destroyed anyway */
-            return( status );
+            /* We should still try to destroy the key in the secure
+             * element and the key metadata in storage. This is especially
+             * important if the error is that the storage is full.
+             * But how to do it exactly without risking an inconsistent
+             * state after a reset?
+             * https://github.com/ARMmbed/mbed-crypto/issues/215
+             */
+            overall_status = status;
+            goto exit;
         }
 
         status = psa_destroy_se_key( driver, slot->data.se.slot_number );
+        if( overall_status == PSA_SUCCESS )
+            overall_status = status;
     }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-    if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
+    if( slot->attr.lifetime != PSA_KEY_LIFETIME_VOLATILE )
     {
-        storage_status =
-            psa_destroy_persistent_key( slot->attr.id );
+        status = psa_destroy_persistent_key( slot->attr.id );
+        if( overall_status == PSA_SUCCESS )
+            overall_status = status;
+
+        /* TODO: other slots may have a copy of the same key. We should
+         * invalidate them.
+         * https://github.com/ARMmbed/mbed-crypto/issues/214
+         */
     }
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
 
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     if( driver != NULL )
     {
-        psa_status_t status2;
         status = psa_save_se_persistent_data( driver );
-        status2 = psa_crypto_stop_transaction( );
-        if( status == PSA_SUCCESS )
-            status = status2;
-        if( status != PSA_SUCCESS )
-        {
-            /* TODO: destroy what can be destroyed anyway */
-            return( status );
-        }
+        if( overall_status == PSA_SUCCESS )
+            overall_status = status;
+        status = psa_crypto_stop_transaction( );
+        if( overall_status == PSA_SUCCESS )
+            overall_status = status;
     }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+exit:
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
     status = psa_wipe_key_slot( slot );
-    if( status != PSA_SUCCESS )
-        return( status );
-    return( storage_status );
+    /* Prioritize CORRUPTION_DETECTED from wiping over a storage error */
+    if( overall_status == PSA_SUCCESS )
+        overall_status = status;
+    return( overall_status );
 }
 
 void psa_reset_key_attributes( psa_key_attributes_t *attributes )
@@ -1187,6 +1200,13 @@
         return( status );
 
     attributes->core = slot->attr;
+    attributes->core.flags &= ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
+                                MBEDTLS_PSA_KA_MASK_DUAL_USE );
+
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if( psa_key_slot_is_external( slot ) )
+        psa_set_key_slot_number( attributes, slot->data.se.slot_number );
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
     switch( slot->attr.type )
     {
@@ -1195,8 +1215,10 @@
         case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
             /* TODO: reporting the public exponent for opaque keys
-             * is not yet implemented. */
-            if( psa_get_se_driver( slot->attr.lifetime, NULL, NULL ) )
+             * is not yet implemented.
+             * https://github.com/ARMmbed/mbed-crypto/issues/216
+             */
+            if( psa_key_slot_is_external( slot ) )
                 break;
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
             status = psa_get_rsa_public_exponent( slot->data.rsa, attributes );
@@ -1212,6 +1234,21 @@
     return( status );
 }
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t psa_get_key_slot_number(
+    const psa_key_attributes_t *attributes,
+    psa_key_slot_number_t *slot_number )
+{
+    if( attributes->core.flags & MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER )
+    {
+        *slot_number = attributes->slot_number;
+        return( PSA_SUCCESS );
+    }
+    else
+        return( PSA_ERROR_INVALID_ARGUMENT );
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
 static int pk_write_pubkey_simple( mbedtls_pk_context *key,
                                    unsigned char *buf, size_t size )
@@ -1408,6 +1445,15 @@
                                      data_length, 1 ) );
 }
 
+#if defined(static_assert)
+static_assert( ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
+               "One or more key attribute flag is listed as both external-only and dual-use" );
+static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_DUAL_USE ) == 0,
+               "One or more key attribute flag is listed as both internal-only and dual-use" );
+static_assert( ( PSA_KA_MASK_INTERNAL_ONLY & MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ) == 0,
+               "One or more key attribute flag is listed as both internal-only and external-only" );
+#endif
+
 /** Validate that a key policy is internally well-formed.
  *
  * This function only rejects invalid policies. It does not validate the
@@ -1467,6 +1513,11 @@
     if( psa_get_key_bits( attributes ) > PSA_MAX_KEY_BITS )
         return( PSA_ERROR_NOT_SUPPORTED );
 
+    /* Reject invalid flags. These should not be reachable through the API. */
+    if( attributes->core.flags & ~ ( MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY |
+                                     MBEDTLS_PSA_KA_MASK_DUAL_USE ) )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
     return( PSA_SUCCESS );
 }
 
@@ -1484,6 +1535,7 @@
  * In case of failure at any step, stop the sequence and call
  * psa_fail_key_creation().
  *
+ * \param method            An identification of the calling function.
  * \param[in] attributes    Key attributes for the new key.
  * \param[out] handle       On success, a handle for the allocated slot.
  * \param[out] p_slot       On success, a pointer to the prepared slot.
@@ -1496,6 +1548,7 @@
  *         You must call psa_fail_key_creation() to wipe and free the slot.
  */
 static psa_status_t psa_start_key_creation(
+    psa_key_creation_method_t method,
     const psa_key_attributes_t *attributes,
     psa_key_handle_t *handle,
     psa_key_slot_t **p_slot,
@@ -1504,13 +1557,14 @@
     psa_status_t status;
     psa_key_slot_t *slot;
 
+    (void) method;
     *p_drv = NULL;
 
     status = psa_validate_key_attributes( attributes, p_drv );
     if( status != PSA_SUCCESS )
         return( status );
 
-    status = psa_internal_allocate_key_slot( handle, p_slot );
+    status = psa_get_empty_key_slot( handle, p_slot );
     if( status != PSA_SUCCESS )
         return( status );
     slot = *p_slot;
@@ -1523,8 +1577,16 @@
 
     slot->attr = attributes->core;
 
+    /* Erase external-only flags from the internal copy. To access
+     * external-only flags, query `attributes`. Thanks to the check
+     * in psa_validate_key_attributes(), this leaves the dual-use
+     * flags and any internal flag that psa_get_empty_key_slot()
+     * may have set. */
+    slot->attr.flags &= ~MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY;
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    /* For a key in a secure element, we need to do three things:
+    /* For a key in a secure element, we need to do three things
+     * when creating a key (but not when registering an existing key):
      * create the key file in internal storage, create the
      * key inside the secure element, and update the driver's
      * persistent data. Start a transaction that will encompass these
@@ -1537,9 +1599,9 @@
      * secure element driver updates its persistent state, but we do not yet
      * save the driver's persistent state, so that if the power fails,
      * we can roll back to a state where the key doesn't exist. */
-    if( *p_drv != NULL )
+    if( *p_drv != NULL && method != PSA_KEY_CREATION_REGISTER )
     {
-        status = psa_find_se_slot_for_key( attributes, *p_drv,
+        status = psa_find_se_slot_for_key( attributes, method, *p_drv,
                                            &slot->data.se.slot_number );
         if( status != PSA_SUCCESS )
             return( status );
@@ -1631,7 +1693,13 @@
 #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
 
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-    if( driver != NULL )
+    /* Finish the transaction for a key creation. This does not
+     * happen when registering an existing key. Detect this case
+     * by checking whether a transaction is in progress (actual
+     * creation of a key in a secure element requires a transaction,
+     * but registration doesn't use one). */
+    if( driver != NULL &&
+        psa_crypto_transaction.unknown.type == PSA_CRYPTO_TRANSACTION_CREATE_KEY )
     {
         status = psa_save_se_persistent_data( driver );
         if( status != PSA_SUCCESS )
@@ -1672,11 +1740,16 @@
     /* TODO: If the key has already been created in the secure
      * element, and the failure happened later (when saving metadata
      * to internal storage), we need to destroy the key in the secure
-     * element. */
+     * element.
+     * https://github.com/ARMmbed/mbed-crypto/issues/217
+     */
 
-    /* Abort the ongoing transaction if any. We already did what it
-     * takes to undo any partial creation. All that's left is to update
-     * the transaction data itself. */
+    /* Abort the ongoing transaction if any (there may not be one if
+     * the creation process failed before starting one, or if the
+     * key creation is a registration of a key in a secure element).
+     * Earlier functions must already have done what it takes to undo any
+     * partial creation. All that's left is to update the transaction data
+     * itself. */
     (void) psa_crypto_stop_transaction( );
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
@@ -1753,7 +1826,8 @@
     psa_key_slot_t *slot = NULL;
     psa_se_drv_table_entry_t *driver = NULL;
 
-    status = psa_start_key_creation( attributes, handle, &slot, &driver );
+    status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
+                                     handle, &slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -1761,7 +1835,9 @@
     if( driver != NULL )
     {
         const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
-        size_t bits;
+        /* The driver should set the number of key bits, however in
+         * case it doesn't, we initialize bits to an invalid value. */
+        size_t bits = PSA_MAX_KEY_BITS + 1;
         if( drv->key_management == NULL ||
             drv->key_management->p_import == NULL )
         {
@@ -1770,10 +1846,7 @@
         }
         status = drv->key_management->p_import(
             psa_get_se_driver_context( driver ),
-            slot->data.se.slot_number,
-            slot->attr.lifetime, slot->attr.type,
-            slot->attr.policy.alg, slot->attr.policy.usage,
-            data, data_length,
+            slot->data.se.slot_number, attributes, data, data_length,
             &bits );
         if( status != PSA_SUCCESS )
             goto exit;
@@ -1805,6 +1878,74 @@
     return( status );
 }
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+psa_status_t mbedtls_psa_register_se_key(
+    const psa_key_attributes_t *attributes )
+{
+    psa_status_t status;
+    psa_key_slot_t *slot = NULL;
+    psa_se_drv_table_entry_t *driver = NULL;
+    const psa_drv_se_t *drv;
+    psa_key_handle_t handle = 0;
+
+    /* Leaving attributes unspecified is not currently supported.
+     * It could make sense to query the key type and size from the
+     * secure element, but not all secure elements support this
+     * and the driver HAL doesn't currently support it. */
+    if( psa_get_key_type( attributes ) == PSA_KEY_TYPE_NONE )
+        return( PSA_ERROR_NOT_SUPPORTED );
+    if( psa_get_key_bits( attributes ) == 0 )
+        return( PSA_ERROR_NOT_SUPPORTED );
+
+    status = psa_start_key_creation( PSA_KEY_CREATION_REGISTER, attributes,
+                                     &handle, &slot, &driver );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    if( driver == NULL )
+    {
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+    drv = psa_get_se_driver_methods( driver );
+
+    if ( psa_get_key_slot_number( attributes,
+                                  &slot->data.se.slot_number ) != PSA_SUCCESS )
+    {
+        /* The application didn't specify a slot number. This doesn't
+         * make sense when registering a slot. */
+        status = PSA_ERROR_INVALID_ARGUMENT;
+        goto exit;
+    }
+
+    /* If the driver has a slot number validation method, call it.
+     * If it doesn't, it means the secure element is unable to validate
+     * anything and so we have to trust the application. */
+    if( drv->key_management != NULL &&
+        drv->key_management->p_validate_slot_number != NULL )
+    {
+        status = drv->key_management->p_validate_slot_number(
+            psa_get_se_driver_context( driver ),
+            attributes,
+            PSA_KEY_CREATION_REGISTER,
+            slot->data.se.slot_number );
+        if( status != PSA_SUCCESS )
+            goto exit;
+    }
+
+    status = psa_finish_key_creation( slot, driver );
+
+exit:
+    if( status != PSA_SUCCESS )
+    {
+        psa_fail_key_creation( slot, driver );
+    }
+    /* Registration doesn't keep the key in RAM. */
+    psa_close_key( handle );
+    return( status );
+}
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
                                            psa_key_slot_t *target )
 {
@@ -1856,7 +1997,8 @@
     if( status != PSA_SUCCESS )
         goto exit;
 
-    status = psa_start_key_creation( &actual_attributes,
+    status = psa_start_key_creation( PSA_KEY_CREATION_COPY,
+                                     &actual_attributes,
                                      target_handle, &target_slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
@@ -2458,14 +2600,6 @@
     mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
     return( psa_hash_abort( &hmac->hash_ctx ) );
 }
-
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-static void psa_hmac_init_internal( psa_hmac_internal_data *hmac )
-{
-    /* Instances of psa_hash_operation_s can be initialized by zeroization. */
-    memset( hmac, 0, sizeof( *hmac ) );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
 psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
@@ -3208,10 +3342,14 @@
 {
     psa_key_slot_t *slot;
     psa_status_t status;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
     *signature_length = signature_size;
 
-    status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_SIGN, alg );
+    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_SIGN, alg );
     if( status != PSA_SUCCESS )
         goto exit;
     if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
@@ -3220,6 +3358,24 @@
         goto exit;
     }
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+    {
+        if( drv->asymmetric == NULL ||
+            drv->asymmetric->p_sign == NULL )
+        {
+            status = PSA_ERROR_NOT_SUPPORTED;
+            goto exit;
+        }
+        status = drv->asymmetric->p_sign( drv_context,
+                                          slot->data.se.slot_number,
+                                          alg,
+                                          hash, hash_length,
+                                          signature, signature_size,
+                                          signature_length );
+    }
+    else
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 #if defined(MBEDTLS_RSA_C)
     if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
     {
@@ -3283,11 +3439,29 @@
 {
     psa_key_slot_t *slot;
     psa_status_t status;
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    const psa_drv_se_t *drv;
+    psa_drv_se_context_t *drv_context;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
-    status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_VERIFY, alg );
+    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_VERIFY, alg );
     if( status != PSA_SUCCESS )
         return( status );
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+    if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
+    {
+        if( drv->asymmetric == NULL ||
+            drv->asymmetric->p_verify == NULL )
+            return( PSA_ERROR_NOT_SUPPORTED );
+        return( drv->asymmetric->p_verify( drv_context,
+                                           slot->data.se.slot_number,
+                                           alg,
+                                           hash, hash_length,
+                                           signature, signature_length ) );
+    }
+    else
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 #if defined(MBEDTLS_RSA_C)
     if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
     {
@@ -4212,21 +4386,6 @@
              /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
              PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
     {
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-        if( operation->ctx.tls12_prf.key != NULL )
-        {
-            mbedtls_platform_zeroize( operation->ctx.tls12_prf.key,
-                             operation->ctx.tls12_prf.key_len );
-            mbedtls_free( operation->ctx.tls12_prf.key );
-        }
-
-        if( operation->ctx.tls12_prf.Ai_with_seed != NULL )
-        {
-            mbedtls_platform_zeroize( operation->ctx.tls12_prf.Ai_with_seed,
-                             operation->ctx.tls12_prf.Ai_with_seed_len );
-            mbedtls_free( operation->ctx.tls12_prf.Ai_with_seed );
-        }
-#else
         if( operation->ctx.tls12_prf.seed != NULL )
         {
             mbedtls_platform_zeroize( operation->ctx.tls12_prf.seed,
@@ -4245,7 +4404,6 @@
 
         /* We leave the fields Ai and output_block to be erased safely by the
          * mbedtls_platform_zeroize() in the end of this function. */
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
     }
     else
 #endif /* MBEDTLS_MD_C */
@@ -4350,119 +4508,6 @@
     return( PSA_SUCCESS );
 }
 
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
-    psa_tls12_prf_key_derivation_t *tls12_prf,
-    psa_algorithm_t alg )
-{
-    psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
-    uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
-    psa_hmac_internal_data hmac;
-    psa_status_t status, cleanup_status;
-
-    uint8_t *Ai;
-    size_t Ai_len;
-
-    /* We can't be wanting more output after block 0xff, otherwise
-     * the capacity check in psa_key_derivation_output_bytes() would have
-     * prevented this call. It could happen only if the operation
-     * object was corrupted or if this function is called directly
-     * inside the library. */
-    if( tls12_prf->block_number == 0xff )
-        return( PSA_ERROR_BAD_STATE );
-
-    /* We need a new block */
-    ++tls12_prf->block_number;
-    tls12_prf->offset_in_block = 0;
-
-    /* Recall the definition of the TLS-1.2-PRF from RFC 5246:
-     *
-     * PRF(secret, label, seed) = P_<hash>(secret, label + seed)
-     *
-     * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
-     *                        HMAC_hash(secret, A(2) + seed) +
-     *                        HMAC_hash(secret, A(3) + seed) + ...
-     *
-     * A(0) = seed
-     * A(i) = HMAC_hash( secret, A(i-1) )
-     *
-     * The `psa_tls12_prf_key_derivation` structures saves the block
-     * `HMAC_hash(secret, A(i) + seed)` from which the output
-     * is currently extracted as `output_block`, while
-     * `A(i) + seed` is stored in `Ai_with_seed`.
-     *
-     * Generating a new block means recalculating `Ai_with_seed`
-     * from the A(i)-part of it, and afterwards recalculating
-     * `output_block`.
-     *
-     * A(0) is computed at setup time.
-     *
-     */
-
-    psa_hmac_init_internal( &hmac );
-
-    /* We must distinguish the calculation of A(1) from those
-     * of A(2) and higher, because A(0)=seed has a different
-     * length than the other A(i). */
-    if( tls12_prf->block_number == 1 )
-    {
-        Ai     = tls12_prf->Ai_with_seed + hash_length;
-        Ai_len = tls12_prf->Ai_with_seed_len - hash_length;
-    }
-    else
-    {
-        Ai     = tls12_prf->Ai_with_seed;
-        Ai_len = hash_length;
-    }
-
-    /* Compute A(i+1) = HMAC_hash(secret, A(i)) */
-    status = psa_hmac_setup_internal( &hmac,
-                                      tls12_prf->key,
-                                      tls12_prf->key_len,
-                                      hash_alg );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-    status = psa_hash_update( &hmac.hash_ctx,
-                              Ai, Ai_len );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-    status = psa_hmac_finish_internal( &hmac,
-                                       tls12_prf->Ai_with_seed,
-                                       hash_length );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-    /* Compute the next block `HMAC_hash(secret, A(i+1) + seed)`. */
-    status = psa_hmac_setup_internal( &hmac,
-                                      tls12_prf->key,
-                                      tls12_prf->key_len,
-                                      hash_alg );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-    status = psa_hash_update( &hmac.hash_ctx,
-                              tls12_prf->Ai_with_seed,
-                              tls12_prf->Ai_with_seed_len );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-    status = psa_hmac_finish_internal( &hmac,
-                                       tls12_prf->output_block,
-                                       hash_length );
-    if( status != PSA_SUCCESS )
-        goto cleanup;
-
-cleanup:
-
-    cleanup_status = psa_hmac_abort_internal( &hmac );
-    if( status == PSA_SUCCESS && cleanup_status != PSA_SUCCESS )
-        status = cleanup_status;
-
-    return( status );
-}
-#else
 static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
     psa_tls12_prf_key_derivation_t *tls12_prf,
     psa_algorithm_t alg )
@@ -4570,49 +4615,7 @@
 
     return( status );
 }
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/* Read some bytes from an TLS-1.2-PRF-based operation.
- * See Section 5 of RFC 5246. */
-static psa_status_t psa_key_derivation_tls12_prf_read(
-    psa_tls12_prf_key_derivation_t *tls12_prf,
-    psa_algorithm_t alg,
-    uint8_t *output,
-    size_t output_length )
-{
-    psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
-    uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
-    psa_status_t status;
-
-    while( output_length != 0 )
-    {
-        /* Copy what remains of the current block */
-        uint8_t n = hash_length - tls12_prf->offset_in_block;
-
-        /* Check if we have fully processed the current block. */
-        if( n == 0 )
-        {
-            status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf,
-                                                                       alg );
-            if( status != PSA_SUCCESS )
-                return( status );
-
-            continue;
-        }
-
-        if( n > output_length )
-            n = (uint8_t) output_length;
-        memcpy( output, tls12_prf->output_block + tls12_prf->offset_in_block,
-                n );
-        output += n;
-        output_length -= n;
-        tls12_prf->offset_in_block += n;
-    }
-
-    return( PSA_SUCCESS );
-}
-#else
 static psa_status_t psa_key_derivation_tls12_prf_read(
     psa_tls12_prf_key_derivation_t *tls12_prf,
     psa_algorithm_t alg,
@@ -4651,7 +4654,6 @@
 
     return( PSA_SUCCESS );
 }
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
 psa_status_t psa_key_derivation_output_bytes(
@@ -4774,7 +4776,8 @@
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
     psa_se_drv_table_entry_t *driver = NULL;
-    status = psa_start_key_creation( attributes, handle, &slot, &driver );
+    status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE,
+                                     attributes, handle, &slot, &driver );
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     if( driver != NULL )
     {
@@ -4804,284 +4807,6 @@
 /* Key derivation */
 /****************************************************************/
 
-#if defined(MBEDTLS_MD_C)
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/* Set up an HKDF-based operation. This is exactly the extract phase
- * of the HKDF algorithm.
- *
- * Note that if this function fails, you must call psa_key_derivation_abort()
- * to potentially free embedded data structures and wipe confidential data.
- */
-static psa_status_t psa_key_derivation_hkdf_setup( psa_hkdf_key_derivation_t *hkdf,
-                                                   const uint8_t *secret,
-                                                   size_t secret_length,
-                                                   psa_algorithm_t hash_alg,
-                                                   const uint8_t *salt,
-                                                   size_t salt_length,
-                                                   const uint8_t *label,
-                                                   size_t label_length )
-{
-    psa_status_t status;
-    status = psa_hmac_setup_internal( &hkdf->hmac,
-                                      salt, salt_length,
-                                      hash_alg );
-    if( status != PSA_SUCCESS )
-        return( status );
-    status = psa_hash_update( &hkdf->hmac.hash_ctx, secret, secret_length );
-    if( status != PSA_SUCCESS )
-        return( status );
-    status = psa_hmac_finish_internal( &hkdf->hmac,
-                                       hkdf->prk,
-                                       sizeof( hkdf->prk ) );
-    if( status != PSA_SUCCESS )
-        return( status );
-    hkdf->offset_in_block = PSA_HASH_SIZE( hash_alg );
-    hkdf->block_number = 0;
-    hkdf->info_length = label_length;
-    if( label_length != 0 )
-    {
-        hkdf->info = mbedtls_calloc( 1, label_length );
-        if( hkdf->info == NULL )
-            return( PSA_ERROR_INSUFFICIENT_MEMORY );
-        memcpy( hkdf->info, label, label_length );
-    }
-    hkdf->state = HKDF_STATE_KEYED;
-    hkdf->info_set = 1;
-    return( PSA_SUCCESS );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-#endif /* MBEDTLS_MD_C */
-
-#if defined(MBEDTLS_MD_C)
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/* Set up a TLS-1.2-prf-based operation (see RFC 5246, Section 5).
- *
- * Note that if this function fails, you must call psa_key_derivation_abort()
- * to potentially free embedded data structures and wipe confidential data.
- */
-static psa_status_t psa_key_derivation_tls12_prf_setup(
-    psa_tls12_prf_key_derivation_t *tls12_prf,
-    const uint8_t *key,
-    size_t key_len,
-    psa_algorithm_t hash_alg,
-    const uint8_t *salt,
-    size_t salt_length,
-    const uint8_t *label,
-    size_t label_length )
-{
-    uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
-    size_t Ai_with_seed_len = hash_length + salt_length + label_length;
-    int overflow;
-
-    tls12_prf->key = mbedtls_calloc( 1, key_len );
-    if( tls12_prf->key == NULL )
-        return( PSA_ERROR_INSUFFICIENT_MEMORY );
-    tls12_prf->key_len = key_len;
-    memcpy( tls12_prf->key, key, key_len );
-
-    overflow = ( salt_length + label_length               < salt_length ) ||
-        ( salt_length + label_length + hash_length < hash_length );
-    if( overflow )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-    tls12_prf->Ai_with_seed = mbedtls_calloc( 1, Ai_with_seed_len );
-    if( tls12_prf->Ai_with_seed == NULL )
-        return( PSA_ERROR_INSUFFICIENT_MEMORY );
-    tls12_prf->Ai_with_seed_len = Ai_with_seed_len;
-
-    /* Write `label + seed' at the end of the `A(i) + seed` buffer,
-     * leaving the initial `hash_length` bytes unspecified for now. */
-    if( label_length != 0 )
-    {
-        memcpy( tls12_prf->Ai_with_seed + hash_length,
-                label, label_length );
-    }
-
-    if( salt_length != 0 )
-    {
-        memcpy( tls12_prf->Ai_with_seed + hash_length + label_length,
-                salt, salt_length );
-    }
-
-    /* The first block gets generated when
-     * psa_key_derivation_output_bytes() is called. */
-    tls12_prf->block_number    = 0;
-    tls12_prf->offset_in_block = hash_length;
-
-    return( PSA_SUCCESS );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/* Set up a TLS-1.2-PSK-to-MS-based operation. */
-static psa_status_t psa_key_derivation_tls12_psk_to_ms_setup(
-    psa_tls12_prf_key_derivation_t *tls12_prf,
-    const uint8_t *psk,
-    size_t psk_len,
-    psa_algorithm_t hash_alg,
-    const uint8_t *salt,
-    size_t salt_length,
-    const uint8_t *label,
-    size_t label_length )
-{
-    psa_status_t status;
-    uint8_t pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ];
-
-    if( psk_len > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-    /* Quoting RFC 4279, Section 2:
-     *
-     * The premaster secret is formed as follows: if the PSK is N octets
-     * long, concatenate a uint16 with the value N, N zero octets, a second
-     * uint16 with the value N, and the PSK itself.
-     */
-
-    pms[0] = ( psk_len >> 8 ) & 0xff;
-    pms[1] = ( psk_len >> 0 ) & 0xff;
-    memset( pms + 2, 0, psk_len );
-    pms[2 + psk_len + 0] = pms[0];
-    pms[2 + psk_len + 1] = pms[1];
-    memcpy( pms + 4 + psk_len, psk, psk_len );
-
-    status = psa_key_derivation_tls12_prf_setup( tls12_prf,
-                                                 pms, 4 + 2 * psk_len,
-                                                 hash_alg,
-                                                 salt, salt_length,
-                                                 label, label_length );
-
-    mbedtls_platform_zeroize( pms, sizeof( pms ) );
-    return( status );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-#endif /* MBEDTLS_MD_C */
-
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-/* Note that if this function fails, you must call psa_key_derivation_abort()
- * to potentially free embedded data structures and wipe confidential data.
- */
-static psa_status_t psa_key_derivation_internal(
-    psa_key_derivation_operation_t *operation,
-    const uint8_t *secret, size_t secret_length,
-    psa_algorithm_t alg,
-    const uint8_t *salt, size_t salt_length,
-    const uint8_t *label, size_t label_length,
-    size_t capacity )
-{
-    psa_status_t status;
-    size_t max_capacity;
-
-    /* Set operation->alg even on failure so that abort knows what to do. */
-    operation->alg = alg;
-
-#if defined(MBEDTLS_MD_C)
-    if( PSA_ALG_IS_HKDF( alg ) )
-    {
-        psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
-        size_t hash_size = PSA_HASH_SIZE( hash_alg );
-        if( hash_size == 0 )
-            return( PSA_ERROR_NOT_SUPPORTED );
-        max_capacity = 255 * hash_size;
-        status = psa_key_derivation_hkdf_setup( &operation->ctx.hkdf,
-                                                secret, secret_length,
-                                                hash_alg,
-                                                salt, salt_length,
-                                                label, label_length );
-    }
-    /* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */
-    else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
-             PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
-    {
-        psa_algorithm_t hash_alg = PSA_ALG_TLS12_PRF_GET_HASH( alg );
-        size_t hash_size = PSA_HASH_SIZE( hash_alg );
-
-        /* TLS-1.2 PRF supports only SHA-256 and SHA-384. */
-        if( hash_alg != PSA_ALG_SHA_256 &&
-            hash_alg != PSA_ALG_SHA_384 )
-        {
-            return( PSA_ERROR_NOT_SUPPORTED );
-        }
-
-        max_capacity = 255 * hash_size;
-
-        if( PSA_ALG_IS_TLS12_PRF( alg ) )
-        {
-            status = psa_key_derivation_tls12_prf_setup( &operation->ctx.tls12_prf,
-                                                         secret, secret_length,
-                                                         hash_alg, salt, salt_length,
-                                                         label, label_length );
-        }
-        else
-        {
-            status = psa_key_derivation_tls12_psk_to_ms_setup(
-                &operation->ctx.tls12_prf,
-                secret, secret_length,
-                hash_alg, salt, salt_length,
-                label, label_length );
-        }
-    }
-    else
-#endif
-    {
-        return( PSA_ERROR_NOT_SUPPORTED );
-    }
-
-    if( status != PSA_SUCCESS )
-        return( status );
-
-    if( capacity <= max_capacity )
-        operation->capacity = capacity;
-    else if( capacity == PSA_KEY_DERIVATION_UNLIMITED_CAPACITY )
-        operation->capacity = max_capacity;
-    else
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-    return( PSA_SUCCESS );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-psa_status_t psa_key_derivation( psa_key_derivation_operation_t *operation,
-                                 psa_key_handle_t handle,
-                                 psa_algorithm_t alg,
-                                 const uint8_t *salt,
-                                 size_t salt_length,
-                                 const uint8_t *label,
-                                 size_t label_length,
-                                 size_t capacity )
-{
-    psa_key_slot_t *slot;
-    psa_status_t status;
-
-    if( operation->alg != 0 )
-        return( PSA_ERROR_BAD_STATE );
-
-    /* Make sure that alg is a key derivation algorithm. This prevents
-     * key selection algorithms, which psa_key_derivation_internal
-     * accepts for the sake of key agreement. */
-    if( ! PSA_ALG_IS_KEY_DERIVATION( alg ) )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-    status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_DERIVE, alg );
-    if( status != PSA_SUCCESS )
-        return( status );
-
-    if( slot->attr.type != PSA_KEY_TYPE_DERIVE )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
-    status = psa_key_derivation_internal( operation,
-                                          slot->data.raw.data,
-                                          slot->data.raw.bytes,
-                                          alg,
-                                          salt, salt_length,
-                                          label, label_length,
-                                          capacity );
-    if( status != PSA_SUCCESS )
-        psa_key_derivation_abort( operation );
-    return( status );
-}
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
-
 static psa_status_t psa_key_derivation_setup_kdf(
     psa_key_derivation_operation_t *operation,
     psa_algorithm_t kdf_alg )
@@ -5207,38 +4932,6 @@
     }
 }
 
-#if defined(PSA_PRE_1_0_KEY_DERIVATION)
-static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf,
-                                         psa_algorithm_t hash_alg,
-                                         psa_key_derivation_step_t step,
-                                         const uint8_t *data,
-                                         size_t data_length )
-{
-    (void) prf;
-    (void) hash_alg;
-    (void) step;
-    (void) data;
-    (void) data_length;
-
-    return( PSA_ERROR_INVALID_ARGUMENT );
-}
-
-static psa_status_t psa_tls12_prf_psk_to_ms_input(
-    psa_tls12_prf_key_derivation_t *prf,
-    psa_algorithm_t hash_alg,
-    psa_key_derivation_step_t step,
-    const uint8_t *data,
-    size_t data_length )
-{
-    (void) prf;
-    (void) hash_alg;
-    (void) step;
-    (void) data;
-    (void) data_length;
-
-    return( PSA_ERROR_INVALID_ARGUMENT );
-}
-#else
 static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf,
                                             const uint8_t *data,
                                             size_t data_length )
@@ -5370,7 +5063,6 @@
 
     return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) );
 }
-#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */
 
 static psa_status_t psa_key_derivation_input_internal(
@@ -5389,10 +5081,7 @@
                                  PSA_ALG_HKDF_GET_HASH( kdf_alg ),
                                  step, data, data_length );
     }
-    else
-#endif /* MBEDTLS_MD_C */
-#if defined(MBEDTLS_MD_C)
-    if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
+    else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) )
     {
         status = psa_tls12_prf_input( &operation->ctx.tls12_prf,
                                       PSA_ALG_HKDF_GET_HASH( kdf_alg ),
@@ -5820,20 +5509,37 @@
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
     psa_se_drv_table_entry_t *driver = NULL;
-    status = psa_start_key_creation( attributes, handle, &slot, &driver );
+
+    status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE,
+                                     attributes, handle, &slot, &driver );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     if( driver != NULL )
     {
-        /* Generating a key in a secure element is not implemented yet. */
-        status = PSA_ERROR_NOT_SUPPORTED;
+        const psa_drv_se_t *drv = psa_get_se_driver_methods( driver );
+        size_t pubkey_length = 0; /* We don't support this feature yet */
+        if( drv->key_management == NULL ||
+            drv->key_management->p_generate == NULL )
+        {
+            status = PSA_ERROR_NOT_SUPPORTED;
+            goto exit;
+        }
+        status = drv->key_management->p_generate(
+            psa_get_se_driver_context( driver ),
+            slot->data.se.slot_number, attributes,
+            NULL, 0, &pubkey_length );
     }
+    else
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
-    if( status == PSA_SUCCESS )
     {
         status = psa_generate_key_internal(
             slot, attributes->core.bits,
             attributes->domain_parameters, attributes->domain_parameters_size );
     }
+
+exit:
     if( status == PSA_SUCCESS )
         status = psa_finish_key_creation( slot, driver );
     if( status != PSA_SUCCESS )
@@ -5895,7 +5601,9 @@
         case PSA_CRYPTO_TRANSACTION_CREATE_KEY:
         case PSA_CRYPTO_TRANSACTION_DESTROY_KEY:
             /* TODO - fall through to the failure case until this
-             * is implemented */
+             * is implemented.
+             * https://github.com/ARMmbed/mbed-crypto/issues/218
+             */
         default:
             /* We found an unsupported transaction in the storage.
              * We don't know what state the storage is in. Give up. */
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index fbfb6da..edf3ab6 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -56,14 +56,21 @@
         /* EC public key or key pair */
         mbedtls_ecp_keypair *ecp;
 #endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
         /* Any key type in a secure element */
         struct se
         {
             psa_key_slot_number_t slot_number;
         } se;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
     } data;
 } psa_key_slot_t;
 
+/* A mask of key attribute flags used only internally.
+ * Currently there aren't any. */
+#define PSA_KA_MASK_INTERNAL_ONLY (     \
+        0 )
+
 /** Test whether a key slot is occupied.
  *
  * A key slot is occupied iff the key type is nonzero. This works because
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
index bc73251..523c621 100644
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
@@ -197,11 +197,11 @@
 
 psa_status_t psa_find_se_slot_for_key(
     const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
     psa_se_drv_table_entry_t *driver,
     psa_key_slot_number_t *slot_number )
 {
     psa_status_t status;
-    psa_drv_se_allocate_key_t p_allocate = NULL;
 
     /* If the lifetime is wrong, it's a bug in the library. */
     if( driver->lifetime != psa_get_key_lifetime( attributes ) )
@@ -210,17 +210,34 @@
     /* If the driver doesn't support key creation in any way, give up now. */
     if( driver->methods->key_management == NULL )
         return( PSA_ERROR_NOT_SUPPORTED );
-    p_allocate = driver->methods->key_management->p_allocate;
 
-    /* If the driver doesn't tell us how to allocate a slot, that's
-     * not supported for the time being. */
-    if( p_allocate == NULL )
-        return( PSA_ERROR_NOT_SUPPORTED );
-
-    status = p_allocate( &driver->context,
-                         driver->internal.persistent_data,
-                         attributes,
-                         slot_number );
+    if( psa_get_key_slot_number( attributes, slot_number ) == PSA_SUCCESS )
+    {
+        /* The application wants to use a specific slot. Allow it if
+         * the driver supports it. On a system with isolation,
+         * the crypto service must check that the application is
+         * permitted to request this slot. */
+        psa_drv_se_validate_slot_number_t p_validate_slot_number =
+            driver->methods->key_management->p_validate_slot_number;
+        if( p_validate_slot_number == NULL )
+            return( PSA_ERROR_NOT_SUPPORTED );
+        status = p_validate_slot_number( &driver->context,
+                                         attributes, method,
+                                         *slot_number );
+    }
+    else
+    {
+        /* The application didn't tell us which slot to use. Let the driver
+         * choose. This is the normal case. */
+        psa_drv_se_allocate_key_t p_allocate =
+            driver->methods->key_management->p_allocate;
+        if( p_allocate == NULL )
+            return( PSA_ERROR_NOT_SUPPORTED );
+        status = p_allocate( &driver->context,
+                             driver->internal.persistent_data,
+                             attributes, method,
+                             slot_number );
+    }
     return( status );
 }
 
diff --git a/library/psa_crypto_se.h b/library/psa_crypto_se.h
index 378c78f..900a72b 100644
--- a/library/psa_crypto_se.h
+++ b/library/psa_crypto_se.h
@@ -135,6 +135,7 @@
  */
 psa_status_t psa_find_se_slot_for_key(
     const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
     psa_se_drv_table_entry_t *driver,
     psa_key_slot_number_t *slot_number );
 
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index 0734009..59be319 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -102,7 +102,7 @@
     global_data.key_slots_initialized = 0;
 }
 
-psa_status_t psa_internal_allocate_key_slot( psa_key_handle_t *handle,
+psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
                                              psa_key_slot_t **p_slot )
 {
     if( ! global_data.key_slots_initialized )
@@ -228,7 +228,7 @@
     if( status != PSA_SUCCESS )
         return( status );
 
-    status = psa_internal_allocate_key_slot( handle, &slot );
+    status = psa_get_empty_key_slot( handle, &slot );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -278,15 +278,17 @@
             ++stats->volatile_slots;
         else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
         {
+            psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
             ++stats->persistent_slots;
-            if( slot->attr.id > stats->max_open_internal_key_id )
-                stats->max_open_internal_key_id = slot->attr.id;
+            if( id > stats->max_open_internal_key_id )
+                stats->max_open_internal_key_id = id;
         }
         else
         {
+            psa_app_key_id_t id = PSA_KEY_FILE_GET_KEY_ID(slot->attr.id);
             ++stats->external_slots;
-            if( slot->attr.id > stats->max_open_external_key_id )
-                stats->max_open_external_key_id = slot->attr.id;
+            if( id > stats->max_open_external_key_id )
+                stats->max_open_external_key_id = id;
         }
     }
 }
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index cde590f..472253d 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -71,8 +71,8 @@
  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
  * \retval #PSA_ERROR_BAD_STATE
  */
-psa_status_t psa_internal_allocate_key_slot( psa_key_handle_t *handle,
-                                             psa_key_slot_t **p_slot );
+psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
+                                     psa_key_slot_t **p_slot );
 
 /** Test whether a lifetime designates a key in an external cryptoprocessor.
  *
diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c
index 91e5178..f492e0e 100644
--- a/programs/psa/key_ladder_demo.c
+++ b/programs/psa/key_ladder_demo.c
@@ -68,14 +68,13 @@
 /* If the build options we need are not enabled, compile a placeholder. */
 #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) ||     \
     !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) ||       \
-    !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) ||\
-    defined(PSA_PRE_1_0_KEY_DERIVATION)
+    !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO)
 int main( void )
 {
     printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or "
            "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or "
-           "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO and/or "
-           "not defined and/or PSA_PRE_1_0_KEY_DERIVATION defined.\n");
+           "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "
+           "not defined.\n");
     return( 0 );
 }
 #else
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 7e54370..7dcc98d 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -143,6 +143,7 @@
 add_test_suite(psa_crypto_metadata)
 add_test_suite(psa_crypto_persistent_key)
 add_test_suite(psa_crypto_se_driver_hal)
+add_test_suite(psa_crypto_se_driver_hal_mocks)
 add_test_suite(psa_crypto_slot_management)
 add_test_suite(psa_its)
 add_test_suite(shax)
diff --git a/tests/scripts/check-names.sh b/tests/scripts/check-names.sh
index b07db23..ee72607 100755
--- a/tests/scripts/check-names.sh
+++ b/tests/scripts/check-names.sh
@@ -57,11 +57,14 @@
     printf "Names of $THING: "
     test -r $THING
     BAD=$( grep -E -v '^(MBEDTLS|PSA)_[0-9A-Z_]*[0-9A-Z]$' $THING || true )
-    if [ "x$BAD" = "x" ]; then
+    UNDERSCORES=$( grep -E '.*__.*' $THING || true )
+
+    if [ "x$BAD" = "x" ] && [ "x$UNDERSCORES" = "x" ]; then
         echo "PASS"
     else
         echo "FAIL"
         echo "$BAD"
+        echo "$UNDERSCORES"
         FAIL=1
     fi
 done
diff --git a/tests/scripts/test_psa_constant_names.py b/tests/scripts/test_psa_constant_names.py
index d248ade..cf3a224 100755
--- a/tests/scripts/test_psa_constant_names.py
+++ b/tests/scripts/test_psa_constant_names.py
@@ -162,6 +162,7 @@
     # PSA_ALG_ECDH and PSA_ALG_FFDH are excluded for now as the script
     # currently doesn't support them. Deprecated errors are also excluded.
     _excluded_names = set(['PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH',
+                           'PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH_CASE',
                            'PSA_ALG_FULL_LENGTH_MAC',
                            'PSA_ALG_ECDH',
                            'PSA_ALG_FFDH',
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index b049840..8eee989 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -19,6 +19,9 @@
 PSA key attributes: lifetime then id
 persistence_attributes:0x1234:3:0x1235:0x1235:3
 
+PSA key attributes: slot number
+slot_number_attribute:
+
 PSA import/export raw: 0 bytes
 import_export:"":PSA_KEY_TYPE_RAW_DATA:PSA_KEY_USAGE_EXPORT:0:0:0:PSA_SUCCESS:1
 
@@ -353,6 +356,14 @@
 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 mac_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_224)
 
+PSA key policy: MAC, alg=0 in policy
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:0:PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
+
+PSA key policy: MAC, ANY_HASH in policy is not meaningful
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+mac_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_HMAC(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
+
 PSA key policy: MAC, sign but not verify
 depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 mac_key_policy:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256):PSA_KEY_TYPE_HMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HMAC(PSA_ALG_SHA_256)
@@ -385,6 +396,10 @@
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 cipher_key_policy:0:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
 
+PSA key policy: cipher, alg=0 in policy
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
+cipher_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_CTR
+
 PSA key policy: AEAD, encrypt | decrypt
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
 aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
@@ -393,6 +408,10 @@
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C:MBEDTLS_GCM_C
 aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_GCM
 
+PSA key policy: AEAD, alg=0 in policy
+depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
+aead_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":16:16:PSA_ALG_CCM
+
 PSA key policy: AEAD, encrypt but not decrypt
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
 aead_key_policy:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":13:16:PSA_ALG_CCM
@@ -417,6 +436,10 @@
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
 asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_224):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
 
+PSA key policy: asymmetric encryption, alg=0 in policy
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_CRYPT
+
 PSA key policy: asymmetric encryption, ANY_HASH in policy is not meaningful
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
 asymmetric_encryption_key_policy:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_ANY_HASH):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)
@@ -461,6 +484,10 @@
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
 asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
 
+PSA key policy: asymmetric signature, alg=0 in policy
+depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY:0:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:0
+
 PSA key policy: asymmetric signature, sign but not verify
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 asymmetric_signature_key_policy:PSA_KEY_USAGE_SIGN:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082013b020100024100ee2b131d6b1818a94ca8e91c42387eb15a7c271f57b89e7336b144d4535b16c83097ecdefbbb92d1b5313b5a37214d0e8f25922dca778b424b25295fc8a1a7070203010001024100978ac8eadb0dc6035347d6aba8671215ff21283385396f7897c04baf5e2a835f3b53ef80a82ed36ae687a925380b55a0c73eb85656e989dcf0ed7fb4887024e1022100fdad8e1c6853563f8b921d2d112462ae7d6b176082d2ba43e87e1a37fc1a8b33022100f0592cf4c55ba44307b18981bcdbda376c51e590ffa5345ba866f6962dca94dd02201995f1a967d44ff4a4cd1de837bc65bf97a2bf7eda730a9a62cea53254591105022027f96cf4b8ee68ff8d04062ec1ce7f18c0b74e4b3379b29f9bfea3fc8e592731022100cefa6d220496b43feb83194255d8fb930afcf46f36606e3aa0eb7a93ad88c10c":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:1
@@ -478,7 +505,7 @@
 derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_256)
 
 PSA key policy: derive via TLS 1.2 PRF, permitted
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)
 
 PSA key policy: derive via HKDF, not permitted
@@ -486,7 +513,7 @@
 derive_key_policy:0:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_256)
 
 PSA key policy: derive via TLS 1.2 PRF, not permitted
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_policy:0:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)
 
 PSA key policy: derive via HKDF, wrong algorithm
@@ -494,7 +521,7 @@
 derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_224)
 
 PSA key policy: derive via TLS 1.2 PRF, wrong algorithm
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_policy:PSA_KEY_USAGE_DERIVE:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa":PSA_ALG_HKDF(PSA_ALG_SHA_224)
 
 PSA key policy: agreement + KDF, permitted
@@ -1488,7 +1515,7 @@
 import_and_exercise_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_HKDF(PSA_ALG_SHA_256)
 
 PSA import/exercise: TLS 1.2 PRF SHA-256
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 import_and_exercise_key:"c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0":PSA_KEY_TYPE_DERIVE:192:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)
 
 PSA sign: RSA PKCS#1 v1.5, raw
@@ -1817,39 +1844,39 @@
 derive_input:PSA_ALG_HKDF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SALT:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_INFO:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_SUCCESS
 
 PSA key derivation: TLS 1.2 PRF SHA-256, good case
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS
 
 PSA key derivation: TLS 1.2 PRF SHA-256, key first
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE
 
 PSA key derivation: TLS 1.2 PRF SHA-256, label first
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE
 
 PSA key derivation: TLS 1.2 PRF SHA-256, early label
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE
 
 PSA key derivation: TLS 1.2 PRF SHA-256, double seed
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_ERROR_BAD_STATE:PSA_ERROR_BAD_STATE
 
 PSA key derivation: TLS 1.2 PRF SHA-256, double key
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_SUCCESS:PSA_SUCCESS:PSA_ERROR_BAD_STATE
 
 PSA key derivation: TLS 1.2 PRF SHA-256, bad key type
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_TYPE_RAW_DATA:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
 
 PSA key derivation: HKDF invalid state (double generate + read past capacity)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 test_derive_invalid_key_derivation_state:PSA_ALG_HKDF(PSA_ALG_SHA_256)
 
 PSA key derivation: TLS 1.2 PRF invalid state (double generate + read past capacity)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 test_derive_invalid_key_derivation_state:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256)
 
 PSA key derivation: invalid state (call read/get_capacity after init and abort)
@@ -1906,70 +1933,70 @@
 
 # Test vectors taken from https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
 PSA key derivation: TLS 1.2 PRF SHA-256, output 100+0
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66":""
 
 PSA key derivation: TLS 1.2 PRF SHA-256, output 99+1
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b":"66"
 
 PSA key derivation: TLS 1.2 PRF SHA-256, output 1+99
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3":"f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa022f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66"
 
 PSA key derivation: TLS 1.2 PRF SHA-256, output 50+50
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b66"
 
 PSA key derivation: TLS 1.2 PRF SHA-256, output 50+49
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"a0ba9f936cda311827a6f796ffd5198c":PSA_KEY_DERIVATION_INPUT_SECRET:"9bbe436ba940f017b17652849a71db35":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":100:"e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a6b301791e90d35c9c9a46b4e14baf9af0fa0":"22f7077def17abfd3797c0564bab4fbc91666e9def9b97fce34f796789baa48082d122ee42c5a72e5a5110fff70187347b"
 
 PSA key derivation: TLS 1.2 PRF SHA-384, output 148+0
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f":""
 
 PSA key derivation: TLS 1.2 PRF SHA-384, output 147+1
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5":"6f"
 
 PSA key derivation: TLS 1.2 PRF SHA-384, output 1+147
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b":"0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792eca722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f"
 
 PSA key derivation: TLS 1.2 PRF SHA-384, output 74+74
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e56f"
 
 PSA key derivation: TLS 1.2 PRF SHA-384, output 74+73
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"cd665cf6a8447dd6ff8b27555edb7465":PSA_KEY_DERIVATION_INPUT_SECRET:"b80b733d6ceefcdc71566ea48e5567df":PSA_KEY_DERIVATION_INPUT_LABEL:"74657374206c6162656c":148:"7b0c18e9ced410ed1804f2cfa34a336a1c14dffb4900bb5fd7942107e81c83cde9ca0faa60be9fe34f82b1233c9146a0e534cb400fed2700884f9dc236f80edd8bfa961144c9e8d792ec":"a722a7b32fc3d416d473ebc2c5fd4abfdad05d9184259b5bf8cd4d90fa0d31e2dec479e4f1a26066f2eea9a69236a3e52655c9e9aee691c8f3a26854308d5eaa3be85e0990703d73e5"
 
 # Test case manually extracted from debug output of TLS-PSK run
 # Label: "master secret"
 # Salt: Concatenation of ClientHello.Random and ServerHello.Random
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 48+0
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710":""
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 24+24
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32c":"a43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710"
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, 0+48
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_DERIVATION_INPUT_SEED:"5bc0b19b4a8b24b07afe7ec65c471e94a7d518fcef06c3574315255c52afe21b5bc0b19b872b9b26508458f03603744d575f463a11ae7f1b090c012606fd3e9f":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"":"5a9dd5ffa78b4d1f28f40d91b4e6e6ed37849042d61ba32ca43d866e744cee7cd1baaa497e1ecd5c2e60f9f13030a710"
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 48+0
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18":""
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 24+24
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"":"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c85ca71689301f9f4d875128c87608b75250b20a9550e4fe18"
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-384, 0+48
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_output:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384):PSA_KEY_DERIVATION_INPUT_SEED:"5bed47716a11a49a6268a8350b085929116ad9ccc8181f09a05b07a7741576d65bed47718dfd82f2d3f57544afe52decae6819b970dc716ada72ae0dd3072e9a":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304":PSA_KEY_DERIVATION_INPUT_LABEL:"6d617374657220736563726574":48:"f5a61fbdd2ec415762abb8042a6c16645a53d2edb6dec8c8":"5ca71689301f9f4d875128c87608b75250b20a9550e4fe18"
 
 PSA key derivation: HKDF SHA-256, request maximum capacity
@@ -1989,7 +2016,7 @@
 derive_set_capacity:PSA_ALG_HKDF(PSA_ALG_SHA_1):255 * 20 + 1:PSA_ERROR_INVALID_ARGUMENT
 
 PSA key derivation: TLS 1.2 PSK-to-MS, SHA-256, PSK too long (160 Bytes)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_input:PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256):PSA_KEY_TYPE_DERIVE:PSA_KEY_DERIVATION_INPUT_SEED:"":PSA_KEY_DERIVATION_INPUT_SECRET:"01020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708010203040506070801020304050607080102030405060708":PSA_KEY_DERIVATION_INPUT_LABEL:"":PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE
 
 PSA key derivation: over capacity 42: output 42+1
@@ -2017,98 +2044,98 @@
 derive_full:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32
 
 PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity minus 1
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32 - 1
 
 PSA key derivation: TLS 1.2 PRF SHA-256, read maximum capacity
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_full:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":255 * 32
 
 PSA key derivation: HKDF SHA-256, exercise AES128-CTR
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR
 
 PSA key derivation: HKDF SHA-256, exercise AES256-CTR
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR
 
 PSA key derivation: HKDF SHA-256, exercise DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: HKDF SHA-256, exercise 2-key 3DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: HKDF SHA-256, exercise 3-key 3DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: HKDF SHA-256, exercise HMAC-SHA-256
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_exercise:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256)
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise AES128-CTR
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise AES256-CTR
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:256:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CTR
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:64:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise 2-key 3DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:128:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise 3-key 3DES-CBC
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DES:192:PSA_KEY_USAGE_ENCRYPT:PSA_ALG_CBC_PKCS7
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise HMAC-SHA-256
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_HMAC:256:PSA_KEY_USAGE_SIGN:PSA_ALG_HMAC(PSA_ALG_SHA_256)
 
 PSA key derivation: TLS 1.2 PRF SHA-256, exercise HKDF-SHA-256
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_exercise:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_DERIVE:400:PSA_KEY_USAGE_DERIVE:PSA_ALG_HKDF(PSA_ALG_SHA_256)
 
 PSA key derivation: HKDF SHA-256, derive key export, 16+32
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":16:32
 
 PSA key derivation: HKDF SHA-256, derive key export, 1+41
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_export:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41
 
 PSA key derivation: TLS 1.2 PRF SHA-256, derive key export, 16+32
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_export:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":16:32
 
 PSA key derivation: TLS 1.2 PRF SHA-256, derive key export, 1+41
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
 derive_key_export:PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":1:41
 
 PSA key derivation: invalid type (0)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_NOT_SUPPORTED
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_INVALID_ARGUMENT
 
 PSA key derivation: invalid type (PSA_KEY_TYPE_CATEGORY_MASK)
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C:!PSA_PRE_1_0_KEY_DERIVATION
-derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_NOT_SUPPORTED
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
+derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_CATEGORY_MASK:128:PSA_ERROR_INVALID_ARGUMENT
 
 # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes
 # and not expected to be raised any time soon) is less than the maximum
 # output from HKDF-SHA512 (255*64 = 16320 bytes).
 PSA key derivation: largest possible key
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:PSA_MAX_KEY_BITS:PSA_SUCCESS
 
 PSA key derivation: key too large
-depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C:!PSA_PRE_1_0_KEY_DERIVATION
+depends_on:MBEDTLS_MD_C:MBEDTLS_SHA512_C
 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_512):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_RAW_DATA:PSA_MAX_KEY_BITS + 1:PSA_ERROR_NOT_SUPPORTED
 
 PSA key agreement setup: ECDH + HKDF-SHA-256: good
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 0eb6172..3225bef 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1113,6 +1113,23 @@
     return( ok );
 }
 
+/* Assert that a key isn't reported as having a slot number. */
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#define ASSERT_NO_SLOT_NUMBER( attributes )                             \
+    do                                                                  \
+    {                                                                   \
+        psa_key_slot_number_t ASSERT_NO_SLOT_NUMBER_slot_number;        \
+        TEST_EQUAL( psa_get_key_slot_number(                            \
+                        attributes,                                     \
+                        &ASSERT_NO_SLOT_NUMBER_slot_number ),           \
+                    PSA_ERROR_INVALID_ARGUMENT );                       \
+    }                                                                   \
+    while( 0 )
+#else /* MBEDTLS_PSA_CRYPTO_SE_C */
+#define ASSERT_NO_SLOT_NUMBER( attributes )     \
+    ( (void) 0 )
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 /* An overapproximation of the amount of storage needed for a key of the
  * given type and with the given content. The API doesn't make it easy
  * to find a good value for the size. The current implementation doesn't
@@ -1214,6 +1231,46 @@
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_SE_C */
+void slot_number_attribute( )
+{
+    psa_key_slot_number_t slot_number = 0xdeadbeef;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+    /* Initially, there is no slot number. */
+    TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ),
+                PSA_ERROR_INVALID_ARGUMENT );
+
+    /* Test setting a slot number. */
+    psa_set_key_slot_number( &attributes, 0 );
+    PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) );
+    TEST_EQUAL( slot_number, 0 );
+
+    /* Test changing the slot number. */
+    psa_set_key_slot_number( &attributes, 42 );
+    PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) );
+    TEST_EQUAL( slot_number, 42 );
+
+    /* Test clearing the slot number. */
+    psa_clear_key_slot_number( &attributes );
+    TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ),
+                PSA_ERROR_INVALID_ARGUMENT );
+
+    /* Clearing again should have no effect. */
+    psa_clear_key_slot_number( &attributes );
+    TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ),
+                PSA_ERROR_INVALID_ARGUMENT );
+
+    /* Test that reset clears the slot number. */
+    psa_set_key_slot_number( &attributes, 42 );
+    PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) );
+    TEST_EQUAL( slot_number, 42 );
+    psa_reset_key_attributes( &attributes );
+    TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ),
+                PSA_ERROR_INVALID_ARGUMENT );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void import_with_policy( int type_arg,
                          int usage_arg, int alg_arg,
@@ -1246,6 +1303,7 @@
     TEST_EQUAL( psa_get_key_type( &got_attributes ), type );
     TEST_EQUAL( psa_get_key_usage_flags( &got_attributes ), usage );
     TEST_EQUAL( psa_get_key_algorithm( &got_attributes ), alg );
+    ASSERT_NO_SLOT_NUMBER( &got_attributes );
 
     PSA_ASSERT( psa_destroy_key( handle ) );
     test_operations_on_invalid_handle( handle );
@@ -1284,6 +1342,7 @@
     TEST_EQUAL( psa_get_key_type( &got_attributes ), type );
     if( attr_bits != 0 )
         TEST_EQUAL( attr_bits, psa_get_key_bits( &got_attributes ) );
+    ASSERT_NO_SLOT_NUMBER( &got_attributes );
 
     PSA_ASSERT( psa_destroy_key( handle ) );
     test_operations_on_invalid_handle( handle );
@@ -1328,6 +1387,7 @@
         TEST_EQUAL( psa_get_key_type( &attributes ), type );
         TEST_EQUAL( psa_get_key_bits( &attributes ),
                     PSA_BYTES_TO_BITS( byte_size ) );
+        ASSERT_NO_SLOT_NUMBER( &attributes );
         memset( buffer, 0, byte_size + 1 );
         PSA_ASSERT( psa_export_key( handle, buffer, byte_size, &n ) );
         for( n = 0; n < byte_size; n++ )
@@ -1420,6 +1480,7 @@
     PSA_ASSERT( psa_get_key_attributes( handle, &got_attributes ) );
     TEST_EQUAL( psa_get_key_type( &got_attributes ), type );
     TEST_EQUAL( psa_get_key_bits( &got_attributes ), (size_t) expected_bits );
+    ASSERT_NO_SLOT_NUMBER( &got_attributes );
 
     /* Export the key */
     status = psa_export_key( handle,
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.data b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
index 6fb65f0..5819f78 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.data
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.data
@@ -39,59 +39,125 @@
 SE key import-export, check after restart (slot 3)
 key_creation_import_export:3:1
 
-Key creation smoke test: AES-CTR
-key_creation_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key creation in a specific slot (0)
+key_creation_in_chosen_slot:0:0:PSA_SUCCESS
 
-Key creation smoke test: AES-CBC
-key_creation_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CBC_NO_PADDING:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key creation in a specific slot (max)
+key_creation_in_chosen_slot:ARRAY_LENGTH( ram_slots ) - 1:0:PSA_SUCCESS
 
-Key creation smoke test: AES-CMAC
-key_creation_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key creation in a specific slot (0, restart)
+key_creation_in_chosen_slot:0:1:PSA_SUCCESS
 
-Key creation smoke test: AES-CCM
-key_creation_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key creation in a specific slot (max, restart)
+key_creation_in_chosen_slot:ARRAY_LENGTH( ram_slots ) - 1:1:PSA_SUCCESS
 
-Key creation smoke test: AES-GCM
-key_creation_smoke:PSA_KEY_TYPE_AES:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key creation in a specific slot (too large)
+key_creation_in_chosen_slot:ARRAY_LENGTH( ram_slots ):0:PSA_ERROR_INVALID_ARGUMENT
 
-Key creation smoke test: CAMELLIA-CTR
-key_creation_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: AES-CTR
+import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: CAMELLIA-CBC
-key_creation_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CBC_NO_PADDING:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: AES-CBC
+import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CBC_NO_PADDING:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: CAMELLIA-CMAC
-key_creation_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: AES-CMAC
+import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: CAMELLIA-CCM
-key_creation_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: AES-CCM
+import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_CCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: CAMELLIA-CCM
-key_creation_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: AES-GCM
+import_key_smoke:PSA_KEY_TYPE_AES:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: HMAC-SHA-256
-key_creation_smoke:PSA_KEY_TYPE_HMAC:PSA_ALG_HMAC( PSA_ALG_SHA_256 ):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: CAMELLIA-CTR
+import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CTR:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: HKDF-SHA-256
-key_creation_smoke:PSA_KEY_TYPE_DERIVE:PSA_ALG_HKDF( PSA_ALG_SHA_256 ):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+Key import smoke test: CAMELLIA-CBC
+import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CBC_NO_PADDING:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: RSA PKCS#1v1.5 signature
-key_creation_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+Key import smoke test: CAMELLIA-CMAC
+import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_CMAC:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: RSA PKCS#1v1.5 encryption
-key_creation_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_CRYPT:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+Key import smoke test: CAMELLIA-CCM
+import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: RSA OAEP encryption
-key_creation_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_OAEP( PSA_ALG_SHA_256 ):"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+Key import smoke test: CAMELLIA-CCM
+import_key_smoke:PSA_KEY_TYPE_CAMELLIA:PSA_ALG_GCM:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: ECDSA secp256r1
-key_creation_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
+Key import smoke test: HMAC-SHA-256
+import_key_smoke:PSA_KEY_TYPE_HMAC:PSA_ALG_HMAC( PSA_ALG_SHA_256 ):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: ECDH secp256r1
-key_creation_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDH:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
+Key import smoke test: HKDF-SHA-256
+import_key_smoke:PSA_KEY_TYPE_DERIVE:PSA_ALG_HKDF( PSA_ALG_SHA_256 ):"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
-Key creation smoke test: ECDH secp256r1 with HKDF
-key_creation_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_KEY_AGREEMENT( PSA_ALG_ECDH, PSA_ALG_HKDF( PSA_ALG_SHA_256 ) ):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
+Key import smoke test: RSA PKCS#1v1.5 signature
+import_key_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+
+Key import smoke test: RSA PKCS#1v1.5 encryption
+import_key_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_PKCS1V15_CRYPT:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+
+Key import smoke test: RSA OAEP encryption
+import_key_smoke:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_ALG_RSA_OAEP( PSA_ALG_SHA_256 ):"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001"
+
+Key import smoke test: ECDSA secp256r1
+import_key_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
+
+Key import smoke test: ECDH secp256r1
+import_key_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDH:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
+
+Key import smoke test: ECDH secp256r1 with HKDF
+import_key_smoke:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_KEY_AGREEMENT( PSA_ALG_ECDH, PSA_ALG_HKDF( PSA_ALG_SHA_256 ) ):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee"
 
 Generate key: not supported
 generate_key_not_supported:PSA_KEY_TYPE_AES:128
+
+Key generation smoke test: AES-128-CTR
+generate_key_smoke:PSA_KEY_TYPE_AES:128:PSA_ALG_CTR
+
+Key generation smoke test: AES-256-CTR
+generate_key_smoke:PSA_KEY_TYPE_AES:128:PSA_ALG_CTR
+
+Key generation smoke test: HMAC-SHA-256
+generate_key_smoke:PSA_KEY_TYPE_HMAC:256:PSA_ALG_HMAC( PSA_ALG_SHA_256 )
+
+Key registration: smoke test
+register_key_smoke_test:MIN_DRIVER_LIFETIME:-1:PSA_SUCCESS
+
+Key registration: invalid lifetime (volatile)
+register_key_smoke_test:PSA_KEY_LIFETIME_VOLATILE:-1:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: invalid lifetime (internal storage)
+register_key_smoke_test:PSA_KEY_LIFETIME_PERSISTENT:-1:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: invalid lifetime (no registered driver)
+register_key_smoke_test:MIN_DRIVER_LIFETIME + 1:-1:PSA_ERROR_INVALID_ARGUMENT
+
+Key registration: with driver validation (accepted)
+register_key_smoke_test:MIN_DRIVER_LIFETIME:1:PSA_SUCCESS
+
+Key registration: with driver validation (rejected)
+register_key_smoke_test:MIN_DRIVER_LIFETIME:0:PSA_ERROR_NOT_PERMITTED
+
+Import-sign-verify: sign in driver, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_DRIVER_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
+
+Import-sign-verify: sign in driver then export_public, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
+
+Import-sign-verify: sign in software, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:0:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
+
+Generate-sign-verify: sign in driver, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_DRIVER_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
+
+Generate-sign-verify: sign in driver then export_public, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
+
+Generate-sign-verify: sign in software, ECDSA
+depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+sign_verify:SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:PSA_KEY_TYPE_ECC_KEY_PAIR( PSA_ECC_CURVE_SECP256R1 ):PSA_ALG_ECDSA_ANY:256:"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":"54686973206973206e6f74206120686173682e"
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
index 6ac19a6..fc6f668 100644
--- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function
@@ -18,11 +18,13 @@
  * This is probably a bug in the library. */
 #define PSA_ERROR_DETECTED_BY_DRIVER ((psa_status_t)( -500 ))
 
-/** Like #TEST_ASSERT for use in a driver method.
+/** Like #TEST_ASSERT for use in a driver method, with no cleanup.
+ *
+ * If an error happens, this macro returns from the calling function.
  *
  * Use this macro to assert on guarantees provided by the core.
  */
-#define DRIVER_ASSERT( TEST )                               \
+#define DRIVER_ASSERT_RETURN( TEST )                        \
     do {                                                    \
        if( ! (TEST) )                                       \
        {                                                    \
@@ -31,20 +33,86 @@
        }                                                    \
     } while( 0 )
 
+/** Like #TEST_ASSERT for use in a driver method, with cleanup.
+ *
+ * In case of error, this macro sets `status` and jumps to the
+ * label `exit`.
+ *
+ * Use this macro to assert on guarantees provided by the core.
+ */
+#define DRIVER_ASSERT( TEST )                               \
+    do {                                                    \
+       if( ! (TEST) )                                       \
+       {                                                    \
+          test_fail( #TEST, __LINE__, __FILE__ );           \
+          status = PSA_ERROR_DETECTED_BY_DRIVER;            \
+          goto exit;                                        \
+       }                                                    \
+    } while( 0 )
+
+/** Like #PSA_ASSERT for a PSA API call that calls a driver underneath.
+ *
+ * Run the code \p expr. If this returns \p expected_status,
+ * do nothing. If this returns #PSA_ERROR_DETECTED_BY_DRIVER,
+ * jump directly to the `exit` label. If this returns any other
+ * status, call test_fail() then jump to `exit`.
+ *
+ * The special case for #PSA_ERROR_DETECTED_BY_DRIVER is because in this
+ * case, the test driver code is expected to have called test_fail()
+ * already, so we make sure not to overwrite the failure information.
+ */
+#define PSA_ASSERT_VIA_DRIVER( expr, expected_status )                  \
+    do {                                                                \
+        psa_status_t PSA_ASSERT_VIA_DRIVER_status = ( expr );           \
+        if( PSA_ASSERT_VIA_DRIVER_status == PSA_ERROR_DETECTED_BY_DRIVER ) \
+            goto exit;                                                  \
+        if( PSA_ASSERT_VIA_DRIVER_status != ( expected_status ) )       \
+        {                                                               \
+            test_fail( #expr, __LINE__, __FILE__ );                     \
+            goto exit;                                                  \
+        }                                                               \
+    } while( 0 )
+
 
 
 /****************************************************************/
 /* Miscellaneous driver methods */
 /****************************************************************/
 
+typedef struct
+{
+    psa_key_slot_number_t slot_number;
+    psa_key_creation_method_t method;
+    psa_status_t status;
+} validate_slot_number_directions_t;
+static validate_slot_number_directions_t validate_slot_number_directions;
+
+/* Validate a choice of slot number as directed. */
+static psa_status_t validate_slot_number_as_directed(
+    psa_drv_se_context_t *context,
+    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
+    psa_key_slot_number_t slot_number )
+{
+    (void) context;
+    (void) attributes;
+    DRIVER_ASSERT_RETURN( slot_number ==
+                          validate_slot_number_directions.slot_number );
+    DRIVER_ASSERT_RETURN( method ==
+                          validate_slot_number_directions.method );
+    return( validate_slot_number_directions.status );
+}
+
 /* Allocate slot numbers with a monotonic counter. */
 static psa_status_t counter_allocate( psa_drv_se_context_t *context,
                                       void *persistent_data,
                                       const psa_key_attributes_t *attributes,
+                                      psa_key_creation_method_t method,
                                       psa_key_slot_number_t *slot_number )
 {
     psa_key_slot_number_t *p_counter = persistent_data;
     (void) attributes;
+    (void) method;
     if( context->persistent_data_size != sizeof( psa_key_slot_number_t ) )
         return( PSA_ERROR_DETECTED_BY_DRIVER );
     ++*p_counter;
@@ -57,27 +125,54 @@
 /* Null import: do nothing, but pretend it worked. */
 static psa_status_t null_import( psa_drv_se_context_t *context,
                                  psa_key_slot_number_t slot_number,
-                                 psa_key_lifetime_t lifetime,
-                                 psa_key_type_t type,
-                                 psa_algorithm_t algorithm,
-                                 psa_key_usage_t usage,
-                                 const uint8_t *p_data,
+                                 const psa_key_attributes_t *attributes,
+                                 const uint8_t *data,
                                  size_t data_length,
                                  size_t *bits )
 {
     (void) context;
     (void) slot_number;
-    (void) lifetime;
-    (void) type;
-    (void) algorithm;
-    (void) usage;
-    (void) p_data;
+    (void) attributes;
+    (void) data;
     /* We're supposed to return a key size. Return one that's correct for
      * plain data keys. */
     *bits = PSA_BYTES_TO_BITS( data_length );
     return( PSA_SUCCESS );
 }
 
+/* Null generate: do nothing, but pretend it worked. */
+static psa_status_t null_generate( psa_drv_se_context_t *context,
+                                   psa_key_slot_number_t slot_number,
+                                   const psa_key_attributes_t *attributes,
+                                   uint8_t *pubkey,
+                                   size_t pubkey_size,
+                                   size_t *pubkey_length )
+{
+    (void) context;
+    (void) slot_number;
+    (void) attributes;
+
+    DRIVER_ASSERT_RETURN( *pubkey_length == 0 );
+    if( ! PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) )
+    {
+        DRIVER_ASSERT_RETURN( pubkey == NULL );
+        DRIVER_ASSERT_RETURN( pubkey_size == 0 );
+    }
+
+    return( PSA_SUCCESS );
+}
+
+/* Null destroy: do nothing, but pretend it worked. */
+static psa_status_t null_destroy( psa_drv_se_context_t *context,
+                                  void *persistent_data,
+                                  psa_key_slot_number_t slot_number )
+{
+    (void) context;
+    (void) persistent_data;
+    (void) slot_number;
+    return( PSA_SUCCESS );
+}
+
 
 
 /****************************************************************/
@@ -106,44 +201,135 @@
     ram_min_slot = 0;
 }
 
+/* Common parts of key creation.
+ *
+ * In case of error, zero out ram_slots[slot_number]. But don't
+ * do that if the error is PSA_ERROR_DETECTED_BY_DRIVER: in this case
+ * you don't need to clean up (ram_slot_reset() will take care of it
+ * in the test case function's cleanup code) and it might be wrong
+ * (if slot_number is invalid).
+ */
+static psa_status_t ram_create_common( psa_drv_se_context_t *context,
+                                       psa_key_slot_number_t slot_number,
+                                       const psa_key_attributes_t *attributes,
+                                       size_t required_storage )
+{
+    (void) context;
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
+
+    ram_slots[slot_number].lifetime = psa_get_key_lifetime( attributes );
+    ram_slots[slot_number].type = psa_get_key_type( attributes );
+    ram_slots[slot_number].bits = psa_get_key_bits( attributes );
+
+    if( required_storage > sizeof( ram_slots[slot_number].content ) )
+    {
+        memset( &ram_slots[slot_number], 0, sizeof( ram_slots[slot_number] ) );
+        return( PSA_ERROR_INSUFFICIENT_STORAGE );
+    }
+
+    return( PSA_SUCCESS );
+}
+
+/* This function does everything except actually generating key material.
+ * After calling it, you must copy the desired key material to
+ * ram_slots[slot_number].content. */
+static psa_status_t ram_fake_generate( psa_drv_se_context_t *context,
+                                       psa_key_slot_number_t slot_number,
+                                       const psa_key_attributes_t *attributes,
+                                       uint8_t *pubkey,
+                                       size_t pubkey_size,
+                                       size_t *pubkey_length )
+{
+    psa_status_t status;
+    size_t required_storage =
+        PSA_KEY_EXPORT_MAX_SIZE( psa_get_key_type( attributes ),
+                                 psa_get_key_bits( attributes ) );
+
+    DRIVER_ASSERT_RETURN( *pubkey_length == 0 );
+    if( ! PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) )
+    {
+        DRIVER_ASSERT_RETURN( pubkey == NULL );
+        DRIVER_ASSERT_RETURN( pubkey_size == 0 );
+    }
+
+    status = ram_create_common( context, slot_number, attributes,
+                                required_storage );
+    return( status );
+}
+
 static psa_status_t ram_import( psa_drv_se_context_t *context,
                                 psa_key_slot_number_t slot_number,
-                                psa_key_lifetime_t lifetime,
-                                psa_key_type_t type,
-                                psa_algorithm_t algorithm,
-                                psa_key_usage_t usage,
-                                const uint8_t *p_data,
+                                const psa_key_attributes_t *attributes,
+                                const uint8_t *data,
                                 size_t data_length,
                                 size_t *bits )
 {
-    (void) context;
-    DRIVER_ASSERT( slot_number < ARRAY_LENGTH( ram_slots ) );
-    if( data_length > sizeof( ram_slots[slot_number].content ) )
-        return( PSA_ERROR_INSUFFICIENT_STORAGE );
-    ram_slots[slot_number].lifetime = lifetime;
-    ram_slots[slot_number].type = type;
-    ram_slots[slot_number].bits = PSA_BYTES_TO_BITS( data_length );
-    *bits = PSA_BYTES_TO_BITS( data_length );
-    (void) algorithm;
-    (void) usage;
-    memcpy( ram_slots[slot_number].content, p_data, data_length );
+    psa_key_type_t type = psa_get_key_type( attributes );
+    psa_status_t status = ram_create_common( context, slot_number, attributes,
+                                             data_length );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    /* The RAM driver only works for certain key types: raw keys,
+     * and ECC key pairs. This is true in particular of the bit-size
+     * calculation here. */
+    if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
+        *bits = PSA_BYTES_TO_BITS( data_length );
+    else if ( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( type ) )
+        *bits = PSA_ECC_CURVE_BITS( PSA_KEY_TYPE_GET_CURVE( type ) );
+    else
+    {
+        memset( &ram_slots[slot_number], 0, sizeof( ram_slots[slot_number] ) );
+        return( PSA_ERROR_NOT_SUPPORTED );
+    }
+
+    ram_slots[slot_number].bits = *bits;
+    memcpy( ram_slots[slot_number].content, data, data_length );
+
     return( PSA_SUCCESS );
 }
 
 static psa_status_t ram_export( psa_drv_se_context_t *context,
                                 psa_key_slot_number_t slot_number,
-                                uint8_t *p_data,
+                                uint8_t *data,
                                 size_t data_size,
-                                size_t *p_data_length )
+                                size_t *data_length )
 {
     size_t actual_size;
     (void) context;
-    DRIVER_ASSERT( slot_number < ARRAY_LENGTH( ram_slots ) );
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
     actual_size = PSA_BITS_TO_BYTES( ram_slots[slot_number].bits );
     if( actual_size > data_size )
         return( PSA_ERROR_BUFFER_TOO_SMALL );
-    *p_data_length = actual_size;
-    memcpy( p_data, ram_slots[slot_number].content, actual_size );
+    *data_length = actual_size;
+    memcpy( data, ram_slots[slot_number].content, actual_size );
+    return( PSA_SUCCESS );
+}
+
+static psa_status_t ram_export_public( psa_drv_se_context_t *context,
+                                       psa_key_slot_number_t slot_number,
+                                       uint8_t *data,
+                                       size_t data_size,
+                                       size_t *data_length )
+{
+    psa_status_t status;
+    psa_key_handle_t handle;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+    (void) context;
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
+    DRIVER_ASSERT_RETURN(
+        PSA_KEY_TYPE_IS_KEY_PAIR( ram_slots[slot_number].type ) );
+
+    psa_set_key_type( &attributes, ram_slots[slot_number].type );
+    status = psa_import_key( &attributes,
+                             ram_slots[slot_number].content,
+                             PSA_BITS_TO_BYTES( ram_slots[slot_number].bits ),
+                             &handle );
+    if( status != PSA_SUCCESS )
+        return( status );
+    status = psa_export_public_key( handle, data, data_size, data_length );
+    psa_destroy_key( handle );
     return( PSA_SUCCESS );
 }
 
@@ -152,8 +338,8 @@
                                  psa_key_slot_number_t slot_number )
 {
     ram_slot_usage_t *slot_usage = persistent_data;
-    DRIVER_ASSERT( context->persistent_data_size == sizeof( ram_slot_usage_t ) );
-    DRIVER_ASSERT( slot_number < ARRAY_LENGTH( ram_slots ) );
+    DRIVER_ASSERT_RETURN( context->persistent_data_size == sizeof( ram_slot_usage_t ) );
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
     memset( &ram_slots[slot_number], 0, sizeof( ram_slots[slot_number] ) );
     *slot_usage &= ~(ram_slot_usage_t)( 1 << slot_number );
     return( PSA_SUCCESS );
@@ -162,11 +348,13 @@
 static psa_status_t ram_allocate( psa_drv_se_context_t *context,
                                   void *persistent_data,
                                   const psa_key_attributes_t *attributes,
+                                  psa_key_creation_method_t method,
                                   psa_key_slot_number_t *slot_number )
 {
     ram_slot_usage_t *slot_usage = persistent_data;
     (void) attributes;
-    DRIVER_ASSERT( context->persistent_data_size == sizeof( ram_slot_usage_t ) );
+    (void) method;
+    DRIVER_ASSERT_RETURN( context->persistent_data_size == sizeof( ram_slot_usage_t ) );
     for( *slot_number = ram_min_slot;
          *slot_number < ARRAY_LENGTH( ram_slots );
          ++( *slot_number ) )
@@ -177,12 +365,103 @@
     return( PSA_ERROR_INSUFFICIENT_STORAGE );
 }
 
+static psa_status_t ram_validate_slot_number(
+    psa_drv_se_context_t *context,
+    const psa_key_attributes_t *attributes,
+    psa_key_creation_method_t method,
+    psa_key_slot_number_t slot_number )
+{
+    (void) context;
+    (void) attributes;
+    (void) method;
+    if( slot_number >= ARRAY_LENGTH( ram_slots ) )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    return( PSA_SUCCESS );
+}
+
+static psa_status_t ram_sign( psa_drv_se_context_t *context,
+                              psa_key_slot_number_t slot_number,
+                              psa_algorithm_t alg,
+                              const uint8_t *hash,
+                              size_t hash_length,
+                              uint8_t *signature,
+                              size_t signature_size,
+                              size_t *signature_length )
+{
+    ram_slot_t *slot;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_handle_t handle = 0;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    (void) context;
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
+    slot = &ram_slots[slot_number];
+
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN );
+    psa_set_key_algorithm( &attributes, alg );
+    psa_set_key_type( &attributes, slot->type );
+    DRIVER_ASSERT( psa_import_key( &attributes,
+                                   slot->content,
+                                   PSA_BITS_TO_BYTES( slot->bits ),
+                                   &handle ) == PSA_SUCCESS );
+    status = psa_asymmetric_sign( handle, alg,
+                                  hash, hash_length,
+                                  signature, signature_size,
+                                  signature_length );
+
+exit:
+    psa_destroy_key( handle );
+    return( status );
+}
+
+static psa_status_t ram_verify( psa_drv_se_context_t *context,
+                                psa_key_slot_number_t slot_number,
+                                psa_algorithm_t alg,
+                                const uint8_t *hash,
+                                size_t hash_length,
+                                const uint8_t *signature,
+                                size_t signature_length )
+{
+    ram_slot_t *slot;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_handle_t handle = 0;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    (void) context;
+    DRIVER_ASSERT_RETURN( slot_number < ARRAY_LENGTH( ram_slots ) );
+    slot = &ram_slots[slot_number];
+
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY );
+    psa_set_key_algorithm( &attributes, alg );
+    psa_set_key_type( &attributes, slot->type );
+    DRIVER_ASSERT( psa_import_key( &attributes,
+                                   slot->content,
+                                   PSA_BITS_TO_BYTES( slot->bits ),
+                                   &handle ) ==
+                   PSA_SUCCESS );
+    status = psa_asymmetric_verify( handle, alg,
+                                    hash, hash_length,
+                                    signature, signature_length );
+
+exit:
+    psa_destroy_key( handle );
+    return( status );
+}
+
+
 
 
 /****************************************************************/
 /* Other test helper functions */
 /****************************************************************/
 
+typedef enum
+{
+    SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION,
+    SIGN_IN_DRIVER_AND_PARALLEL_CREATION,
+    SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC,
+} sign_verify_method_t;
+
 /* Check that the attributes of a key reported by psa_get_key_attributes()
  * are consistent with the attributes used when creating the key. */
 static int check_key_attributes(
@@ -212,6 +491,31 @@
                     psa_get_key_bits( reference_attributes ) );
     }
 
+    {
+        psa_key_slot_number_t actual_slot_number = 0xdeadbeef;
+        psa_key_slot_number_t desired_slot_number = 0xb90cc011;
+        psa_key_lifetime_t lifetime =
+            psa_get_key_lifetime( &actual_attributes );
+        psa_status_t status = psa_get_key_slot_number( &actual_attributes,
+                                                       &actual_slot_number );
+        if( lifetime < MIN_DRIVER_LIFETIME )
+        {
+            /* The key is not in a secure element. */
+            TEST_EQUAL( status, PSA_ERROR_INVALID_ARGUMENT );
+        }
+        else
+        {
+            /* The key is in a secure element. If it had been created
+             * in a specific slot, check that it is reported there. */
+            PSA_ASSERT( status );
+            status = psa_get_key_slot_number( reference_attributes,
+                                              &desired_slot_number );
+            if( status == PSA_SUCCESS )
+            {
+                TEST_EQUAL( desired_slot_number, actual_slot_number );
+            }
+        }
+    }
     ok = 1;
 
 exit:
@@ -485,11 +789,14 @@
     /* Test that the key was created in the expected slot. */
     TEST_ASSERT( ram_slots[min_slot].type == PSA_KEY_TYPE_RAW_DATA );
 
-    /* Test the key attributes and the key data. */
+    /* Test the key attributes, including the reported slot number. */
     psa_set_key_bits( &attributes,
                       PSA_BYTES_TO_BITS( sizeof( key_material ) ) );
+    psa_set_key_slot_number( &attributes, min_slot );
     if( ! check_key_attributes( handle, &attributes ) )
         goto exit;
+
+    /* Test the key data. */
     PSA_ASSERT( psa_export_key( handle,
                                 exported, sizeof( exported ),
                                 &exported_length ) );
@@ -497,6 +804,9 @@
                     exported, exported_length );
 
     PSA_ASSERT( psa_destroy_key( handle ) );
+    handle = 0;
+    TEST_EQUAL( psa_open_key( id, &handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
 
     /* Test that the key has been erased from the designated slot. */
     TEST_ASSERT( ram_slots[min_slot].type == 0 );
@@ -509,8 +819,79 @@
 /* END_CASE */
 
 /* BEGIN_CASE */
-void key_creation_smoke( int type_arg, int alg_arg,
-                         data_t *key_material )
+void key_creation_in_chosen_slot( int slot_arg,
+                                  int restart,
+                                  int expected_status_arg )
+{
+    psa_key_slot_number_t wanted_slot = slot_arg;
+    psa_status_t expected_status = expected_status_arg;
+    psa_status_t status;
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    driver.persistent_data_size = sizeof( ram_slot_usage_t );
+    key_management.p_validate_slot_number = ram_validate_slot_number;
+    key_management.p_import = ram_import;
+    key_management.p_destroy = ram_destroy;
+    key_management.p_export = ram_export;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    /* Create a key. */
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+    psa_set_key_slot_number( &attributes, wanted_slot );
+    status = psa_import_key( &attributes,
+                             key_material, sizeof( key_material ),
+                             &handle );
+    TEST_EQUAL( status, expected_status );
+
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    /* Maybe restart, to check that the information is saved correctly. */
+    if( restart )
+    {
+        mbedtls_psa_crypto_free( );
+        PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+        PSA_ASSERT( psa_crypto_init( ) );
+        PSA_ASSERT( psa_open_key( id, &handle ) );
+    }
+
+    /* Test that the key was created in the expected slot. */
+    TEST_EQUAL( ram_slots[wanted_slot].type, PSA_KEY_TYPE_RAW_DATA );
+
+    /* Test that the key is reported with the correct attributes,
+     * including the expected slot. */
+    PSA_ASSERT( psa_get_key_attributes( handle, &attributes ) );
+
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    handle = 0;
+    TEST_EQUAL( psa_open_key( id, &handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
+
+exit:
+    PSA_DONE( );
+    ram_slots_reset( );
+    psa_purge_storage( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void import_key_smoke( int type_arg, int alg_arg,
+                       data_t *key_material )
 {
     psa_key_type_t type = type_arg;
     psa_algorithm_t alg = alg_arg;
@@ -528,6 +909,7 @@
     driver.persistent_data_size = sizeof( psa_key_slot_number_t );
     key_management.p_allocate = counter_allocate;
     key_management.p_import = null_import;
+    key_management.p_destroy = null_destroy;
 
     PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
     PSA_ASSERT( psa_crypto_init( ) );
@@ -559,10 +941,12 @@
 
     /* We're done. */
     PSA_ASSERT( psa_destroy_key( handle ) );
+    handle = 0;
+    TEST_EQUAL( psa_open_key( id, &handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
 
 exit:
     PSA_DONE( );
-    ram_slots_reset( );
     psa_purge_storage( );
 }
 /* END_CASE */
@@ -585,6 +969,7 @@
     driver.key_management = &key_management;
     driver.persistent_data_size = sizeof( psa_key_slot_number_t );
     key_management.p_allocate = counter_allocate;
+    /* No p_generate method */
 
     PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
     PSA_ASSERT( psa_crypto_init( ) );
@@ -598,7 +983,309 @@
 
 exit:
     PSA_DONE( );
+    psa_purge_storage( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void generate_key_smoke( int type_arg, int bits_arg, int alg_arg )
+{
+    psa_key_type_t type = type_arg;
+    psa_key_bits_t bits = bits_arg;
+    psa_algorithm_t alg = alg_arg;
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    driver.persistent_data_size = sizeof( psa_key_slot_number_t );
+    key_management.p_allocate = counter_allocate;
+    key_management.p_generate = null_generate;
+    key_management.p_destroy = null_destroy;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    /* Create a key. */
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes,
+                             PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY |
+                             PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT |
+                             PSA_KEY_USAGE_EXPORT );
+    psa_set_key_algorithm( &attributes, alg );
+    psa_set_key_type( &attributes, type );
+    psa_set_key_bits( &attributes, bits );
+    PSA_ASSERT( psa_generate_key( &attributes, &handle ) );
+
+    /* Do stuff with the key. */
+    if( ! smoke_test_key( handle ) )
+        goto exit;
+
+    /* Restart and try again. */
+    mbedtls_psa_crypto_free( );
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+    PSA_ASSERT( psa_open_key( id, &handle ) );
+    if( ! smoke_test_key( handle ) )
+        goto exit;
+
+    /* We're done. */
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    handle = 0;
+    TEST_EQUAL( psa_open_key( id, &handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
+
+exit:
+    PSA_DONE( );
+    psa_purge_storage( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void sign_verify( int flow,
+                  int type_arg, int alg_arg,
+                  int bits_arg, data_t *key_material,
+                  data_t *input )
+{
+    psa_key_type_t type = type_arg;
+    psa_algorithm_t alg = alg_arg;
+    size_t bits = bits_arg;
+    /* Pass bits=0 to import, bits>0 to fake-generate */
+    int generating = ( bits != 0 );
+
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_drv_se_asymmetric_t asymmetric;
+
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t drv_handle = 0; /* key managed by the driver */
+    psa_key_handle_t sw_handle = 0; /* transparent key */
+    psa_key_attributes_t sw_attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_attributes_t drv_attributes;
+    uint8_t signature[PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE];
+    size_t signature_length;
+
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    memset( &asymmetric, 0, sizeof( asymmetric ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    driver.asymmetric = &asymmetric;
+    driver.persistent_data_size = sizeof( ram_slot_usage_t );
+    key_management.p_allocate = ram_allocate;
+    key_management.p_destroy = ram_destroy;
+    if( generating )
+        key_management.p_generate = ram_fake_generate;
+    else
+        key_management.p_import = ram_import;
+    switch( flow )
+    {
+        case SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:
+            break;
+        case SIGN_IN_DRIVER_AND_PARALLEL_CREATION:
+            asymmetric.p_sign = ram_sign;
+            break;
+        case SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:
+            asymmetric.p_sign = ram_sign;
+            key_management.p_export_public = ram_export_public;
+            break;
+        default:
+            TEST_ASSERT( ! "unsupported flow (should be SIGN_IN_xxx)" );
+            break;
+    }
+    asymmetric.p_verify = ram_verify;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    /* Prepare to create two keys with the same key material: a transparent
+     * key, and one that goes through the driver. */
+    psa_set_key_usage_flags( &sw_attributes,
+                             PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY );
+    psa_set_key_algorithm( &sw_attributes, alg );
+    psa_set_key_type( &sw_attributes, type );
+    drv_attributes = sw_attributes;
+    psa_set_key_id( &drv_attributes, id );
+    psa_set_key_lifetime( &drv_attributes, lifetime );
+
+    /* Create the key in the driver. */
+    if( generating )
+    {
+        psa_set_key_bits( &drv_attributes, bits );
+        PSA_ASSERT( psa_generate_key( &drv_attributes, &drv_handle ) );
+        /* Since we called a generate method that does not actually
+         * generate material, store the desired result of generation in
+         * the mock secure element storage. */
+        PSA_ASSERT( psa_get_key_attributes( drv_handle, &drv_attributes ) );
+        TEST_ASSERT( key_material->len == PSA_BITS_TO_BYTES( bits ) );
+        memcpy( ram_slots[ram_min_slot].content, key_material->x,
+                key_material->len );
+    }
+    else
+    {
+        PSA_ASSERT( psa_import_key( &drv_attributes,
+                                    key_material->x, key_material->len,
+                                    &drv_handle ) );
+    }
+
+    /* Either import the same key in software, or export the driver's
+     * public key and import that. */
+    switch( flow )
+    {
+        case SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:
+        case SIGN_IN_DRIVER_AND_PARALLEL_CREATION:
+            PSA_ASSERT( psa_import_key( &sw_attributes,
+                                        key_material->x, key_material->len,
+                                        &sw_handle ) );
+            break;
+        case SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:
+        {
+            uint8_t public_key[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE( PSA_VENDOR_ECC_MAX_CURVE_BITS )];
+            size_t public_key_length;
+            PSA_ASSERT( psa_export_public_key( drv_handle,
+                                               public_key, sizeof( public_key ),
+                                               &public_key_length ) );
+            psa_set_key_type( &sw_attributes,
+                              PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR( type ) );
+            PSA_ASSERT( psa_import_key( &sw_attributes,
+                                        public_key, public_key_length,
+                                        &sw_handle ) );
+            break;
+        }
+    }
+
+    /* Sign with the chosen key. */
+    switch( flow )
+    {
+        case SIGN_IN_DRIVER_AND_PARALLEL_CREATION:
+        case SIGN_IN_DRIVER_THEN_EXPORT_PUBLIC:
+            PSA_ASSERT_VIA_DRIVER(
+                psa_asymmetric_sign( drv_handle,
+                                     alg,
+                                     input->x, input->len,
+                                     signature, sizeof( signature ),
+                                     &signature_length ),
+                PSA_SUCCESS );
+            break;
+        case SIGN_IN_SOFTWARE_AND_PARALLEL_CREATION:
+            PSA_ASSERT( psa_asymmetric_sign( sw_handle,
+                                             alg,
+                                             input->x, input->len,
+                                             signature, sizeof( signature ),
+                                             &signature_length ) );
+            break;
+    }
+
+    /* Verify with both keys. */
+    PSA_ASSERT( psa_asymmetric_verify( sw_handle, alg,
+                                       input->x, input->len,
+                                       signature, signature_length ) );
+    PSA_ASSERT_VIA_DRIVER(
+        psa_asymmetric_verify( drv_handle, alg,
+                               input->x, input->len,
+                               signature, signature_length ),
+        PSA_SUCCESS );
+
+    /* Change the signature and verify again. */
+    signature[0] ^= 1;
+    TEST_EQUAL( psa_asymmetric_verify( sw_handle, alg,
+                                       input->x, input->len,
+                                       signature, signature_length ),
+                PSA_ERROR_INVALID_SIGNATURE );
+    PSA_ASSERT_VIA_DRIVER(
+        psa_asymmetric_verify( drv_handle, alg,
+                               input->x, input->len,
+                               signature, signature_length ),
+        PSA_ERROR_INVALID_SIGNATURE );
+
+exit:
+    psa_destroy_key( drv_handle );
+    psa_destroy_key( sw_handle );
+    PSA_DONE( );
     ram_slots_reset( );
     psa_purge_storage( );
 }
 /* END_CASE */
+
+/* BEGIN_CASE */
+void register_key_smoke_test( int lifetime_arg,
+                              int validate,
+                              int expected_status_arg )
+{
+    psa_key_lifetime_t lifetime = lifetime_arg;
+    psa_status_t expected_status = expected_status_arg;
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_id_t id = 1;
+    size_t bit_size = 48;
+    psa_key_slot_number_t wanted_slot = 0x123456789;
+    psa_key_handle_t handle = 0;
+    psa_status_t status;
+
+    memset( &driver, 0, sizeof( driver ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.key_management = &key_management;
+    key_management.p_destroy = null_destroy;
+    if( validate >= 0 )
+    {
+        key_management.p_validate_slot_number = validate_slot_number_as_directed;
+        validate_slot_number_directions.slot_number = wanted_slot;
+        validate_slot_number_directions.method = PSA_KEY_CREATION_REGISTER;
+        validate_slot_number_directions.status =
+            ( validate > 0 ? PSA_SUCCESS : PSA_ERROR_NOT_PERMITTED );
+    }
+
+    PSA_ASSERT( psa_register_se_driver( MIN_DRIVER_LIFETIME, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+    psa_set_key_bits( &attributes, bit_size );
+    psa_set_key_slot_number( &attributes, wanted_slot );
+
+    status = mbedtls_psa_register_se_key( &attributes );
+    TEST_EQUAL( status, expected_status );
+
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    /* Test that the key exists and has the expected attributes. */
+    PSA_ASSERT( psa_open_key( id, &handle ) );
+    if( ! check_key_attributes( handle, &attributes ) )
+        goto exit;
+    PSA_ASSERT( psa_close_key( handle ) );
+
+    /* Restart and try again. */
+    PSA_DONE( );
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+    PSA_ASSERT( psa_open_key( id, &handle ) );
+    if( ! check_key_attributes( handle, &attributes ) )
+        goto exit;
+    /* This time, destroy the key. */
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    handle = 0;
+    TEST_EQUAL( psa_open_key( id, &handle ),
+                PSA_ERROR_DOES_NOT_EXIST );
+
+exit:
+    psa_reset_key_attributes( &attributes );
+    psa_destroy_key( handle );
+    PSA_DONE( );
+    psa_purge_storage( );
+    memset( &validate_slot_number_directions, 0,
+            sizeof( validate_slot_number_directions ) );
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.data b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.data
new file mode 100644
index 0000000..dba6875
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.data
@@ -0,0 +1,47 @@
+SE key importing mock test
+mock_import:PSA_SUCCESS:PSA_SUCCESS:0:PSA_SUCCESS
+
+SE key importing mock test: max key bits
+mock_import:PSA_SUCCESS:PSA_SUCCESS:PSA_MAX_KEY_BITS:PSA_SUCCESS
+
+SE key importing mock test: more than max key bits
+mock_import:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_MAX_KEY_BITS+1:PSA_ERROR_NOT_SUPPORTED
+
+SE key importing mock test: alloc failed
+mock_import:PSA_ERROR_HARDWARE_FAILURE:PSA_SUCCESS:0:PSA_ERROR_HARDWARE_FAILURE
+
+SE key importing mock test: import failed
+mock_import:PSA_SUCCESS:PSA_ERROR_HARDWARE_FAILURE:0:PSA_ERROR_HARDWARE_FAILURE
+
+SE key exporting mock test
+mock_export:PSA_SUCCESS:PSA_SUCCESS
+
+SE key exporting mock test: export failed
+mock_export:PSA_ERROR_HARDWARE_FAILURE:PSA_ERROR_HARDWARE_FAILURE
+
+SE public key exporting mock test
+mock_export_public:PSA_SUCCESS:PSA_SUCCESS
+
+SE public key exporting mock test: export failed
+mock_export_public:PSA_ERROR_HARDWARE_FAILURE:PSA_ERROR_HARDWARE_FAILURE
+
+SE key generating mock test
+mock_generate:PSA_SUCCESS:PSA_SUCCESS:PSA_SUCCESS
+
+SE key generating mock test: alloc failed
+mock_generate:PSA_ERROR_HARDWARE_FAILURE:PSA_SUCCESS:PSA_ERROR_HARDWARE_FAILURE
+
+SE key generating mock test: generating failed
+mock_generate:PSA_SUCCESS:PSA_ERROR_HARDWARE_FAILURE:PSA_ERROR_HARDWARE_FAILURE
+
+SE signing mock test
+mock_sign:PSA_SUCCESS:PSA_SUCCESS
+
+SE signing mock test: sign failed
+mock_sign:PSA_ERROR_HARDWARE_FAILURE:PSA_ERROR_HARDWARE_FAILURE
+
+SE verification mock test
+mock_verify:PSA_SUCCESS:PSA_SUCCESS
+
+SE verification mock test: verify failed
+mock_verify:PSA_ERROR_HARDWARE_FAILURE:PSA_ERROR_HARDWARE_FAILURE
diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
new file mode 100644
index 0000000..e364178
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function
@@ -0,0 +1,581 @@
+/* BEGIN_HEADER */
+#include "psa_crypto_helpers.h"
+#include "psa/crypto_se_driver.h"
+
+#include "psa_crypto_se.h"
+#include "psa_crypto_storage.h"
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t key_slot;
+    psa_key_attributes_t attributes;
+    size_t pubkey_size;
+    psa_status_t return_value;
+} mock_generate_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t key_slot;
+    psa_key_attributes_t attributes;
+    size_t bits;
+    size_t data_length;
+    psa_status_t return_value;
+} mock_import_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t slot_number;
+    size_t data_size;
+    psa_status_t return_value;
+} mock_export_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t slot_number;
+    size_t data_size;
+    psa_status_t return_value;
+} mock_export_public_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t key_slot;
+    psa_algorithm_t alg;
+    size_t hash_length;
+    size_t signature_size;
+    psa_status_t return_value;
+} mock_sign_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t key_slot;
+    psa_algorithm_t alg;
+    size_t hash_length;
+    size_t signature_length;
+    psa_status_t return_value;
+} mock_verify_data;
+
+static struct
+{
+    uint16_t called;
+    psa_status_t return_value;
+} mock_allocate_data;
+
+static struct
+{
+    uint16_t called;
+    psa_key_slot_number_t slot_number;
+    psa_status_t return_value;
+} mock_destroy_data;
+
+#define MAX_KEY_ID_FOR_TEST 10
+static void psa_purge_storage( void )
+{
+    psa_key_id_t id;
+    psa_key_lifetime_t lifetime;
+    /* The tests may have potentially created key ids from 1 to
+     * MAX_KEY_ID_FOR_TEST. In addition, run the destroy function on key id
+     * 0, which file-based storage uses as a temporary file. */
+    for( id = 0; id <= MAX_KEY_ID_FOR_TEST; id++ )
+        psa_destroy_persistent_key( id );
+    /* Purge the transaction file. */
+    psa_crypto_stop_transaction( );
+    /* Purge driver persistent data. */
+    for( lifetime = 0; lifetime < PSA_MAX_SE_LIFETIME; lifetime++ )
+        psa_destroy_se_persistent_data( lifetime );
+}
+
+static void mock_teardown( void )
+{
+    memset( &mock_import_data, 0, sizeof( mock_import_data ) );
+    memset( &mock_export_data, 0, sizeof( mock_export_data ) );
+    memset( &mock_export_public_data, 0, sizeof( mock_export_public_data ) );
+    memset( &mock_sign_data, 0, sizeof( mock_sign_data ) );
+    memset( &mock_verify_data, 0, sizeof( mock_verify_data ) );
+    memset( &mock_allocate_data, 0, sizeof( mock_allocate_data ) );
+    memset( &mock_destroy_data, 0, sizeof( mock_destroy_data ) );
+    memset( &mock_generate_data, 0, sizeof( mock_generate_data ) );
+    psa_purge_storage( );
+}
+
+static psa_status_t mock_generate( psa_drv_se_context_t *drv_context,
+                                   psa_key_slot_number_t key_slot,
+                                   const psa_key_attributes_t *attributes,
+                                   uint8_t *pubkey,
+                                   size_t pubkey_size,
+                                   size_t *pubkey_length )
+{
+    (void) drv_context;
+    (void) pubkey;
+    (void) pubkey_length;
+
+    mock_generate_data.called++;
+    mock_generate_data.key_slot = key_slot;
+    mock_generate_data.attributes = *attributes;
+    mock_generate_data.pubkey_size = pubkey_size;
+
+    return( mock_generate_data.return_value );
+}
+
+static psa_status_t mock_import( psa_drv_se_context_t *drv_context,
+                                 psa_key_slot_number_t key_slot,
+                                 const psa_key_attributes_t *attributes,
+                                 const uint8_t *data,
+                                 size_t data_length,
+                                 size_t *bits )
+{
+    (void) drv_context;
+    (void) data;
+
+    *bits = mock_import_data.bits;
+
+    mock_import_data.called++;
+    mock_import_data.key_slot = key_slot;
+    mock_import_data.attributes = *attributes;
+    mock_import_data.data_length = data_length;
+
+    return( mock_import_data.return_value );
+}
+
+psa_status_t mock_export( psa_drv_se_context_t *context,
+                          psa_key_slot_number_t slot_number,
+                          uint8_t *p_data,
+                          size_t data_size,
+                          size_t *p_data_length )
+{
+    (void) context;
+    (void) p_data;
+    (void) p_data_length;
+
+    mock_export_data.called++;
+    mock_export_data.slot_number = slot_number;
+    mock_export_data.data_size = data_size;
+
+    return( mock_export_data.return_value );
+}
+
+psa_status_t mock_export_public( psa_drv_se_context_t *context,
+                                 psa_key_slot_number_t slot_number,
+                                 uint8_t *p_data,
+                                 size_t data_size,
+                                 size_t *p_data_length )
+{
+    (void) context;
+    (void) p_data;
+    (void) p_data_length;
+
+    mock_export_public_data.called++;
+    mock_export_public_data.slot_number = slot_number;
+    mock_export_public_data.data_size = data_size;
+
+    return( mock_export_public_data.return_value );
+}
+
+psa_status_t mock_sign( psa_drv_se_context_t *context,
+                        psa_key_slot_number_t key_slot,
+                        psa_algorithm_t alg,
+                        const uint8_t *p_hash,
+                        size_t hash_length,
+                        uint8_t *p_signature,
+                        size_t signature_size,
+                        size_t *p_signature_length )
+{
+    (void) context;
+    (void) p_hash;
+    (void) p_signature;
+    (void) p_signature_length;
+
+    mock_sign_data.called++;
+    mock_sign_data.key_slot = key_slot;
+    mock_sign_data.alg = alg;
+    mock_sign_data.hash_length = hash_length;
+    mock_sign_data.signature_size = signature_size;
+
+    return mock_sign_data.return_value;
+}
+
+psa_status_t mock_verify( psa_drv_se_context_t *context,
+                          psa_key_slot_number_t key_slot,
+                          psa_algorithm_t alg,
+                          const uint8_t *p_hash,
+                          size_t hash_length,
+                          const uint8_t *p_signature,
+                          size_t signature_length )
+{
+    (void) context;
+    (void) p_hash;
+    (void) p_signature;
+
+    mock_verify_data.called++;
+    mock_verify_data.key_slot = key_slot;
+    mock_verify_data.alg = alg;
+    mock_verify_data.hash_length = hash_length;
+    mock_verify_data.signature_length = signature_length;
+
+    return mock_verify_data.return_value;
+}
+
+psa_status_t mock_allocate( psa_drv_se_context_t *drv_context,
+                            void *persistent_data,
+                            const psa_key_attributes_t *attributes,
+                            psa_key_creation_method_t method,
+                            psa_key_slot_number_t *key_slot )
+{
+    (void) drv_context;
+    (void) persistent_data;
+    (void) attributes;
+    (void) method;
+    (void) key_slot;
+
+    mock_allocate_data.called++;
+    *key_slot = 0;
+
+    return( mock_allocate_data.return_value );
+}
+
+psa_status_t mock_destroy( psa_drv_se_context_t *context,
+                           void *persistent_data,
+                           psa_key_slot_number_t slot_number )
+{
+    (void) context;
+    (void) persistent_data;
+
+    mock_destroy_data.called++;
+    mock_destroy_data.slot_number = slot_number;
+
+    return( mock_destroy_data.return_value );
+}
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_SE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mock_import( int mock_alloc_return_value,
+                  int mock_import_return_value,
+                  int bits,
+                  int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+
+    mock_allocate_data.return_value = mock_alloc_return_value;
+    mock_import_data.return_value = mock_import_return_value;
+    mock_import_data.bits = bits;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    key_management.p_import = mock_import;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+    TEST_ASSERT( psa_import_key( &attributes,
+                                 key_material, sizeof( key_material ),
+                                 &handle ) == expected_result );
+
+    TEST_ASSERT( mock_allocate_data.called == 1 );
+    TEST_ASSERT( mock_import_data.called ==
+        ( mock_alloc_return_value == PSA_SUCCESS? 1 : 0 ) );
+    TEST_ASSERT( mock_import_data.attributes.core.id ==
+        ( mock_alloc_return_value == PSA_SUCCESS? id : 0 ) );
+    TEST_ASSERT( mock_import_data.attributes.core.lifetime ==
+        ( mock_alloc_return_value == PSA_SUCCESS? lifetime : 0 ) );
+    TEST_ASSERT( mock_import_data.attributes.core.policy.usage ==
+        ( mock_alloc_return_value == PSA_SUCCESS? PSA_KEY_USAGE_EXPORT : 0 ) );
+    TEST_ASSERT( mock_import_data.attributes.core.type ==
+        ( mock_alloc_return_value == PSA_SUCCESS? PSA_KEY_TYPE_RAW_DATA : 0 ) );
+
+    if( expected_result == PSA_SUCCESS )
+    {
+        PSA_ASSERT( psa_destroy_key( handle ) );
+        TEST_ASSERT( mock_destroy_data.called == 1 );
+    }
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mock_export( int mock_export_return_value, int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+    uint8_t exported[sizeof( key_material )];
+    size_t exported_length;
+
+    mock_export_data.return_value = mock_export_return_value;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    key_management.p_import = mock_import;
+    key_management.p_export = mock_export;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+    PSA_ASSERT( psa_import_key( &attributes,
+                                key_material, sizeof( key_material ),
+                                &handle ) );
+
+    TEST_ASSERT( psa_export_key( handle,
+                                exported, sizeof( exported ),
+                                &exported_length ) == expected_result );
+
+    TEST_ASSERT( mock_export_data.called == 1 );
+
+    PSA_ASSERT( psa_destroy_key( handle ) );
+
+    TEST_ASSERT( mock_destroy_data.called == 1 );
+
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mock_generate( int mock_alloc_return_value,
+                    int mock_generate_return_value,
+                    int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+    mock_allocate_data.return_value = mock_alloc_return_value;
+    mock_generate_data.return_value = mock_generate_return_value;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    key_management.p_generate = mock_generate;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+    TEST_ASSERT( psa_generate_key( &attributes, &handle ) == expected_result );
+    TEST_ASSERT( mock_allocate_data.called == 1 );
+    TEST_ASSERT( mock_generate_data.called ==
+        ( mock_alloc_return_value == PSA_SUCCESS? 1 : 0 ) );
+    TEST_ASSERT( mock_generate_data.attributes.core.id ==
+        ( mock_alloc_return_value == PSA_SUCCESS? id : 0 ) );
+    TEST_ASSERT( mock_generate_data.attributes.core.lifetime ==
+        ( mock_alloc_return_value == PSA_SUCCESS? lifetime : 0 ) );
+    TEST_ASSERT( mock_generate_data.attributes.core.policy.usage ==
+        ( mock_alloc_return_value == PSA_SUCCESS? PSA_KEY_USAGE_EXPORT : 0 ) );
+    TEST_ASSERT( mock_generate_data.attributes.core.type ==
+        ( mock_alloc_return_value == PSA_SUCCESS? PSA_KEY_TYPE_RAW_DATA : 0 ) );
+
+    if( expected_result == PSA_SUCCESS )
+    {
+        PSA_ASSERT( psa_destroy_key( handle ) );
+        TEST_ASSERT( mock_destroy_data.called == 1 );
+    }
+
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mock_export_public( int mock_export_public_return_value,
+                         int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+    uint8_t exported[sizeof( key_material )];
+    size_t exported_length;
+
+    mock_export_public_data.return_value = mock_export_public_return_value;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+    driver.key_management = &key_management;
+    key_management.p_import = mock_import;
+    key_management.p_export_public = mock_export_public;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
+
+    PSA_ASSERT( psa_import_key( &attributes,
+                                key_material, sizeof( key_material ),
+                                &handle ) );
+
+    TEST_ASSERT( psa_export_public_key( handle, exported, sizeof(exported),
+                                        &exported_length ) == expected_result );
+    TEST_ASSERT( mock_export_public_data.called == 1 );
+
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    TEST_ASSERT( mock_destroy_data.called == 1 );
+
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mock_sign( int mock_sign_return_value, int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_drv_se_asymmetric_t asymmetric;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+    psa_algorithm_t algorithm = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+    size_t signature_length;
+
+    mock_sign_data.return_value = mock_sign_return_value;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    memset( &asymmetric, 0, sizeof( asymmetric ) );
+
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+
+    driver.key_management = &key_management;
+    key_management.p_import = mock_import;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    driver.asymmetric = &asymmetric;
+    asymmetric.p_sign = mock_sign;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN );
+    psa_set_key_algorithm( &attributes, algorithm );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_KEY_PAIR );
+
+    PSA_ASSERT( psa_import_key( &attributes,
+                                key_material, sizeof( key_material ),
+                                &handle ) );
+
+    TEST_ASSERT( psa_asymmetric_sign( handle, algorithm, NULL, 0, NULL, 0,
+                                      &signature_length)
+                 == expected_result );
+    TEST_ASSERT( mock_sign_data.called == 1 );
+
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    TEST_ASSERT( mock_destroy_data.called == 1 );
+
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mock_verify( int mock_verify_return_value, int expected_result )
+{
+    psa_drv_se_t driver;
+    psa_drv_se_key_management_t key_management;
+    psa_drv_se_asymmetric_t asymmetric;
+    psa_key_lifetime_t lifetime = 2;
+    psa_key_id_t id = 1;
+    psa_key_handle_t handle = 0;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    const uint8_t key_material[3] = {0xfa, 0xca, 0xde};
+    psa_algorithm_t algorithm = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
+
+    mock_verify_data.return_value = mock_verify_return_value;
+    memset( &driver, 0, sizeof( driver ) );
+    memset( &key_management, 0, sizeof( key_management ) );
+    memset( &asymmetric, 0, sizeof( asymmetric ) );
+
+    driver.hal_version = PSA_DRV_SE_HAL_VERSION;
+
+    driver.key_management = &key_management;
+    key_management.p_import = mock_import;
+    key_management.p_destroy = mock_destroy;
+    key_management.p_allocate = mock_allocate;
+
+    driver.asymmetric = &asymmetric;
+    asymmetric.p_verify = mock_verify;
+
+    PSA_ASSERT( psa_register_se_driver( lifetime, &driver ) );
+    PSA_ASSERT( psa_crypto_init( ) );
+
+    psa_set_key_id( &attributes, id );
+    psa_set_key_lifetime( &attributes, lifetime );
+    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY );
+    psa_set_key_algorithm( &attributes, algorithm );
+    psa_set_key_type( &attributes, PSA_KEY_TYPE_RAW_DATA );
+
+    PSA_ASSERT( psa_import_key( &attributes,
+                                key_material, sizeof( key_material ),
+                                &handle ) );
+
+    TEST_ASSERT( psa_asymmetric_verify( handle, algorithm, NULL, 0, NULL, 0)
+                 == expected_result );
+    TEST_ASSERT( mock_verify_data.called == 1 );
+
+    PSA_ASSERT( psa_destroy_key( handle ) );
+    TEST_ASSERT( mock_destroy_data.called == 1 );
+
+exit:
+    PSA_DONE( );
+    mock_teardown( );
+}
+/* END_CASE */