diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000000000..d25c9a6b6
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "crypto"]
+	path = crypto
+	url = git@github.com:ARMmbed/mbedtls-psa.git
+	branch = feature-psa
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 06f897e13..19ab4eb5f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,6 +9,7 @@ option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library.
 option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
 
 option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
+option(USE_CRYPTO_SUBMODULE "Build and use libmbedcrypto from the crypto submodule." OFF)
 
 option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
 
@@ -177,6 +178,10 @@ endif(ENABLE_ZLIB_SUPPORT)
 
 add_subdirectory(library)
 add_subdirectory(include)
+if(USE_CRYPTO_SUBMODULE)
+    add_subdirectory(crypto/library)
+    add_subdirectory(crypto/include)
+endif()
 
 if(ENABLE_PROGRAMS)
     add_subdirectory(programs)
diff --git a/Makefile b/Makefile
index f4c0a0021..87b5a0c0f 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,13 @@ install: no_test
 	mkdir -p $(DESTDIR)/lib
 	cp -RP library/libmbedtls.*    $(DESTDIR)/lib
 	cp -RP library/libmbedx509.*   $(DESTDIR)/lib
+ifdef USE_CRYPTO_SUBMODULE
+	mkdir -p $(DESTDIR)/include/psa
+	cp -rp crypto/include/psa $(DESTDIR)/include
+	cp -RP crypto/library/libmbedcrypto.* $(DESTDIR)/lib
+else
 	cp -RP library/libmbedcrypto.* $(DESTDIR)/lib
+endif
 
 	mkdir -p $(DESTDIR)/bin
 	for p in programs/*/* ; do              \
@@ -44,6 +50,9 @@ uninstall:
 	rm -f $(DESTDIR)/lib/libmbedtls.*
 	rm -f $(DESTDIR)/lib/libmbedx509.*
 	rm -f $(DESTDIR)/lib/libmbedcrypto.*
+ifdef USE_CRYPTO_SUBMODULE
+	$(MAKE) -C crypto uninstall
+endif
 
 	for p in programs/*/* ; do              \
 	    if [ -x $$p ] && [ ! -d $$p ] ;     \
@@ -85,6 +94,9 @@ clean:
 	$(MAKE) -C library clean
 	$(MAKE) -C programs clean
 	$(MAKE) -C tests clean
+ifdef USE_CRYPTO_SUBMODULE
+	$(MAKE) -C crypto clean
+endif
 ifndef WINDOWS
 	find . \( -name \*.gcno -o -name \*.gcda -o -name \*.info \) -exec rm {} +
 endif
diff --git a/crypto b/crypto
new file mode 160000
index 000000000..dbb83ac5f
--- /dev/null
+++ b/crypto
@@ -0,0 +1 @@
+Subproject commit dbb83ac5f7b96077b21fc9fe72b2687986acf963
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index da1eb6426..cab8c27c4 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -140,48 +140,80 @@ elseif(USE_STATIC_MBEDTLS_LIBRARY)
 endif()
 
 if(USE_STATIC_MBEDTLS_LIBRARY)
-    add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
-    set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
-    target_link_libraries(${mbedcrypto_static_target} ${libs})
-    target_include_directories(${mbedcrypto_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    if(NOT USE_CRYPTO_SUBMODULE)
+        add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
+        set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
+        target_link_libraries(${mbedcrypto_static_target} ${libs})
+        target_include_directories(${mbedcrypto_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    endif()
 
     add_library(${mbedx509_static_target} STATIC ${src_x509})
     set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
     target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target})
-    target_include_directories(${mbedx509_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    target_include_directories(${mbedx509_static_target}
+        PUBLIC ${CMAKE_SOURCE_DIR}/include/
+        PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
 
     add_library(${mbedtls_static_target} STATIC ${src_tls})
     set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
     target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target})
-    target_include_directories(${mbedtls_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    target_include_directories(${mbedtls_static_target}
+        PUBLIC ${CMAKE_SOURCE_DIR}/include/
+        PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/
+        )
 
-    install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target}
-            DESTINATION ${LIB_INSTALL_DIR}
-            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    if(USE_CRYPTO_SUBMODULE)
+        install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target}
+                DESTINATION ${LIB_INSTALL_DIR}
+                PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    else()
+        install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target}
+                DESTINATION ${LIB_INSTALL_DIR}
+                PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    endif()
 endif(USE_STATIC_MBEDTLS_LIBRARY)
 
 if(USE_SHARED_MBEDTLS_LIBRARY)
-    add_library(mbedcrypto SHARED ${src_crypto})
-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.0 SOVERSION 3)
-    target_link_libraries(mbedcrypto ${libs})
-    target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    if(NOT USE_CRYPTO_SUBMODULE)
+        add_library(mbedcrypto SHARED ${src_crypto})
+        set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.0 SOVERSION 3)
+        target_link_libraries(mbedcrypto ${libs})
+        target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    endif()
 
     add_library(mbedx509 SHARED ${src_x509})
     set_target_properties(mbedx509 PROPERTIES VERSION 2.14.0 SOVERSION 0)
     target_link_libraries(mbedx509 ${libs} mbedcrypto)
-    target_include_directories(mbedx509 PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    target_include_directories(mbedx509
+        PUBLIC ${CMAKE_SOURCE_DIR}/include/
+        PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
 
     add_library(mbedtls SHARED ${src_tls})
     set_target_properties(mbedtls PROPERTIES VERSION 2.14.0 SOVERSION 12)
     target_link_libraries(mbedtls ${libs} mbedx509)
-    target_include_directories(mbedtls PUBLIC ${CMAKE_SOURCE_DIR}/include/)
+    target_include_directories(mbedtls
+        PUBLIC ${CMAKE_SOURCE_DIR}/include/
+        PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
 
-    install(TARGETS mbedtls mbedx509 mbedcrypto
-            DESTINATION ${LIB_INSTALL_DIR}
-            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    if(USE_CRYPTO_SUBMODULE)
+        install(TARGETS mbedtls mbedx509
+                DESTINATION ${LIB_INSTALL_DIR}
+                PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    else()
+        install(TARGETS mbedtls mbedx509 mbedcrypto
+                DESTINATION ${LIB_INSTALL_DIR}
+                PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+    endif()
 endif(USE_SHARED_MBEDTLS_LIBRARY)
 
-add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
-if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
-    add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)
+if(USE_CRYPTO_SUBMODULE)
+    add_custom_target(lib DEPENDS mbedx509 mbedtls)
+    if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+        add_dependencies(lib mbedx509_static mbedtls_static)
+    endif()
+else()
+    add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
+    if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+        add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)
+    endif()
 endif()
diff --git a/library/Makefile b/library/Makefile
index 430c59881..f01b1a150 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -63,6 +63,13 @@ DLEXT = dylib
 endif
 endif
 
+
+ifdef USE_CRYPTO_SUBMODULE
+# Look in crypto for libmbedcrypto.
+LOCAL_LDFLAGS += -L../crypto/library
+LOCAL_CFLAGS += -I../crypto/include
+CRYPTO := ../crypto/library/
+else
 OBJS_CRYPTO=	aes.o		aesni.o		arc4.o		\
 		aria.o		asn1parse.o	asn1write.o	\
 		base64.o	bignum.o	blowfish.o	\
@@ -85,6 +92,8 @@ OBJS_CRYPTO=	aes.o		aesni.o		arc4.o		\
 		sha1.o		sha256.o	sha512.o	\
 		threading.o	timing.o	version.o	\
 		version_features.o		xtea.o
+CRYPTO :=
+endif
 
 OBJS_X509=	certs.o		pkcs11.o	x509.o		\
 		x509_create.o	x509_crl.o	x509_crt.o	\
@@ -148,7 +157,7 @@ ifneq ($(APPLE_BUILD),0)
 endif
 endif
 
-libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+libmbedx509.$(SOEXT_X509): $(OBJS_X509) $(CRYPTO)libmbedcrypto.so
 	echo "  LD    $@"
 	$(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509)
 
@@ -165,6 +174,10 @@ libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
 	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_X509) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
 
 # crypto
+ifdef USE_CRYPTO_SUBMODULE
+libmbedcrypto.%:
+	$(MAKE) CRYPTO_INCLUDES:="-I../../include -I../include" -C ../crypto/library $@
+else
 libmbedcrypto.a: $(OBJS_CRYPTO)
 	echo "  AR    $@"
 	$(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO)
@@ -190,6 +203,7 @@ libmbedcrypto.dylib: $(OBJS_CRYPTO)
 libmbedcrypto.dll: $(OBJS_CRYPTO)
 	echo "  LD    $@"
 	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_CRYPTO) -lws2_32 -lwinmm -lgdi32 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+endif
 
 .c.o:
 	echo "  CC    $<"
diff --git a/programs/Makefile b/programs/Makefile
index b6d1fa25b..d379ddf20 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -14,6 +14,10 @@ LOCAL_LDFLAGS = -L../library 			\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
 
+ifdef USE_CRYPTO_SUBMODULE
+LOCAL_LDFLAGS += -L../crypto/library
+endif
+
 ifndef SHARED
 DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
 else
diff --git a/tests/Makefile b/tests/Makefile
index b6e49bf8a..4118c1439 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,15 +12,22 @@ LOCAL_LDFLAGS = -L../library			\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
 
+ifdef USE_CRYPTO_SUBMODULE
+LOCAL_LDFLAGS += -L../crypto/library
+CRYPTO := ../crypto/library/
+else
+CRYPTO := ../library/
+endif
+
 # Enable definition of various functions used throughout the testsuite
 # (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
 # on non-POSIX platforms.
 LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L
 
 ifndef SHARED
-DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
+DEP=$(CRYPTO)libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
 else
-DEP=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
+DEP=$(CRYPTO)libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
 endif
 
 ifdef DEBUG
diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl
index 6fe6abfa5..4e576582f 100755
--- a/tests/scripts/run-test-suites.pl
+++ b/tests/scripts/run-test-suites.pl
@@ -41,8 +41,8 @@ my @suites = grep { -x $_ || /\.exe$/ } glob 'test_suite_*';
 die "$0: no test suite found\n" unless @suites;
 
 # in case test suites are linked dynamically
-$ENV{'LD_LIBRARY_PATH'} = '../library';
-$ENV{'DYLD_LIBRARY_PATH'} = '../library';
+$ENV{'LD_LIBRARY_PATH'} = '../library:../crypto/library';
+$ENV{'DYLD_LIBRARY_PATH'} = '../library:../crypto/library';
 
 my $prefix = $^O eq "MSWin32" ? '' : './';