diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 96a3e437d..9a75c02f1 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1468,6 +1468,19 @@
  */
 //#define MBEDTLS_PSA_INJECT_ENTROPY
 
+/**
+ * \def MBEDTLS_PSA_COPY_CALLER_BUFFERS
+ *
+ * Make local copies of buffers supplied by the callers of PSA functions.
+ *
+ * This should be enabled whenever caller-supplied buffers are owned by
+ * an untrusted party, for example where arguments to PSA calls are passed
+ * across a trust boundary.
+ *
+ * Note: Enabling this option increases memory usage and code size.
+ */
+#define MBEDTLS_PSA_COPY_CALLER_BUFFERS
+
 /**
  * \def MBEDTLS_RSA_NO_CRT
  *
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 070484cf9..667d4f407 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -110,6 +110,7 @@ mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
     if (global_data.initialized == 0) \
     return PSA_ERROR_BAD_STATE;
 
+#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)
 /* Substitute an input buffer for a local copy of itself.
  * Assumptions:
  * - psa_status_t status exists
@@ -147,6 +148,12 @@ mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
         if (local_output_free_status != PSA_SUCCESS) { \
             status = local_output_free_status; \
         }
+#else /* MBEDTLS_PSA_COPY_CALLER_BUFFERS */
+#define SWAP_FOR_LOCAL_INPUT(input, length)
+#define FREE_LOCAL_INPUT(input)
+#define SWAP_FOR_LOCAL_OUTPUT(output, length)
+#define FREE_LOCAL_OUTPUT(output)
+#endif /* MBEDTLS_PSA_COPY_CALLER_BUFFERS */
 
 int psa_can_do_hash(psa_algorithm_t hash_alg)
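Review bot: The new option is switched on (`#define MBEDTLS_PSA_COPY_CALLER_BUFFERS`) while the neighbouring `//#define MBEDTLS_PSA_INJECT_ENTROPY` follows the file's commented-out-by-default pattern, and the comment's own note says the option costs memory and code size; the doc should say that on-by-default is deliberate and state concretely what the copy protects against (presumably the library reading or writing a buffer that its untrusted owner can change while the call is in progress), so integrators know when disabling it is safe. Suggested lines after the trust-boundary paragraph: ` * Without this option the library works on caller memory in place, so data` / ` * that is validated and then used may be changed by the caller in between.` If the other options in this file carry a Requires: line, this one presumably depends on the PSA crypto module and should list it in the same way.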
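Review bot: The `#if defined(MBEDTLS_PSA_COPY_CALLER_BUFFERS)` opened here is closed in the following hunk, where the four disabled-configuration fallbacks expand to nothing, so a call site written as `SWAP_FOR_LOCAL_INPUT(input, length);` reduces to a bare `;` and an unbraced `if (...) SWAP_FOR_LOCAL_INPUT(...);` would trip -Wempty-body under the warnings-as-errors builds this library uses. Defining each fallback as a statement, `#define SWAP_FOR_LOCAL_INPUT(input, length) do { } while (0)` and likewise for `FREE_LOCAL_INPUT`, `SWAP_FOR_LOCAL_OUTPUT` and `FREE_LOCAL_OUTPUT`, keeps the two configurations syntactically interchangeable. The call sites are not in this diff, so whether any is unbraced cannot be confirmed here. The "Assumptions" comment on the copying macros continues past this hunk; a short remark there that the disabled build makes all four macros no-ops would tell a reader that `status` and the exit path are untouched in that configuration.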