diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..1946491
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "ext/mbedtls"]
+	path = ext/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git
diff --git a/docs/getting_started/obtain.rst b/docs/getting_started/obtain.rst
index cffab2d..68b4072 100644
--- a/docs/getting_started/obtain.rst
+++ b/docs/getting_started/obtain.rst
@@ -5,7 +5,9 @@
 
 ::
 
-    git clone https://git.trustedfirmware.org/TF-A/tf-a-tests.git
+    git clone --recursive https://git.trustedfirmware.org/TF-A/tf-a-tests.git
+
+Note that TF-A-Tests will also fetch the MbedTLS repo as a git submodule.
 
 --------------
 
diff --git a/docs/getting_started/requirements.rst b/docs/getting_started/requirements.rst
index 553975f..d94e0cf 100644
--- a/docs/getting_started/requirements.rst
+++ b/docs/getting_started/requirements.rst
@@ -16,6 +16,18 @@
 distributions should also work fine, provided that the tools and libraries
 can be installed.
 
+Dependencies
+------------
+
+This section lists the dependencies for TF-A-Tests which are added as
+as a git submodule.
+
+======================== =====================
+        Name             Version
+======================== =====================
+Mbed TLS                 3.6.3
+======================== =====================
+
 Toolchain
 ---------
 
diff --git a/ext/mbedtls b/ext/mbedtls
new file mode 160000
index 0000000..22098d4
--- /dev/null
+++ b/ext/mbedtls
@@ -0,0 +1 @@
+Subproject commit 22098d41c6620ce07cf8a0134d37302355e1e5ef
diff --git a/include/configs/tftf_mbedtls_config.h b/include/configs/tftf_mbedtls_config.h
new file mode 100644
index 0000000..9ad0b71
--- /dev/null
+++ b/include/configs/tftf_mbedtls_config.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/*
+ * Based on migration guide[1]:
+ *
+ * config.h was split into build_info.h and mbedtls_config.h. In code, use
+ * #include <mbedtls/build_info.h>. Don't include mbedtls/config.h and don't
+ * refer to MBEDTLS_CONFIG_FILE. And also the guide recommends, if you have a
+ * custom configuration file don't define MBEDTLS_CONFIG_H anymore.
+ *
+ * [1] https://github.com/Mbed-TLS/mbedtls/blob/v3.6.0/docs/3.0-migration-guide.md
+ */
+
+#include <limits.h>
+/* This is needed for size_t */
+#include <stddef.h>
+/* For snprintf function declaration */
+#include <stdio.h>
+
+/* This file is compatible with release 3.6.3 */
+#define MBEDTLS_CONFIG_VERSION         0x03060300
+
+/* Configuration file to build mbed TLS with the required features for TFTF */
+#define MBEDTLS_PLATFORM_MEMORY
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+#define MBEDTLS_CIPHER_C
+
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_RESTARTABLE
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_ECP_WINDOW_SIZE		(2U)	/* Valid range = [2,7] */
+
+/*
+ * This is enabled in TFTF as PSA calls are made within the trust boundary.
+ * Disabling this option causes mbedtls to create a local copy of input buffer
+ * using buffer_alloc_calloc().
+ */
+#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+
+#define MBEDTLS_ERROR_C
+
+#define MBEDTLS_HKDF_C
+#define MBEDTLS_HMAC_DRBG_C
+
+#define MBEDTLS_MD_C
+
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA224_C
+#define MBEDTLS_SHA384_C
+#define MBEDTLS_SHA512_C
+
+#define MBEDTLS_VERSION_C
+
+/*
+ * Prevent the use of 128-bit division which
+ * creates dependency on external libraries.
+ */
+#define MBEDTLS_NO_UDBL_DIVISION
+
+/* Memory buffer allocator option */
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE	8
+
+#define MBEDTLS_GENPRIME
+
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CSR_PARSE_C
+#define MBEDTLS_X509_CREATE_C
+#define MBEDTLS_X509_CSR_WRITE_C
+
+#define MBEDTLS_AES_C
+#define MBEDTLS_GCM_C
+
+#define MBEDTLS_CHACHA20_C
+#define MBEDTLS_POLY1305_C
+#define MBEDTLS_CHACHAPOLY_C
+
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_DHM_C
+
+#define MBEDTLS_PK_WRITE_C
+
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+#define MBEDTLS_OID_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V21
+
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
diff --git a/lib/ext_mbedtls/mbedtls.mk b/lib/ext_mbedtls/mbedtls.mk
new file mode 100644
index 0000000..1845bf9
--- /dev/null
+++ b/lib/ext_mbedtls/mbedtls.mk
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2024, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+MBEDTLS_DIR ?= ext/mbedtls
+ifeq (${MBEDTLS_DIR},)
+$(error Error: MBEDTLS_DIR not set)
+endif
+
+MBEDTLS_CHECK := $(shell find ${MBEDTLS_DIR}/include -name mbedtls)
+
+ifneq (${MBEDTLS_CHECK},)
+$(info Found mbedTLS at ${MBEDTLS_DIR})
+
+TFTF_INCLUDES += -I${MBEDTLS_DIR}/include
+MBEDTLS_CONFIG_FILE ?= "<configs/tftf_mbedtls_config.h>"
+$(eval $(call add_define,TFTF_DEFINES,MBEDTLS_CONFIG_FILE))
+
+#
+# Include mbedtls source required to parse x509 certificate and its helper
+# routines. This can be later extended to include other crypto/PSA crypto
+# library sources.
+#
+TESTS_SOURCES	+=				\
+	$(addprefix ${MBEDTLS_DIR}/library/,	\
+		asn1parse.c			\
+		asn1write.c			\
+		constant_time.c			\
+		bignum.c			\
+		oid.c				\
+		hmac_drbg.c			\
+		memory_buffer_alloc.c		\
+		platform.c 			\
+		platform_util.c			\
+		bignum_core.c			\
+		md.c				\
+		pk.c 				\
+		pk_ecc.c 			\
+		pk_wrap.c 			\
+		pkparse.c 			\
+		sha256.c            		\
+		sha512.c            		\
+		ecdsa.c				\
+		ecp_curves.c			\
+		ecp.c				\
+		rsa.c				\
+		rsa_alt_helpers.c		\
+		x509.c 				\
+		x509_crt.c 			\
+		)
+else
+$(info MbedTLS not found, some dependent tests will be skipped or failed.)
+endif
\ No newline at end of file