diff --git a/framework b/framework
index 5ef7e74c53..77f707a557 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 5ef7e74c537193912a31e1e03b56261116578896
+Subproject commit 77f707a5576c5bdd1ff9463c7b25d2488497f57e
diff --git a/scripts/data_files/config-options-current.txt b/scripts/data_files/config-options-current.txt
new file mode 100644
index 0000000000..81b233804c
--- /dev/null
+++ b/scripts/data_files/config-options-current.txt
@@ -0,0 +1,79 @@
+MBEDTLS_CONFIG_FILE
+MBEDTLS_CONFIG_VERSION
+MBEDTLS_DEBUG_C
+MBEDTLS_ERROR_C
+MBEDTLS_ERROR_STRERROR_DUMMY
+MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+MBEDTLS_NET_C
+MBEDTLS_PKCS7_C
+MBEDTLS_PSK_MAX_LEN
+MBEDTLS_SSL_ALL_ALERT_MESSAGES
+MBEDTLS_SSL_ALPN
+MBEDTLS_SSL_ASYNC_PRIVATE
+MBEDTLS_SSL_CACHE_C
+MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
+MBEDTLS_SSL_CID_IN_LEN_MAX
+MBEDTLS_SSL_CID_OUT_LEN_MAX
+MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
+MBEDTLS_SSL_CIPHERSUITES
+MBEDTLS_SSL_CLI_C
+MBEDTLS_SSL_CONTEXT_SERIALIZATION
+MBEDTLS_SSL_COOKIE_C
+MBEDTLS_SSL_COOKIE_TIMEOUT
+MBEDTLS_SSL_DEBUG_ALL
+MBEDTLS_SSL_DTLS_ANTI_REPLAY
+MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+MBEDTLS_SSL_DTLS_CONNECTION_ID
+MBEDTLS_SSL_DTLS_HELLO_VERIFY
+MBEDTLS_SSL_DTLS_MAX_BUFFERING
+MBEDTLS_SSL_DTLS_SRTP
+MBEDTLS_SSL_EARLY_DATA
+MBEDTLS_SSL_ENCRYPT_THEN_MAC
+MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+MBEDTLS_SSL_IN_CONTENT_LEN
+MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+MBEDTLS_SSL_NULL_CIPHERSUITES
+MBEDTLS_SSL_OUT_CONTENT_LEN
+MBEDTLS_SSL_PROTO_DTLS
+MBEDTLS_SSL_PROTO_TLS1_2
+MBEDTLS_SSL_PROTO_TLS1_3
+MBEDTLS_SSL_RECORD_SIZE_LIMIT
+MBEDTLS_SSL_RENEGOTIATION
+MBEDTLS_SSL_SERVER_NAME_INDICATION
+MBEDTLS_SSL_SESSION_TICKETS
+MBEDTLS_SSL_SRV_C
+MBEDTLS_SSL_TICKET_C
+MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
+MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
+MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
+MBEDTLS_SSL_TLS_C
+MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+MBEDTLS_TIMING_ALT
+MBEDTLS_TIMING_C
+MBEDTLS_USER_CONFIG_FILE
+MBEDTLS_VERSION_C
+MBEDTLS_VERSION_FEATURES
+MBEDTLS_X509_CREATE_C
+MBEDTLS_X509_CRL_PARSE_C
+MBEDTLS_X509_CRT_PARSE_C
+MBEDTLS_X509_CRT_WRITE_C
+MBEDTLS_X509_CSR_PARSE_C
+MBEDTLS_X509_CSR_WRITE_C
+MBEDTLS_X509_MAX_FILE_PATH_LEN
+MBEDTLS_X509_MAX_INTERMEDIATE_CA
+MBEDTLS_X509_REMOVE_INFO
+MBEDTLS_X509_RSASSA_PSS_SUPPORT
+MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+MBEDTLS_X509_USE_C
diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py
index bae93c3662..0f55936c8c 100755
--- a/scripts/generate_config_checks.py
+++ b/scripts/generate_config_checks.py
@@ -8,7 +8,7 @@ from typing import Iterator import framework_scripts_path # pylint: disable=unused-import from mbedtls_framework.config_checks_generator import * \ #pylint: disable=wildcard-import,unused-wildcard-import -from mbedtls_framework import config_history +from mbedtls_framework import config_macros class CryptoInternal(SubprojectInternal): SUBPROJECT = 'TF-PSA-Crypto'
@@ -23,20 +23,23 @@ ALWAYS_ENABLED_SINCE_4_0 = frozenset([ def checkers_for_removed_options() -> Iterator[Checker]: """Discover removed options. Yield corresponding checkers.""" - history = config_history.ConfigHistory() - old_public = history.options('mbedtls', '3.6') - new_public = history.options('mbedtls', '4.0') - crypto_public = history.options('tfpsacrypto', '1.0') - crypto_internal = history.internal('tfpsacrypto', '1.0') + previous_major = config_macros.History('mbedtls', '3.6') + current = config_macros.Current() + crypto = config_macros.Current('tf-psa-crypto') + old_public = previous_major.options() + new_public = current.options() for option in sorted(old_public - new_public): if option in ALWAYS_ENABLED_SINCE_4_0: continue - if option in crypto_public: + if option in crypto.options(): yield CryptoOption(option) - elif option in crypto_internal: + elif option in crypto.internal(): yield CryptoInternal(option) else: yield Removed(option, 'Mbed TLS 4.0') + for option in (current.internal() - new_public - old_public - + crypto.options() - crypto.internal()): + yield Internal(option) def all_checkers() -> Iterator[Checker]: """Yield all checkers."""
diff --git a/tests/scripts/check_option_lists.py b/tests/scripts/check_option_lists.py
new file mode 100755
index 0000000000..c9b643bb6d
--- /dev/null
+++ b/tests/scripts/check_option_lists.py
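Review bot: The new trailing loop in `checkers_for_removed_options()` iterates the set difference directly, while the loop above it goes through `sorted(...)`, so the order of the `Internal` checkers follows set iteration order, which for strings can differ between Python runs. If the generated checks are emitted in yield order (the consumer is outside this diff), the output would not be reproducible; wrapping the expression keeps it stable: `for option in sorted(current.internal() - new_public - old_public - crypto.options() - crypto.internal()):`. The docstring still reads "Discover removed options" although the function now also yields checkers for internal macros, so it should say so. `crypto.options()` and `crypto.internal()` are also called on every iteration of the first loop; binding them to locals next to `old_public` and `new_public` would match the surrounding style.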
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+
+"""
+Check that files with lists of config options are up-to-date, or update them.
+
+This script checks the following file:
+scripts/data_files/config-options-current.txt
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+import argparse
+import sys
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_framework import config_macros
+
+
+def main():
+ parser = argparse.ArgumentParser(description=__doc__)
+ # For now this script only acts on one target file.
+ # If we check/update more files, we should add a way to select which
+ # file(s) to operate on.
+ parser.add_argument('--always-update', '-U',
+ action='store_true',
+ help=('Update target files unconditionally '
+ '(overrides --update)'))
+ parser.add_argument('--update', '-u',
+ action='store_true',
+ help='Update target files if needed')
+ args = parser.parse_args()
+ data = config_macros.Current(shadow_missing_ok=True)
+ if args.update or args.always_update:
+ data.update_shadow_file(args.always_update)
+ else:
+ up_to_date = True
+ if not data.is_shadow_file_up_to_date():
+ print(f'{data.shadow_file_path()} is out of date')
+ print(f'After adding or removing a config option, you need to run')
+ print(f'{sys.argv[0]} -u and commit the result.')
+ up_to_date = False
+ sys.exit(0 if up_to_date else 1)
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index e791ad065c..199396df30 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -46,6 +46,9 @@ component_check_generated_files () { # This component ends with the generated files present in the source tree. # This is necessary for subsequent components! + + msg "Check committed generated files" + tests/scripts/check_option_lists.py } component_check_doxy_blocks () {
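Review bot: The second `print` in the out-of-date branch of `main()` in tests/scripts/check_option_lists.py is an f-string with no placeholders, which pylint reports as `f-string-without-interpolation`; drop the prefix: `print('After adding or removing a config option, you need to run')`. The three messages are failure diagnostics but go to stdout; passing `file=sys.stderr` would keep them visible when a caller captures stdout. Separately, check mode builds `config_macros.Current(shadow_missing_ok=True)` exactly as update mode does, and what `is_shadow_file_up_to_date()` returns when the file is absent is decided in the framework, outside this diff; since this script is wired into `component_check_generated_files` as a gate, it is worth confirming that a missing file makes the check exit 1 rather than pass.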
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 85af1a8fdc..ae74d3276a 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 85af1a8fdc7b1caa85d99380c1607c3ec11bf87d
+Subproject commit ae74d3276a75c2419ee51621150006bd8fd3883c