diff --git a/components/mbedtls/port/aes/dma/esp_aes_dma_core.c b/components/mbedtls/port/aes/dma/esp_aes_dma_core.c
index c015fef781..396f72c496 100644
--- a/components/mbedtls/port/aes/dma/esp_aes_dma_core.c
+++ b/components/mbedtls/port/aes/dma/esp_aes_dma_core.c
@@ -863,12 +863,44 @@ cleanup:
  * 3. If AES interrupt is enabled and ISR initialisation fails
  * 4. Failure in any of the AES operations
  */
-int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, unsigned char *output, size_t len, crypto_dma_desc_t *aad_desc, size_t aad_len)
+int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, unsigned char *output, size_t len, const unsigned char *aad, size_t aad_len)
 {
+    crypto_dma_desc_t aad_desc[2] = {};
+    crypto_dma_desc_t *aad_head_desc = NULL;
     crypto_dma_desc_t *in_desc_head = NULL, *out_desc_head = NULL, *len_desc = NULL;
     crypto_dma_desc_t *out_desc_tail = NULL; /* pointer to the final output descriptor */
     crypto_dma_desc_t stream_in_desc, stream_out_desc;
     crypto_dma_desc_t *block_desc = NULL, *block_in_desc = NULL, *block_out_desc = NULL;
+
+    uint8_t stream_in_aad[AES_BLOCK_BYTES] = {};
+    unsigned stream_bytes_aad = aad_len % AES_BLOCK_BYTES;     // bytes which aren't in a full block
+    unsigned block_bytes_aad = aad_len - stream_bytes_aad;     // bytes which are in a full block
+
+    assert(esp_ptr_dma_capable(stream_in_aad));
+
+    if (block_bytes_aad > 0) {
+        aad_desc[0].dw0.length = block_bytes_aad;
+        aad_desc[0].dw0.size = block_bytes_aad;
+        aad_desc[0].dw0.owner = 1;
+        aad_desc[0].buffer = (void*)aad;
+    }
+
+    if (stream_bytes_aad > 0) {
+        memcpy(stream_in_aad, aad + block_bytes_aad, stream_bytes_aad);
+
+        aad_desc[0].next = &aad_desc[1];
+        aad_desc[1].dw0.length = AES_BLOCK_BYTES;
+        aad_desc[1].dw0.size = AES_BLOCK_BYTES;
+        aad_desc[1].dw0.owner = 1;
+        aad_desc[1].buffer = (void*)stream_in_aad;
+    }
+
+    if (block_bytes_aad > 0) {
+        aad_head_desc = &aad_desc[0];
+    } else if (stream_bytes_aad > 0) {
+        aad_head_desc = &aad_desc[1];
+    }
+
     size_t crypto_dma_desc_num = 0;
     uint32_t len_buf[4] = {};
     uint8_t stream_in[16] = {};
@@ -906,8 +938,8 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
     len_desc = block_desc + crypto_dma_desc_num;
     block_out_desc = block_desc + crypto_dma_desc_num + 1;
 
-    if (aad_desc != NULL) {
-        dma_desc_append(&in_desc_head, aad_desc);
+    if (aad_head_desc != NULL) {
+        dma_desc_append(&in_desc_head, aad_head_desc);
     }
 
     if (block_bytes > 0) {
diff --git a/components/mbedtls/port/aes/esp_aes_gcm.c b/components/mbedtls/port/aes/esp_aes_gcm.c
index c33c1fdaa2..380bee8379 100644
--- a/components/mbedtls/port/aes/esp_aes_gcm.c
+++ b/components/mbedtls/port/aes/esp_aes_gcm.c
@@ -586,7 +586,7 @@ int esp_aes_gcm_finish( esp_gcm_context *ctx,
 /* Due to restrictions in the hardware (e.g. need to do the whole conversion in one go),
    some combinations of inputs are not supported */
 static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned char *aad, size_t aad_len,
-                                               const unsigned char *input, unsigned char *output, uint8_t *stream_in)
+                                               const unsigned char *input, unsigned char *output)
 {
     bool support_hw_accel = true;
 
@@ -601,10 +601,6 @@ static bool esp_aes_gcm_input_support_hw_accel(size_t length, const unsigned cha
     } else if (!esp_ptr_dma_capable(output) && length > 0) {
         /* output in non internal DMA memory */
         support_hw_accel = false;
-    } else if (!esp_ptr_dma_capable(stream_in)) {
-        /* Stream in (and therefor other descriptors and buffers that come from the stack)
-           in non internal DMA memory */
-        support_hw_accel = false;
     } else if (length == 0) {
         support_hw_accel = false;
     }
@@ -672,15 +668,10 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
 #endif
 #if CONFIG_MBEDTLS_HARDWARE_GCM
     int ret;
-    crypto_dma_desc_t aad_desc[2] = {};
-    crypto_dma_desc_t *aad_head_desc = NULL;
     size_t remainder_bit;
-    uint8_t stream_in[AES_BLOCK_BYTES] = {};
-    unsigned stream_bytes = aad_len % AES_BLOCK_BYTES; // bytes which aren't in a full block
-    unsigned block_bytes = aad_len - stream_bytes;     // bytes which are in a full block
 
     /* Due to hardware limition only certain cases are fully supported in HW */
-    if (!esp_aes_gcm_input_support_hw_accel(length, aad, aad_len, input, output, stream_in)) {
+    if (!esp_aes_gcm_input_support_hw_accel(length, aad, aad_len, input, output)) {
         return esp_aes_gcm_crypt_and_tag_partial_hw(ctx, mode, length, iv, iv_len, aad, aad_len, input, output, tag_len, tag);
     }
 
@@ -725,29 +716,6 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
     ctx->aes_ctx.key_in_hardware = 0;
     ctx->aes_ctx.key_in_hardware = aes_hal_setkey(ctx->aes_ctx.key, ctx->aes_ctx.key_bytes, mode);
 
-    if (block_bytes > 0) {
-        aad_desc[0].dw0.length = block_bytes;
-        aad_desc[0].dw0.size = block_bytes;
-        aad_desc[0].dw0.owner = 1;
-        aad_desc[0].buffer = (void*)aad;
-    }
-
-    if (stream_bytes > 0) {
-        memcpy(stream_in, aad + block_bytes, stream_bytes);
-
-        aad_desc[0].next = &aad_desc[1];
-        aad_desc[1].dw0.length = AES_BLOCK_BYTES;
-        aad_desc[1].dw0.size = AES_BLOCK_BYTES;
-        aad_desc[1].dw0.owner = 1;
-        aad_desc[1].buffer = (void*)stream_in;
-    }
-
-    if (block_bytes > 0) {
-        aad_head_desc = &aad_desc[0];
-    } else if (stream_bytes > 0) {
-        aad_head_desc = &aad_desc[1];
-    }
-
     aes_hal_mode_init(ESP_AES_BLOCK_MODE_GCM);
 
     /* See TRM GCM chapter for description of this calculation */
@@ -760,7 +728,7 @@ int esp_aes_gcm_crypt_and_tag( esp_gcm_context *ctx,
 
     aes_hal_gcm_set_j0(ctx->J0);
 
-    ret = esp_aes_process_dma_gcm(&ctx->aes_ctx, input, output, length, aad_head_desc, aad_len);
+    ret = esp_aes_process_dma_gcm(&ctx->aes_ctx, input, output, length, aad, aad_len);
     if (ret != 0) {
         esp_aes_release_hardware();
         return ret;
diff --git a/components/mbedtls/port/aes/include/esp_aes_internal.h b/components/mbedtls/port/aes/include/esp_aes_internal.h
index 1c065927df..cbf5452859 100644
--- a/components/mbedtls/port/aes/include/esp_aes_internal.h
+++ b/components/mbedtls/port/aes/include/esp_aes_internal.h
@@ -43,7 +43,7 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
  * @param aad_len   GCM additional data length
  * @return int      -1 on error
  */
-int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, unsigned char *output, size_t len, crypto_dma_desc_t *aad_desc, size_t aad_len);
+int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, unsigned char *output, size_t len, const unsigned char *aad_desc, size_t aad_len);
 #endif
 
 #ifdef __cplusplus