diff --git a/wolfcrypt/src/port/psa/psa.c b/wolfcrypt/src/port/psa/psa.c index 8735b99aa..a019d3a5d 100644 --- a/wolfcrypt/src/port/psa/psa.c +++ b/wolfcrypt/src/port/psa/psa.c @@ -35,12 +35,35 @@ #include #include +#if defined(WOLFSSL_PSA_GLOBAL_LOCK) +static wolfSSL_Mutex psa_global_mutex; + +void PSA_LOCK() +{ + /* ideally we should propagate the return error here. Leaving out for code + simplicity for now. */ + wc_LockMutex(&psa_global_mutex); +} + +void PSA_UNLOCK() +{ + wc_UnLockMutex(&psa_global_mutex); +} + +#endif + int wc_psa_init() { psa_status_t s; +#if defined(WOLFSSL_PSA_GLOBAL_LOCK) + wc_InitMutex(&psa_global_mutex); +#endif + + PSA_LOCK(); s = psa_crypto_init(); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; @@ -59,7 +82,9 @@ int wc_psa_get_random(unsigned char *out, word32 sz) { psa_status_t s; + PSA_LOCK(); s = psa_generate_random((uint8_t*)out, sz); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; diff --git a/wolfcrypt/src/port/psa/psa_aes.c b/wolfcrypt/src/port/psa/psa_aes.c index 421538643..e69ea9969 100644 --- a/wolfcrypt/src/port/psa/psa_aes.c +++ b/wolfcrypt/src/port/psa/psa_aes.c @@ -57,7 +57,9 @@ static int wc_psa_aes_import_key(Aes *aes, const uint8_t *key, dir == AES_DECRYPTION ? PSA_KEY_USAGE_DECRYPT : 0); psa_set_key_algorithm(&key_attr, alg); + PSA_LOCK(); s = psa_import_key(&key_attr, key, key_length, &id); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; @@ -100,12 +102,16 @@ int wc_psa_aes_get_key_size(Aes *aes, word32 *keySize) if (aes->key_id == PSA_KEY_ID_NULL) return BAD_FUNC_ARG; + PSA_LOCK(); s = psa_get_key_attributes(aes->key_id, &attr); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; *keySize = (word32)(psa_get_key_bits(&attr) / 8); + PSA_LOCK(); psa_reset_key_attributes(&attr); + PSA_UNLOCK(); return 0; } 
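Review bot: The result of `wc_InitMutex(&psa_global_mutex)` in `wc_psa_init` is discarded, so a failed initialisation still lets every later `PSA_LOCK()` run on an unusable mutex, and the PSA calls proceed without the serialisation the option promises. `wc_psa_init` already returns an error code, so the failure can be propagated, e.g. `if (wc_InitMutex(&psa_global_mutex) != 0) return BAD_MUTEX_E;`. The mutex is also re-initialised on every call to `wc_psa_init`, and no matching `wc_FreeMutex` is visible in this diff, which is worth guarding if the function can be called more than once. `PSA_LOCK()` and `PSA_UNLOCK()` are defined with empty parentheses while the header declares them `(void)`; writing `void PSA_LOCK(void)` keeps definition and prototype identical.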
@@ -135,15 +141,21 @@ int wc_psa_aes_set_key(Aes *aes, const uint8_t *key, size_t key_length, /* the object was already used for other encryption. Reset the context */ if (aes->ctx_initialized) { + PSA_LOCK(); s = psa_cipher_abort(&aes->psa_ctx); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; + aes->ctx_initialized =0; } /* a key was already imported, destroy it first */ if (aes->key_id != PSA_KEY_ID_NULL) { + PSA_LOCK(); psa_destroy_key(aes->key_id); + PSA_UNLOCK(); + aes->key_id = PSA_KEY_ID_NULL; } @@ -154,7 +166,9 @@ int wc_psa_aes_set_key(Aes *aes, const uint8_t *key, size_t key_length, XMEMCPY(aes->key, key, key_length); aes->key_need_importing = 1; } else { + PSA_LOCK(); ret = wc_psa_aes_import_key(aes, key, key_length, alg, dir); + PSA_UNLOCK(); if (ret != 0) return ret; } @@ -203,9 +217,13 @@ int wc_psa_aes_encrypt_decrypt(Aes *aes, const uint8_t *input, } if (direction == AES_ENCRYPTION) { + PSA_LOCK(); s = psa_cipher_encrypt_setup(&aes->psa_ctx, aes->key_id, alg); + PSA_UNLOCK(); } else { + PSA_LOCK(); s = psa_cipher_decrypt_setup(&aes->psa_ctx, aes->key_id, alg); + PSA_UNLOCK(); } if (s != PSA_SUCCESS) @@ -217,16 +235,21 @@ int wc_psa_aes_encrypt_decrypt(Aes *aes, const uint8_t *input, if (alg != PSA_ALG_ECB_NO_PADDING) { /* wc_SetIV stores the IV in reg */ + PSA_LOCK(); s = psa_cipher_set_iv(&aes->psa_ctx, (uint8_t*)aes->reg, AES_IV_SIZE); + PSA_UNLOCK(); + if (s != PSA_SUCCESS) goto err; } } + PSA_LOCK(); s = psa_cipher_update(&aes->psa_ctx, input, length, output, length, &output_length); + PSA_UNLOCK(); if (s != PSA_SUCCESS) goto err; @@ -247,12 +270,16 @@ int wc_psa_aes_encrypt_decrypt(Aes *aes, const uint8_t *input, int wc_psa_aes_free(Aes *aes) { if (aes->key_id != PSA_KEY_ID_NULL) { + PSA_LOCK(); psa_destroy_key(aes->key_id); + PSA_UNLOCK(); aes->key_id = PSA_KEY_ID_NULL; } if (aes->ctx_initialized == 1) { + PSA_LOCK(); psa_cipher_abort(&aes->psa_ctx); + PSA_UNLOCK(); aes->ctx_initialized = 0; } 
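Review bot: `wc_psa_aes_set_key` now takes `PSA_LOCK()` around the call to `wc_psa_aes_import_key`, and that function takes `PSA_LOCK()` again around `psa_import_key` (the `@@ -57,7 +57,9 @@` hunk of this file), so one thread locks `psa_global_mutex` twice. Unless the platform's `wolfSSL_Mutex` is recursive, which nothing in this diff establishes, this path never returns when `WOLFSSL_PSA_GLOBAL_LOCK` is enabled. Dropping the outer pair leaves the PSA call covered by the inner lock: `ret = wc_psa_aes_import_key(aes, key, key_length, alg, dir);`. A comment on `PSA_LOCK` such as `/* not re-entrant: never call a wc_psa_* helper while holding it */` would keep the rule visible.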
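Review bot: The `err` label reached by the two `goto err` statements in `wc_psa_aes_encrypt_decrypt`, and whatever follows `psa_cipher_update`, lie outside every hunk of this diff, so any PSA call made there was left without `PSA_LOCK()`/`PSA_UNLOCK()`. If the error path aborts the cipher operation, as the other cleanup paths in this file do, that call needs the same wrapping; this should be checked against the full function. A one-line comment at the top of the function, for example `/* every psa_* call below must be made under PSA_LOCK() */`, would make an unwrapped call easier to spot in review.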
diff --git a/wolfcrypt/src/port/psa/psa_hash.c b/wolfcrypt/src/port/psa/psa_hash.c index 38b27122a..9d3e678ea 100644 --- a/wolfcrypt/src/port/psa/psa_hash.c +++ b/wolfcrypt/src/port/psa/psa_hash.c @@ -50,10 +50,14 @@ static int wc_psa_hash_init_and_setup(psa_hash_operation_t *ctx, XMEMSET(ctx, 0, sizeof(*ctx)); + PSA_LOCK(); s = psa_hash_setup(ctx, alg); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { + PSA_LOCK(); psa_hash_abort(ctx); + PSA_UNLOCK(); return WC_HW_E; } @@ -68,10 +72,14 @@ static int wc_psa_hash_update(psa_hash_operation_t *ctx, const uint8_t *input, if (ctx == NULL || (input == NULL && input_length > 0)) return BAD_FUNC_ARG; + PSA_LOCK(); s = psa_hash_update(ctx, input, input_length); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { + PSA_LOCK(); psa_hash_abort(ctx); + PSA_UNLOCK(); return WC_HW_E; } @@ -87,15 +95,23 @@ static int wc_psa_hash_finish_setup(psa_hash_operation_t *ctx, if (ctx == NULL || output == NULL) return BAD_FUNC_ARG; + PSA_LOCK(); s = psa_hash_finish(ctx, output, PSA_HASH_LENGTH(alg), &hash_length); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { + PSA_LOCK(); psa_hash_abort(ctx); + PSA_UNLOCK(); return WC_HW_E; } + PSA_LOCK(); s = psa_hash_setup(ctx, alg); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { + PSA_LOCK(); psa_hash_abort(ctx); + PSA_UNLOCK(); return WC_HW_E; } @@ -110,9 +126,14 @@ static int wc_psa_hash_clone(const psa_hash_operation_t *src, if (src == NULL || dst == NULL) return BAD_FUNC_ARG; + PSA_LOCK(); psa_hash_abort(dst); + PSA_UNLOCK(); + PSA_LOCK(); s = psa_hash_clone(src, dst); + PSA_UNLOCK(); + if (s != PSA_SUCCESS) return WC_HW_E; @@ -126,7 +147,9 @@ static int wc_psa_hash_abort(psa_hash_operation_t *ctx) if (ctx == NULL) return BAD_FUNC_ARG; + PSA_LOCK(); s = psa_hash_abort(ctx); + PSA_UNLOCK(); if (s != PSA_SUCCESS) return WC_HW_E; 
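Review bot: On the failure path of `wc_psa_hash_init_and_setup` the lock is released after `psa_hash_setup` and retaken at once for `psa_hash_abort`, a needless unlock/lock round trip that also splits a step and its cleanup into two critical sections. Holding the lock across both is shorter and keeps the pair together, as sketched below. The same release-then-retake shape appears in `wc_psa_hash_update` and `wc_psa_hash_finish_setup`. In `wc_psa_hash_clone`, `PSA_UNLOCK();` is followed directly by `PSA_LOCK();` with no code in between, so that pair can simply be removed. The bodies of these functions start and end outside their hunks.

```c
    PSA_LOCK();
    s = psa_hash_setup(ctx, alg);
    if (s != PSA_SUCCESS)
        psa_hash_abort(ctx);   /* cleanup stays in the same critical section */
    PSA_UNLOCK();

    if (s != PSA_SUCCESS)
        return WC_HW_E;
```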
@@ -146,15 +169,21 @@ static int wc_psa_get_hash(psa_hash_operation_t *ctx, return BAD_FUNC_ARG; XMEMSET(&tmp, 0, sizeof(tmp)); + PSA_LOCK(); s = psa_hash_clone(ctx, &tmp); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { psa_hash_abort(&tmp); return WC_HW_E; } + PSA_LOCK(); s = psa_hash_finish(&tmp, out, PSA_HASH_LENGTH(alg), &hash_length); + PSA_UNLOCK(); if (s != PSA_SUCCESS) { + PSA_LOCK(); psa_hash_abort(&tmp); + PSA_UNLOCK(); return WC_HW_E; } diff --git a/wolfssl/wolfcrypt/port/psa/psa.h b/wolfssl/wolfcrypt/port/psa/psa.h index d938ffefd..2c2179377 100644 --- a/wolfssl/wolfcrypt/port/psa/psa.h +++ b/wolfssl/wolfcrypt/port/psa/psa.h @@ -31,6 +31,7 @@ * WOLFSSL_PSA_NO_RNG: disable PSA random generator support * WOLFSSL_PSA_NO_HASH: disable PSA hashing support * WOLFSSL_PSA_NO_AES: disable PSA AES support + * WOLFSSL_PSA_GLOBAL_LOCK: serialize the access to the underlying PSA lib */ #ifndef WOLFSSL_PSA_H @@ -54,6 +55,14 @@ #endif #endif /* WOLFSSL_PSA_NO_AES */ +#if defined(WOLFSSL_PSA_GLOBAL_LOCK) +void PSA_LOCK(void); +void PSA_UNLOCK(void); +#else +#define PSA_LOCK() +#define PSA_UNLOCK() +#endif + int wc_psa_init(void); #if !defined(WOLFSSL_PSA_NO_RNG)
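Review bot: In `wc_psa_get_hash` the `psa_hash_abort(&tmp)` on the `psa_hash_clone` failure branch is still called without the lock, while the identical call after `psa_hash_finish` a few lines below is wrapped. With `WOLFSSL_PSA_GLOBAL_LOCK` set this leaves one entry into the PSA library unserialised; wrap it the same way, `PSA_LOCK(); psa_hash_abort(&tmp); PSA_UNLOCK();`. The function starts and continues outside the hunk.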