diff --git a/scripts/mbedtls_dev/psa_storage.py b/scripts/mbedtls_dev/psa_storage.py
index 45f0380e7..4cd3dfe91 100644
--- a/scripts/mbedtls_dev/psa_storage.py
+++ b/scripts/mbedtls_dev/psa_storage.py
@@ -101,6 +101,12 @@ class Key:
     LATEST_VERSION = 0
     """The latest version of the storage format."""
 
+    EXTENDABLE_USAGE_FLAGS = {
+        Expr('PSA_KEY_USAGE_SIGN_HASH'): Expr('PSA_KEY_USAGE_SIGN_MESSAGE'),
+        Expr('PSA_KEY_USAGE_VERIFY_HASH'): Expr('PSA_KEY_USAGE_VERIFY_MESSAGE')
+    } #type: Dict[Expr, Expr]
+    """The extendable usage flags with the corresponding extension flags."""
+
     def __init__(self, *,
                  version: Optional[int] = None,
                  id: Optional[int] = None, #pylint: disable=redefined-builtin
@@ -108,18 +114,27 @@ class Key:
                  type: Exprable, #pylint: disable=redefined-builtin
                  bits: int,
                  usage: Exprable, alg: Exprable, alg2: Exprable,
-                 material: bytes #pylint: disable=used-before-assignment
+                 material: bytes, #pylint: disable=used-before-assignment
+                 usage_extension: bool = True
                 ) -> None:
         self.version = self.LATEST_VERSION if version is None else version
         self.id = id #pylint: disable=invalid-name #type: Optional[int]
         self.lifetime = as_expr(lifetime) #type: Expr
         self.type = as_expr(type) #type: Expr
         self.bits = bits #type: int
-        self.usage = as_expr(usage) #type: Expr
+        self.original_usage = as_expr(usage) #type: Expr
+        self.updated_usage = self.original_usage #type: Expr
         self.alg = as_expr(alg) #type: Expr
         self.alg2 = as_expr(alg2) #type: Expr
         self.material = material #type: bytes
 
+        if usage_extension:
+            for flag, extension in self.EXTENDABLE_USAGE_FLAGS.items():
+                if self.original_usage.value() & flag.value() and \
+                   self.original_usage.value() & extension.value() == 0:
+                    self.updated_usage = Expr(self.updated_usage.string +
+                                              ' | ' + extension.string)
+
     MAGIC = b'PSA\000KEY\000'
 
     @staticmethod
@@ -151,7 +166,7 @@ class Key:
         if self.version == 0:
             attributes = self.pack('LHHLLL',
                                    self.lifetime, self.type, self.bits,
-                                   self.usage, self.alg, self.alg2)
+                                   self.updated_usage, self.alg, self.alg2)
             material = self.pack('L', len(self.material)) + self.material
         else:
             raise NotImplementedError
diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py
old mode 100644
new mode 100755
index 8e57f010b..da15d84ec
--- a/tests/scripts/generate_psa_tests.py
+++ b/tests/scripts/generate_psa_tests.py
@@ -230,12 +230,14 @@ class StorageKey(psa_storage.Key):
     def __init__(self, *, description: str, **kwargs) -> None:
         super().__init__(**kwargs)
         self.description = description #type: str
+        self.usage = self.original_usage #type: psa_storage.Expr
+
 class StorageKeyBuilder:
-    def __init__(self) -> None:
-        pass
+    def __init__(self, usage_extension: bool) -> None:
+        self.usage_extension = usage_extension #type: bool
 
     def build(self, **kwargs) -> StorageKey:
-        return StorageKey(**kwargs)
+        return StorageKey(usage_extension = self.usage_extension, **kwargs)
 
 class StorageFormat:
     """Storage format stability test cases."""
@@ -253,7 +255,7 @@ class StorageFormat:
         self.constructors = info.constructors #type: macro_collector.PSAMacroEnumerator
         self.version = version #type: int
         self.forward = forward #type: bool
-        self.key_builder = StorageKeyBuilder() #type: StorageKeyBuilder
+        self.key_builder = StorageKeyBuilder(usage_extension = True) #type: StorageKeyBuilder
 
     def make_test_case(self, key: StorageKey) -> test_case.TestCase:
         """Construct a storage format test case for the given key.
@@ -467,6 +469,24 @@ class StorageFormatV0(StorageFormat):
     def __init__(self, info: Information) -> None:
         super().__init__(info, 0, False)
 
+    def all_keys_for_usage_flags(self) -> List[StorageKey]:
+        """Generate test keys covering usage flags."""
+        # First generate keys without usage policy extension for
+        # compatibility testing, then generate the keys with extension
+        # to check the extension is working.
+        keys = [] #type: List[StorageKey]
+        prev_builder = self.key_builder
+
+        self.key_builder = StorageKeyBuilder(usage_extension = False)
+        keys += super().all_keys_for_usage_flags(extra_desc = 'without extension')
+
+        self.key_builder = StorageKeyBuilder(usage_extension = True)
+        keys += super().all_keys_for_usage_flags(extra_desc = 'with extension')
+
+        self.key_builder = prev_builder
+        return keys
+
+
 class TestGenerator:
     """Generate test data."""
 
diff --git a/tests/suites/test_suite_psa_crypto_storage_format.v0.data b/tests/suites/test_suite_psa_crypto_storage_format.v0.data
index 1a1177643..f0b21813e 100644
--- a/tests/suites/test_suite_psa_crypto_storage_format.v0.data
+++ b/tests/suites/test_suite_psa_crypto_storage_format.v0.data
@@ -20,79 +20,159 @@ PSA storage read: lifetime: PERSISTENT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"4c":"505341004b455900000000000100000001100800010000000000000000000000010000004c":0
 
-PSA storage read: usage: 0
+PSA storage read: usage without extension: 0
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:0:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000000000000000000000000010000004b":0
 
-PSA storage read: usage: COPY
+PSA storage read: usage without extension: COPY
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020000000000000000000000010000004b":0
 
-PSA storage read: usage: DECRYPT
+PSA storage read: usage without extension: DECRYPT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DECRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000200000000000000000000010000004b":0
 
-PSA storage read: usage: DERIVE
+PSA storage read: usage without extension: DERIVE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DERIVE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004000000000000000000000010000004b":0
 
-PSA storage read: usage: ENCRYPT
+PSA storage read: usage without extension: ENCRYPT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_ENCRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000100000000000000000000010000004b":0
 
-PSA storage read: usage: EXPORT
+PSA storage read: usage without extension: EXPORT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800010000000000000000000000010000004b":0
 
-PSA storage read: usage: SIGN_HASH
+PSA storage read: usage without extension: SIGN_HASH
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
-key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001400000000000000000000010000004b":0
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001000000000000000000000010000004b":0
 
-PSA storage read: usage: SIGN_MESSAGE
+PSA storage read: usage without extension: SIGN_MESSAGE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000400000000000000000000010000004b":0
 
-PSA storage read: usage: VERIFY_HASH
+PSA storage read: usage without extension: VERIFY_HASH
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
-key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002800000000000000000000010000004b":0
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002000000000000000000000010000004b":0
 
-PSA storage read: usage: VERIFY_MESSAGE
+PSA storage read: usage without extension: VERIFY_MESSAGE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000800000000000000000000010000004b":0
 
-PSA storage read: usage: COPY | DECRYPT
+PSA storage read: usage without extension: COPY | DECRYPT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020200000000000000000000010000004b":0
 
-PSA storage read: usage: DECRYPT | DERIVE
+PSA storage read: usage without extension: DECRYPT | DERIVE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004200000000000000000000010000004b":0
 
-PSA storage read: usage: DERIVE | ENCRYPT
+PSA storage read: usage without extension: DERIVE | ENCRYPT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004100000000000000000000010000004b":0
 
-PSA storage read: usage: ENCRYPT | EXPORT
+PSA storage read: usage without extension: ENCRYPT | EXPORT
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800010100000000000000000000010000004b":0
 
-PSA storage read: usage: EXPORT | SIGN_HASH
+PSA storage read: usage without extension: EXPORT | SIGN_HASH
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
-key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800011400000000000000000000010000004b":0
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800011000000000000000000000010000004b":0
 
-PSA storage read: usage: SIGN_HASH | SIGN_MESSAGE
+PSA storage read: usage without extension: SIGN_HASH | SIGN_MESSAGE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001400000000000000000000010000004b":0
 
-PSA storage read: usage: SIGN_MESSAGE | VERIFY_HASH
+PSA storage read: usage without extension: SIGN_MESSAGE | VERIFY_HASH
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
-key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002c00000000000000000000010000004b":0
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002400000000000000000000010000004b":0
 
-PSA storage read: usage: VERIFY_HASH | VERIFY_MESSAGE
+PSA storage read: usage without extension: VERIFY_HASH | VERIFY_MESSAGE
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002800000000000000000000010000004b":0
 
-PSA storage read: usage: VERIFY_MESSAGE | COPY
+PSA storage read: usage without extension: VERIFY_MESSAGE | COPY
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020800000000000000000000010000004b":0
+
+PSA storage read: usage: all known
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800037f00000000000000000000010000004b":0
+
+PSA storage read: usage with extension: 0
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:0:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000000000000000000000000010000004b":0
+
+PSA storage read: usage with extension: COPY
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020000000000000000000000010000004b":0
+
+PSA storage read: usage with extension: DECRYPT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DECRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000200000000000000000000010000004b":0
+
+PSA storage read: usage with extension: DERIVE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DERIVE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004000000000000000000000010000004b":0
+
+PSA storage read: usage with extension: ENCRYPT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_ENCRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000100000000000000000000010000004b":0
+
+PSA storage read: usage with extension: EXPORT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800010000000000000000000000010000004b":0
+
+PSA storage read: usage with extension: SIGN_HASH
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001400000000000000000000010000004b":0
+
+PSA storage read: usage with extension: SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000400000000000000000000010000004b":0
+
+PSA storage read: usage with extension: VERIFY_HASH
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002800000000000000000000010000004b":0
+
+PSA storage read: usage with extension: VERIFY_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800000800000000000000000000010000004b":0
+
+PSA storage read: usage with extension: COPY | DECRYPT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_DECRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020200000000000000000000010000004b":0
+
+PSA storage read: usage with extension: DECRYPT | DERIVE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_DERIVE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004200000000000000000000010000004b":0
+
+PSA storage read: usage with extension: DERIVE | ENCRYPT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_ENCRYPT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800004100000000000000000000010000004b":0
+
+PSA storage read: usage with extension: ENCRYPT | EXPORT
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800010100000000000000000000010000004b":0
+
+PSA storage read: usage with extension: EXPORT | SIGN_HASH
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800011400000000000000000000010000004b":0
+
+PSA storage read: usage with extension: SIGN_HASH | SIGN_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800001400000000000000000000010000004b":0
+
+PSA storage read: usage with extension: SIGN_MESSAGE | VERIFY_HASH
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_HASH:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002c00000000000000000000010000004b":0
+
+PSA storage read: usage with extension: VERIFY_HASH | VERIFY_MESSAGE
+depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
+key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_VERIFY_MESSAGE:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800002800000000000000000000010000004b":0
+
+PSA storage read: usage with extension: VERIFY_MESSAGE | COPY
 depends_on:PSA_WANT_KEY_TYPE_RAW_DATA
 key_storage_read:0x0001:PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_VERIFY_MESSAGE | PSA_KEY_USAGE_COPY:0x0000:0x0000:"4b":"505341004b455900000000000100000001100800020800000000000000000000010000004b":0