diff --git a/picokeys_sdk_import.cmake b/picokeys_sdk_import.cmake index 3c87e21..0da0530 100644 --- a/picokeys_sdk_import.cmake +++ b/picokeys_sdk_import.cmake @@ -331,6 +331,7 @@ list(APPEND PICOKEYS_SOURCES ${CMAKE_CURRENT_LIST_DIR}/src/button.c ${CMAKE_CURRENT_LIST_DIR}/src/led/led.c ${CMAKE_CURRENT_LIST_DIR}/src/signal.c + ${CMAKE_CURRENT_LIST_DIR}/src/trusted.c ) if(ESP_PLATFORM) @@ -433,7 +434,9 @@ set(LIBCVC_SOURCES set(LIBRARIES) if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION) - list(APPEND LIBRARIES mbedtls) + if(ESP_PLATFORM OR ENABLE_EMULATION OR NOT PICO_PLATFORM) + list(APPEND LIBRARIES mbedtls) + endif() endif() if(USE_OPENSSL_EMULATION_WRAPPER) list(APPEND LIBRARIES OpenSSL::Crypto) 
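Review bot: `src/trusted.c` is appended to `PICOKEYS_SOURCES` unconditionally in the first hunk, but the `__trusted_start`/`__trusted_end` symbols it references are only produced in the configurations that later set `PICOKEYS_HAS_TRUSTED_REGION=1`. An MSVC emulation build, or one with `SKIP_MBEDTLS_FOR_OPENSSL_EMULATION` set, gets neither the embed source nor the linker script, so those references are likely to be unresolved at link time. Consider appending the file next to each `add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1)`, or wrapping the accessors in `#if PICOKEYS_HAS_TRUSTED_REGION` so callers can tell that no measurement is available. The `list(APPEND ...)` call starts outside the hunk.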
@@ -453,6 +456,48 @@ if(NOT ESP_PLATFORM) if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION) add_library(mbedtls STATIC ${MBEDTLS_SOURCES}) target_include_directories(mbedtls SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include) + + if(PICO_PLATFORM AND NOT ENABLE_EMULATION) + set(TRUSTED_MBEDTLS_ARCHIVE ${CMAKE_CURRENT_BINARY_DIR}/libtrusted_mbedtls.a) + add_custom_command( + OUTPUT ${TRUSTED_MBEDTLS_ARCHIVE} + COMMAND ${CMAKE_COMMAND} -E rm -f ${TRUSTED_MBEDTLS_ARCHIVE} + COMMAND ${CMAKE_OBJCOPY} --prefix-alloc-sections=.trusted $ ${TRUSTED_MBEDTLS_ARCHIVE} + DEPENDS mbedtls + VERBATIM + ) + add_custom_target(trusted_mbedtls_archive DEPENDS ${TRUSTED_MBEDTLS_ARCHIVE}) + add_library(trusted_mbedtls STATIC IMPORTED GLOBAL) + add_dependencies(trusted_mbedtls trusted_mbedtls_archive) + set_target_properties(trusted_mbedtls PROPERTIES + IMPORTED_LOCATION ${TRUSTED_MBEDTLS_ARCHIVE} + ) + add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1) + elseif(ENABLE_EMULATION AND NOT MSVC) + set(TRUSTED_REGION_EMBED_INPUT + ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_STATIC_LIBRARY_PREFIX}mbedtls${CMAKE_STATIC_LIBRARY_SUFFIX} + ) + if(APPLE) + set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section __DATA,__trusted_region,regular,no_dead_strip") + set(PICOKEYS_TRUSTED_START_SYM "___trusted_start") + set(PICOKEYS_TRUSTED_END_SYM "___trusted_end") + set(PICOKEYS_TRUSTED_LOAD_START_SYM "___trusted_load_start") + set(PICOKEYS_TRUSTED_LOAD_END_SYM "___trusted_load_end") + else() + set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section .trusted_region,\"a\",@progbits") + set(PICOKEYS_TRUSTED_START_SYM "__trusted_start") + set(PICOKEYS_TRUSTED_END_SYM "__trusted_end") + set(PICOKEYS_TRUSTED_LOAD_START_SYM "__trusted_load_start") + set(PICOKEYS_TRUSTED_LOAD_END_SYM "__trusted_load_end") + endif() + set(TRUSTED_REGION_EMBED_SOURCE ${CMAKE_CURRENT_BINARY_DIR}/trusted_region_embed.S) + configure_file( + ${CMAKE_CURRENT_LIST_DIR}/src/trusted_region_embed.in.S + ${TRUSTED_REGION_EMBED_SOURCE} + @ONLY + ) 
+ add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1) + endif() endif() if(ENABLE_LIBCVC) add_library(libcvc STATIC ${LIBCVC_SOURCES}) @@ -472,6 +517,30 @@ if(NOT ESP_PLATFORM) endif() endif() +if(ESP_PLATFORM AND NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION) + add_library(trusted_mbedtls_payload STATIC ${MBEDTLS_SOURCES}) + target_include_directories(trusted_mbedtls_payload + SYSTEM PRIVATE + ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include + ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/library + ) + set(TRUSTED_REGION_EMBED_INPUT + ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_STATIC_LIBRARY_PREFIX}trusted_mbedtls_payload${CMAKE_STATIC_LIBRARY_SUFFIX} + ) + set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section .rodata.trusted_region,\"a\",@progbits") + set(PICOKEYS_TRUSTED_START_SYM "__trusted_start") + set(PICOKEYS_TRUSTED_END_SYM "__trusted_end") + set(PICOKEYS_TRUSTED_LOAD_START_SYM "__trusted_load_start") + set(PICOKEYS_TRUSTED_LOAD_END_SYM "__trusted_load_end") + set(TRUSTED_REGION_EMBED_SOURCE ${CMAKE_CURRENT_BINARY_DIR}/trusted_region_embed.S) + configure_file( + ${CMAKE_CURRENT_LIST_DIR}/src/trusted_region_embed.in.S + ${TRUSTED_REGION_EMBED_SOURCE} + @ONLY + ) + add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1) +endif() + if(PICO_PLATFORM) list(APPEND LIBRARIES pico_stdlib @@ -545,6 +614,15 @@ else() ${CMAKE_CURRENT_LIST_DIR}/src/fs/mman.c ) endif() +if(DEFINED TRUSTED_REGION_EMBED_SOURCE) + set_source_files_properties(${TRUSTED_REGION_EMBED_SOURCE} PROPERTIES + OBJECT_DEPENDS "${TRUSTED_REGION_EMBED_INPUT}" + ) + list(APPEND PICOKEYS_SOURCES + ${TRUSTED_REGION_EMBED_SOURCE} + ) +endif() + if(ENABLE_EMULATION) if(APPLE) add_definitions("-Wno-deprecated-declarations") 
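Review bot: In the `elseif(ENABLE_EMULATION AND NOT MSVC)` branch (and again in the `ESP_PLATFORM` block of the following hunk) the trusted region is an `.incbin` copy of the mbedtls static archive, so the SHA-256 taken over it covers an embedded data blob rather than the mbedtls code that is actually linked and executed. On ESP the blob comes from a separate `trusted_mbedtls_payload` build, which may not match the mbedtls the firmware runs. Archive files can also carry timestamps and member metadata, so the digest may differ between otherwise identical builds. If this is meant only as a stand-in for the Pico layout, say so where the region is set up, e.g. `# Emulation/ESP: the region holds a copy of the archive; its hash does not attest the running code`.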
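Review bot: `OBJECT_DEPENDS "${TRUSTED_REGION_EMBED_INPUT}"` in the `if(DEFINED TRUSTED_REGION_EMBED_SOURCE)` hunk records only a file-level dependency on a path composed by hand from `CMAKE_CURRENT_BINARY_DIR` and the library prefix/suffix. Nothing visible here orders the `mbedtls` or `trusted_mbedtls_payload` target before the assembly of `trusted_region_embed.S`, and the guessed path may be wrong under a multi-config generator or a custom `ARCHIVE_OUTPUT_DIRECTORY`, so `.incbin` can fail or pick up a stale archive. A target-level `add_dependencies()` from the target that compiles `PICOKEYS_SOURCES` to the archive's target would make the ordering explicit; a stale blob means the measured bytes no longer match the current build.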
@@ -680,7 +758,7 @@ if(PICO_RP2350) target_include_directories(mbedtls PRIVATE ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt ) - target_link_libraries(mbedtls PRIVATE pico_sha256) + target_link_libraries(mbedtls PRIVATE pico_sha256_headers) endif() list(APPEND PICOKEYS_SOURCES ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt/sha256_alt.c @@ -694,6 +772,19 @@ if(NOT TARGET picokeys_sdk) if(PICO_PLATFORM) pico_add_library(picokeys_sdk) + if(TARGET trusted_mbedtls) + target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE + "-Wl,--whole-archive" + trusted_mbedtls + "-Wl,--no-whole-archive" + ) + target_link_options(${CMAKE_PROJECT_NAME} PRIVATE + "LINKER:-T,${CMAKE_CURRENT_LIST_DIR}/../trusted_region.ld" + ) + set_property(TARGET ${CMAKE_PROJECT_NAME} APPEND PROPERTY LINK_DEPENDS + ${CMAKE_CURRENT_LIST_DIR}/../trusted_region.ld + ) + endif() target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE ${LIBRARIES}) else() add_impl_library(picokeys_sdk) diff --git a/src/trusted.c b/src/trusted.c new file mode 100644 index 0000000..f333257 --- /dev/null +++ b/src/trusted.c 
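Review bot: The bare `"-Wl,--whole-archive"` / `"-Wl,--no-whole-archive"` strings around `trusted_mbedtls` in the `if(TARGET trusted_mbedtls)` block are ordinary link items, and CMake may de-duplicate or reorder them relative to the library, which would silently change which objects land in the measured region. Where the minimum CMake version allows it (3.24+), `target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE "$<LINK_LIBRARY:WHOLE_ARCHIVE,trusted_mbedtls>")` states the intent directly. The region's bounds also come from `${CMAKE_CURRENT_LIST_DIR}/../trusted_region.ld`, a file outside this directory and not part of this commit; a comment naming who owns that script and which symbols it must define would help, since a different script at that path changes what gets hashed.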
@@ -0,0 +1,48 @@
+/*
+ * This file is part of the Pico Keys SDK distribution (https://github.com/polhenarejos/pico-keys-sdk).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+#include "trusted.h"
+
+#include "mbedtls/sha256.h"
+
+const uint8_t *trusted_region_start(void) {
+ return __trusted_start;
+}
+
+const uint8_t *trusted_region_end(void) {
+ return __trusted_end;
+}
+
+const uint8_t *trusted_region_load_start(void) {
+ return __trusted_start;
+}
+
+const uint8_t *trusted_region_load_end(void) {
+ return __trusted_end;
+}
+
+size_t trusted_region_size(void) {
+ return (size_t)(__trusted_end - __trusted_start);
+}
+
+void trusted_region_init(void) {
+ /* The trusted measurement is always taken from its flash image range. */
+}
+
+int trusted_region_sha256(uint8_t out[32]) {
+ return mbedtls_sha256(__trusted_start, trusted_region_size(), out, 0);
+}
diff --git a/src/trusted.h b/src/trusted.h
new file mode 100644
index 0000000..d3d9534
--- /dev/null
+++ b/src/trusted.h
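Review bot: `trusted_region_load_start()` and `trusted_region_load_end()` return `__trusted_start` and `__trusted_end`, so the `__trusted_load_*` symbols declared in trusted.h are never used and both accessor pairs always report the same range. If the linker script gives the region a run address that differs from its flash load address (the script is not part of this diff), `trusted_region_sha256()` would hash the run-address copy, which contradicts the comment that the measurement is taken from the flash image; the load accessors presumably should be `return __trusted_load_start;` and `return __trusted_load_end;`, and the hash should start from whichever range is immutable. `trusted_region_sha256()` also passes `out` and the computed size straight to `mbedtls_sha256()`; a guard such as `if (out == NULL || __trusted_end < __trusted_start) return -1;` keeps a bad layout from turning into a huge `size_t` length.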
@@ -0,0 +1,38 @@
+/*
+ * This file is part of the Pico Keys SDK distribution (https://github.com/polhenarejos/pico-keys-sdk).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+#ifndef TRUSTED_FIRMWARE_H
+#define TRUSTED_FIRMWARE_H
+
+#include
+#include
+
+extern const uint8_t __trusted_start[];
+extern const uint8_t __trusted_end[];
+extern const uint8_t __trusted_load_start[];
+extern const uint8_t __trusted_load_end[];
+
+/* The canonical trusted measurement is always the flash image range. */
+const uint8_t *trusted_region_start(void);
+const uint8_t *trusted_region_end(void);
+const uint8_t *trusted_region_load_start(void);
+const uint8_t *trusted_region_load_end(void);
+size_t trusted_region_size(void);
+void trusted_region_init(void);
+int trusted_region_sha256(uint8_t out[32]);
+
+#endif
diff --git a/src/trusted_region_embed.in.S b/src/trusted_region_embed.in.S
new file mode 100644
index 0000000..f5792f9
--- /dev/null
+++ b/src/trusted_region_embed.in.S
@@ -0,0 +1,12 @@
+@PICOKEYS_TRUSTED_SECTION_DIRECTIVE@
+ .balign 16
+ .globl @PICOKEYS_TRUSTED_START_SYM@
+@PICOKEYS_TRUSTED_START_SYM@:
+ .globl @PICOKEYS_TRUSTED_LOAD_START_SYM@
+@PICOKEYS_TRUSTED_LOAD_START_SYM@:
+ .incbin "@TRUSTED_REGION_EMBED_INPUT@"
+ .balign 16
+ .globl @PICOKEYS_TRUSTED_END_SYM@
+@PICOKEYS_TRUSTED_END_SYM@:
+ .globl @PICOKEYS_TRUSTED_LOAD_END_SYM@
+@PICOKEYS_TRUSTED_LOAD_END_SYM@:
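Review bot: The header gives callers no contract for `trusted_region_sha256()` or `trusted_region_init()`. A comment on the former should state that `out` must point to 32 writable bytes and that the return value is 0 on success or whatever error `mbedtls_sha256()` reports otherwise; the latter is currently an empty function and should say so, e.g. `/* No-op: the region is measured in place. */`. It would also help to note next to the `extern` declarations that these symbols exist only in builds where `PICOKEYS_HAS_TRUSTED_REGION` is defined.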
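Review bot: The template in trusted_region_embed.in.S emits only the trusted-region section, so the generated object carries no `.note.GNU-stack` marker. On Linux ELF hosts (the non-Apple `ENABLE_EMULATION` branch) an assembly object without that note can cause the linker to mark the process stack executable, or to warn about it with newer binutils. Adding a substitution that expands to `.section .note.GNU-stack,"",@progbits` only for that branch, and to nothing for Mach-O and the embedded targets, avoids that. The second `.balign 16` also sits before the end symbols, so any alignment padding is included in the hashed range.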