diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 473d09b171..df6bf55ef5 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -350,7 +350,6 @@
  */
 //#define MBEDTLS_TIMING_ALT
 
-//#define MBEDTLS_DES_SETKEY_ALT
 //#define MBEDTLS_DES_CRYPT_ECB_ALT
 //#define MBEDTLS_DES3_CRYPT_ECB_ALT
 //#define MBEDTLS_AES_SETKEY_ENC_ALT
diff --git a/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h b/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h
index c2d910cbfa..dbe12edc9e 100644
--- a/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h
+++ b/tf-psa-crypto/drivers/builtin/include/mbedtls/des.h
@@ -344,21 +344,6 @@ int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
                            unsigned char *output);
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
-/**
- * \brief          Internal function for key expansion.
- *                 (Only exposed to allow overriding it,
- *                 see MBEDTLS_DES_SETKEY_ALT)
- *
- * \param SK       Round keys
- * \param key      Base key
- *
- * \warning        DES/3DES are considered weak ciphers and their use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- */
-void mbedtls_des_setkey(uint32_t SK[32],
-                        const unsigned char key[MBEDTLS_DES_KEY_SIZE]);
-
 #if defined(MBEDTLS_SELF_TEST)
 
 /**
diff --git a/tf-psa-crypto/drivers/builtin/src/des.c b/tf-psa-crypto/drivers/builtin/src/des.c
index 5410bd39be..7fd71002a4 100644
--- a/tf-psa-crypto/drivers/builtin/src/des.c
+++ b/tf-psa-crypto/drivers/builtin/src/des.c
@@ -389,8 +389,10 @@ int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
     return 0;
 }
 
-#if !defined(MBEDTLS_DES_SETKEY_ALT)
-void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
+/*
+ * Internal function for key expansion.
+ */
+static void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
 {
     int i;
     uint32_t X, Y, T;
@@ -454,7 +456,6 @@ void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY
                 | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
     }
 }
-#endif /* !MBEDTLS_DES_SETKEY_ALT */
 
 /*
  * DES key schedule (56-bit, encryption)