diff --git a/tests/src/psa_exercise_key.c b/tests/src/psa_exercise_key.c
index 20d3102e61..84e52315ac 100644
--- a/tests/src/psa_exercise_key.c
+++ b/tests/src/psa_exercise_key.c
@@ -627,6 +627,7 @@ static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
     unsigned char output[1];
     int ok = 0;
     psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
+    psa_status_t expected_key_agreement_status = PSA_SUCCESS;
 
     if( usage & PSA_KEY_USAGE_DERIVE )
     {
@@ -648,7 +649,25 @@ static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
                 input, sizeof( input ) ) );
         }
 
-        PSA_ASSERT( mbedtls_test_psa_key_agreement_with_self( &operation, key ) );
+        /* For HKDF_EXPAND input secret may fail as secret size may not match
+           to expected PRK size. In practice it means that key bits must match
+           hash length. Otherwise test should fail with INVALID_ARGUMENT. */
+        if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
+        {
+            psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+            PSA_ASSERT( psa_get_key_attributes( key, &attributes ) );
+            size_t key_bits = psa_get_key_bits( &attributes );
+            psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
+
+            if( PSA_BITS_TO_BYTES( key_bits ) != PSA_HASH_LENGTH( hash_alg ) )
+                expected_key_agreement_status = PSA_ERROR_INVALID_ARGUMENT;
+        }
+
+        TEST_EQUAL( mbedtls_test_psa_key_agreement_with_self( &operation, key ),
+                    expected_key_agreement_status );
+
+        if( expected_key_agreement_status != PSA_SUCCESS )
+            return( 1 );
 
         if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
             PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
@@ -657,7 +676,7 @@ static int exercise_key_agreement_key( mbedtls_svc_key_id_t key,
                             &operation, PSA_KEY_DERIVATION_INPUT_LABEL,
                             input, sizeof( input ) ) );
         }
-        else if( PSA_ALG_IS_HKDF( kdf_alg ) )
+        else if( PSA_ALG_IS_HKDF( kdf_alg ) || PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
         {
             PSA_ASSERT( psa_key_derivation_input_bytes(
                             &operation, PSA_KEY_DERIVATION_INPUT_INFO,
diff --git a/tests/suites/test_suite_psa_crypto_storage_format.function b/tests/suites/test_suite_psa_crypto_storage_format.function
index 14d7d80f13..c52dae1882 100644
--- a/tests/suites/test_suite_psa_crypto_storage_format.function
+++ b/tests/suites/test_suite_psa_crypto_storage_format.function
@@ -151,11 +151,6 @@ static int can_exercise( const psa_key_attributes_t *attributes )
         PSA_ALG_NONE;
     psa_key_usage_t usage = psa_get_key_usage_flags( attributes );
 
-    /* Disable KA(ECDH,HKDF_EXTRACT/EXPAND...) test cases. */
-    if( PSA_ALG_IS_KEY_AGREEMENT( alg ) &&
-        ( PSA_ALG_HKDF_EXTRACT( alg ) || PSA_ALG_HKDF_EXPAND( alg ) ) )
-        return 0;
-
 #if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
     /* We test some configurations using drivers where the driver doesn't
      * support certain hash algorithms, but declares that it supports