
PSA drivers: the setup entry point can receive an operation that isn't all zero #9975

@gilles-peskine-arm

Description


According to the PSA crypto driver interface specification, in multipart operations, the driver's setup entry point should receive an operation object that is initialized to 0. As of Mbed TLS 2.28.9 and 3.6.2, there are several operations where this is not always the case:

  • When the operation object is reused after finishing or aborting another operation. The core may leave whatever content was left there by the driver's finish/abort entry point.
  • With compilers that do not initialize all the members of a union to zero when doing union myunion x = {0} or the like. Such compilers also break the built-in implementation, and this case is tracked separately at HMAC-SHA-256 test failures on upcoming gcc-15 (after partial union initialization changes) #9814.

Workaround: if your driver needs to work with Mbed TLS versions where this issue is present, make sure that the setup entry point does not make any assumption on the content of the operation on entry.
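The failure mode and the workaround, as an added illustration that is not code from the issue, from Mbed TLS, or from any real driver: a hypothetical driver-side hash context (`my_hash_op_t`, `naive_setup`, `robust_setup`, `leaky_abort` and `reuse_cycle` are all invented names) is set up, updated, aborted by an entry point that wipes only the sensitive buffer, and then handed back to setup by a core that zeroed it once at declaration and never again. The setup that trusts the all-zero promise rejects the reused object; the setup that resets the context itself on entry does not care what it was handed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical driver-side multipart hash context (illustration only;
 * not Mbed TLS or any real driver's structure). */
typedef struct {
    uint32_t state;       /* 0 = idle, 1 = active */
    uint32_t alg;
    size_t   buffered;    /* bytes pending in buf */
    uint8_t  buf[64];
    uint64_t total_len;   /* total bytes absorbed so far */
} my_hash_op_t;

enum { MY_STATE_IDLE = 0, MY_STATE_ACTIVE = 1 };
enum { MY_SUCCESS = 0, MY_ERROR_BAD_STATE = -1 };

/* Setup that assumes the core handed it an all-zero object. */
int naive_setup(my_hash_op_t *op, uint32_t alg)
{
    if (op->state != MY_STATE_IDLE)
        return MY_ERROR_BAD_STATE;   /* residue from a previous use trips this */
    op->state = MY_STATE_ACTIVE;
    op->alg = alg;
    return MY_SUCCESS;               /* buffered/total_len assumed to be 0 */
}

/* Setup following the workaround: reset everything before use. */
int robust_setup(my_hash_op_t *op, uint32_t alg)
{
    memset(op, 0, sizeof(*op));
    op->state = MY_STATE_ACTIVE;
    op->alg = alg;
    return MY_SUCCESS;
}

int my_update(my_hash_op_t *op, const uint8_t *in, size_t len)
{
    if (op->state != MY_STATE_ACTIVE) return MY_ERROR_BAD_STATE;
    /* Toy bookkeeping: stash and count; a real driver would block and compress. */
    size_t keep = len < sizeof(op->buf) ? len : sizeof(op->buf);
    memcpy(op->buf, in, keep);
    op->buffered = keep;
    op->total_len += len;
    return MY_SUCCESS;
}

/* An abort that erases sensitive data but leaves bookkeeping behind,
 * which the core then hands straight to the next setup. */
int leaky_abort(my_hash_op_t *op)
{
    memset(op->buf, 0, sizeof(op->buf));
    return MY_SUCCESS;
}

/* Drive one setup/update/abort/setup cycle on a single object, the way the
 * core reuses an operation. Returns the second setup's status and reports
 * how many stale buffered bytes the object carried into that second setup. */
int reuse_cycle(int (*setup)(my_hash_op_t *, uint32_t), size_t *stale_buffered)
{
    static const uint8_t msg[] = "constructed sample input";  /* constructed input */
    my_hash_op_t op = {0};          /* core zeroes only the initial object */
    int rc = setup(&op, 1);
    if (rc != MY_SUCCESS) return rc;
    my_update(&op, msg, sizeof(msg) - 1);
    leaky_abort(&op);
    rc = setup(&op, 1);             /* second use: object is NOT all zero */
    *stale_buffered = op.buffered;
    return rc;
}

int main(void)
{
    size_t stale = 0;
    int rc = reuse_cycle(naive_setup, &stale);
    printf("naive_setup on reused object: rc=%d, stale buffered bytes=%zu\n", rc, stale);
    rc = reuse_cycle(robust_setup, &stale);
    printf("robust_setup on reused object: rc=%d, stale buffered bytes=%zu\n", rc, stale);
    return 0;
}
```

The `memset` at the top of `robust_setup` is the whole workaround: it costs a few dozen bytes of writes per setup and removes every dependency on what the core, the previous finish/abort entry point, or a compiler's union-initialization behaviour left in the object. A driver that stores anything outside the operation object (a hardware slot index, a DMA handle) should also treat the object's fields as untrusted input to that lookup rather than assume a zero field means "nothing allocated".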

Labels: bug; component-psa (PSA keystore/dispatch layer (storage, drivers, …)); size-s (Estimated task size: small (~2d))

Projects: none. Milestone: none. Relationships: none yet. Development: no branches or pull requests.