diff --git a/Makefile b/Makefile index b92d3a9c4..a238ee444 100644 --- a/Makefile +++ b/Makefile @@ -768,15 +768,6 @@ ifeq ($(CTX_INCLUDE_MTE_REGS),1) endif endif -# Trusted Boot is a prerequisite for Measured Boot. It provides trust that the -# code taking the measurements and recording them has not been tampered -# with. This is referred to as the Root of Trust for Measurement. -ifeq ($(MEASURED_BOOT),1) - ifneq (${TRUSTED_BOARD_BOOT},1) - $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1) - endif -endif - ifeq ($(PSA_FWU_SUPPORT),1) $(info PSA_FWU_SUPPORT is an experimental feature) endif diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c index 663ec642b..7399bc8fc 100644 --- a/bl1/bl1_main.c +++ b/bl1/bl1_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include @@ -121,10 +122,10 @@ void bl1_main(void) /* Perform remaining generic architectural setup from EL3 */ bl1_arch_setup(); -#if TRUSTED_BOARD_BOOT + crypto_mod_init(); + /* Initialize authentication module */ auth_mod_init(); -#endif /* TRUSTED_BOARD_BOOT */ /* Initialize the measured boot */ bl1_plat_mboot_init(); diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c index 90fe39bc2..5da803795 100644 --- a/bl2/bl2_main.c +++ b/bl2/bl2_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include 
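Review bot: Removing the MEASURED_BOOT-requires-TRUSTED_BOARD_BOOT error leaves no Makefile line in this diff that defines CRYPTO_SUPPORT, yet the crypto_mod.h hunk later in the patch keys the real crypto_mod_init() on `#if CRYPTO_SUPPORT`; if it is set elsewhere in the Makefile that is outside this hunk and a pointer to it here would help. The deleted comment was the only place in the build explaining the Root-of-Trust-for-Measurement argument, so a one-line replacement would preserve the rationale, e.g. `# MEASURED_BOOT may be used without TRUSTED_BOARD_BOOT; the measuring code is then not itself verified (see docs/getting_started/build-options.rst).`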
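Review bot: `crypto_mod_init()` is now called unconditionally just before `auth_mod_init()`, but the only comment left in the hunk still describes the authentication module, so nothing says why the call moved out from under `#if TRUSTED_BOARD_BOOT`; a line such as `/* Initialize the crypto module (used by TBB and/or Measured Boot) */` above the new call would do. The same applies to the matching bl2_main.c hunk. Whether the call is a no-op in a build with neither option depends on the `CRYPTO_SUPPORT` stub in crypto_mod.h, which this diff does not show being set, so that is worth confirming. bl1_main() continues outside the hunk.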
@@ -89,10 +90,10 @@ void bl2_main(void) fwu_init(); #endif /* PSA_FWU_SUPPORT */ -#if TRUSTED_BOARD_BOOT + crypto_mod_init(); + /* Initialize authentication module */ auth_mod_init(); -#endif /* TRUSTED_BOARD_BOOT */ /* Initialize the Measured Boot backend */ bl2_plat_mboot_init(); diff --git a/common/bl_common.c b/common/bl_common.c index eb2352a77..9bfaafd2b 100644 --- a/common/bl_common.c +++ b/common/bl_common.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -143,25 +143,6 @@ exit: return io_result; } -/* - * Load an image and flush it out to main memory so that it can be executed - * later by any CPU, regardless of cache and MMU state. - */ -static int load_image_flush(unsigned int image_id, - image_info_t *image_data) -{ - int rc; - - rc = load_image(image_id, image_data); - if (rc == 0) { - flush_dcache_range(image_data->image_base, - image_data->image_size); - } - - return rc; -} - - #if TRUSTED_BOARD_BOOT /* * This function uses recursion to authenticate the parent images up to the root @@ -202,30 +183,6 @@ static int load_auth_image_recursive(unsigned int image_id, return -EAUTH; } - if (is_parent_image == 0) { - /* - * Measure the image. - * We do not measure its parents because these only play a role - * in authentication, which is orthogonal to measured boot. - * - * TODO: Change this code if we change our minds about measuring - * certificates. - */ - rc = plat_mboot_measure_image(image_id, image_data); - if (rc != 0) { - return rc; - } - - /* - * Flush the image to main memory so that it can be executed - * later by any CPU, regardless of cache and MMU state. This - * is only needed for child images, not for the parents - * (certificates). - */ - flush_dcache_range(image_data->image_base, - image_data->image_size); - } - return 0; } #endif /* TRUSTED_BOARD_BOOT */ 
@@ -239,7 +196,7 @@ static int load_auth_image_internal(unsigned int image_id, } #endif - return load_image_flush(image_id, image_data); + return load_image(image_id, image_data); } /******************************************************************************* @@ -266,6 +223,25 @@ int load_auth_image(unsigned int image_id, image_info_t *image_data) } while ((err != 0) && (plat_try_next_boot_source() != 0)); #endif /* PSA_FWU_SUPPORT */ + if (err == 0) { + /* + * If loading of the image gets passed (along with its + * authentication in case of Trusted-Boot flow) then measure + * it (if MEASURED_BOOT flag is enabled). + */ + err = plat_mboot_measure_image(image_id, image_data); + if (err != 0) { + return err; + } + + /* + * Flush the image to main memory so that it can be executed + * later by any CPU, regardless of cache and MMU state. + */ + flush_dcache_range(image_data->image_base, + image_data->image_size); + } + return err; } diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index d77875e2b..a34bb3cef 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -529,9 +529,9 @@ Common build options the build. The default value is 40 in debug builds and 20 in release builds. - ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot - feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set as well - in order to provide trust that the code taking the measurements and recording - them has not been tampered with. + feature. This flag can be enabled with ``TRUSTED_BOARD_BOOT`` in order to + provide trust that the code taking the measurements and recording them has + not been tampered with. This option defaults to 0. diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c index 917ee4a28..a99a2c70c 100644 --- a/drivers/auth/auth_mod.c +++ b/drivers/auth/auth_mod.c 
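Review bot: The new block's comment ("If loading of the image gets passed … then measure it (if MEASURED_BOOT flag is enabled)") reads awkwardly and hides that correctness now depends on `plat_mboot_measure_image()` being a stub returning 0 when MEASURED_BOOT is off; that stub is not visible in this diff, so confirm it exists for every platform rather than relying on the parenthetical. Suggested wording: `/* Image loaded (and authenticated under TBB): measure it, then flush it. plat_mboot_measure_image() must return 0 when MEASURED_BOOT is disabled. */`. The ordering also means a measurement failure leaves the image in memory without a dcache flush, which is fine only as long as every caller treats a non-zero return as fatal. The retry loop this block follows starts outside the hunk.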
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -339,9 +339,6 @@ void auth_mod_init(void) /* Check we have a valid CoT registered */ assert(cot_desc_ptr != NULL); - /* Crypto module */ - crypto_mod_init(); - /* Image parser module */ img_parser_init(); } diff --git a/drivers/auth/crypto_mod.c b/drivers/auth/crypto_mod.c index 127eb0df5..eada3579a 100644 --- a/drivers/auth/crypto_mod.c +++ b/drivers/auth/crypto_mod.c @@ -46,8 +46,13 @@ void crypto_mod_init(void) { assert(crypto_lib_desc.name != NULL); assert(crypto_lib_desc.init != NULL); +#if TRUSTED_BOARD_BOOT assert(crypto_lib_desc.verify_signature != NULL); assert(crypto_lib_desc.verify_hash != NULL); +#endif /* TRUSTED_BOARD_BOOT */ +#if MEASURED_BOOT + assert(crypto_lib_desc.calc_hash != NULL); +#endif /* MEASURED_BOOT */ /* Initialize the cryptographic library */ crypto_lib_desc.init(); diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c index 114e6adf1..0901d045a 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -60,6 +60,7 @@ static void init(void) mbedtls_init(); } +#if TRUSTED_BOARD_BOOT /* * Verify a signature. * @@ -218,6 +219,7 @@ static int verify_hash(void *data_ptr, unsigned int data_len, return CRYPTO_SUCCESS; } +#endif /* TRUSTED_BOARD_BOOT */ #if MEASURED_BOOT /* 
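Review bot: With `verify_signature` and `verify_hash` now asserted only under TRUSTED_BOARD_BOOT, a MEASURED_BOOT-only build registers a descriptor whose verify pointers are NULL (the three-argument REGISTER_CRYPTO_LIB in crypto_mod.h leaves them zero-initialised), while the `crypto_mod_verify_signature()`/`crypto_mod_verify_hash()` wrappers in this file sit outside the hunk and, as far as the diff shows, are still compiled and call through the descriptor unguarded. Either wrap those wrappers in `#if TRUSTED_BOARD_BOOT` or add `assert(crypto_lib_desc.verify_signature != NULL);` (and the hash equivalent) at their entry so a stray call fails loudly instead of dereferencing a NULL function pointer. `auth_decrypt` is asserted in neither configuration; if that is deliberate because GCM support is optional, a one-line comment saying so would help.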
@@ -366,7 +368,7 @@ static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, /* * Register crypto library descriptor */ -#if MEASURED_BOOT +#if MEASURED_BOOT && TRUSTED_BOARD_BOOT #if TF_MBEDTLS_USE_AES_GCM REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash, auth_decrypt); @@ -374,11 +376,13 @@ REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash, REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash, NULL); #endif -#else /* MEASURED_BOOT */ +#elif TRUSTED_BOARD_BOOT #if TF_MBEDTLS_USE_AES_GCM REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, auth_decrypt); #else REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL); #endif -#endif /* MEASURED_BOOT */ +#elif MEASURED_BOOT +REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash); +#endif /* MEASURED_BOOT && TRUSTED_BOARD_BOOT */ diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h index d1fd52c86..94537f61a 100644 --- a/include/drivers/auth/auth_mod.h +++ b/include/drivers/auth/auth_mod.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -7,8 +7,6 @@ #ifndef AUTH_MOD_H #define AUTH_MOD_H -#if TRUSTED_BOARD_BOOT - #include #include #include @@ -46,7 +44,13 @@ typedef struct auth_img_desc_s { #endif /* COT_DESC_IN_DTB && !IMAGE_BL1 */ /* Public functions */ +#if TRUSTED_BOARD_BOOT void auth_mod_init(void); +#else +static inline void auth_mod_init(void) +{ +} +#endif /* TRUSTED_BOARD_BOOT */ int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id); int auth_mod_verify_img(unsigned int img_id, void *img_ptr, @@ -85,6 +89,4 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS]; #endif -#endif /* TRUSTED_BOARD_BOOT */ - #endif /* AUTH_MOD_H */ 
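Review bot: Only `auth_mod_init()` receives a non-TBB stub; `auth_mod_get_parent_id()` and `auth_mod_verify_img()` become visible unconditionally now that the file-wide `#if TRUSTED_BOARD_BOOT` is gone, but as far as the diff shows they are still defined only when auth_mod.c is built, so a caller in a non-TBB build fails at link time instead of at compile time. Keep those two prototypes under the same `#if TRUSTED_BOARD_BOOT` as the real `auth_mod_init()` declaration, or give them inline stubs if the intent is that they may be called. The header's remaining `#if`/`#endif` structure after this hunk is outside the visible lines.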
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h index cdcf50402..73b2b998c 100644 --- a/include/drivers/auth/crypto_mod.h +++ b/include/drivers/auth/crypto_mod.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -76,7 +76,14 @@ typedef struct crypto_lib_desc_s { } crypto_lib_desc_t; /* Public functions */ +#if CRYPTO_SUPPORT void crypto_mod_init(void); +#else +static inline void crypto_mod_init(void) +{ +} +#endif /* CRYPTO_SUPPORT */ + int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len, void *sig_ptr, unsigned int sig_len, void *sig_alg_ptr, unsigned int sig_alg_len, @@ -93,7 +100,9 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, unsigned int data_len, unsigned char output[CRYPTO_MD_MAX_SIZE]); +#endif /* MEASURED_BOOT */ +#if MEASURED_BOOT && TRUSTED_BOARD_BOOT /* Macro to register a cryptographic library */ #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \ _calc_hash, _auth_decrypt) \ @@ -105,7 +114,7 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, .calc_hash = _calc_hash, \ .auth_decrypt = _auth_decrypt \ } -#else +#elif TRUSTED_BOARD_BOOT #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \ _auth_decrypt) \ const crypto_lib_desc_t crypto_lib_desc = { \ 
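Review bot: `#if CRYPTO_SUPPORT` introduces a build symbol that nothing in this diff defines or documents; since `#if` on an undefined macro silently evaluates to 0, a build that forgets to set it gets the empty inline `crypto_mod_init()` (crypto_mod.c, if still compiled, would then likely clash with that inline definition, which is at least a loud failure). A comment above the guard stating who sets it would help, e.g. `/* CRYPTO_SUPPORT is set by the build system when TRUSTED_BOARD_BOOT or MEASURED_BOOT is enabled. */`, adjusted to what the Makefile actually does. Alternatively `#ifndef CRYPTO_SUPPORT` / `#error "CRYPTO_SUPPORT must be defined by the build"` makes the dependency explicit.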
@@ -115,7 +124,14 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, .verify_hash = _verify_hash, \ .auth_decrypt = _auth_decrypt \ } -#endif /* MEASURED_BOOT */ +#elif MEASURED_BOOT +#define REGISTER_CRYPTO_LIB(_name, _init, _calc_hash) \ + const crypto_lib_desc_t crypto_lib_desc = { \ + .name = _name, \ + .init = _init, \ + .calc_hash = _calc_hash, \ + } +#endif /* MEASURED_BOOT && TRUSTED_BOARD_BOOT */ extern const crypto_lib_desc_t crypto_lib_desc;
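Review bot: The three-argument `REGISTER_CRYPTO_LIB` ends its initializer with a trailing comma (`.calc_hash = _calc_hash, \`) whereas the two other variants end on `.auth_decrypt = _auth_decrypt \`; legal C, but inconsistent, so drop the comma. This variant also leaves `verify_signature`, `verify_hash` and `auth_decrypt` implicitly NULL while the corresponding `crypto_mod_*` prototypes earlier in the header stay visible, so a comment on the macro such as `/* Measured Boot only: verify/decrypt callbacks are left NULL and must not be called */` records that contract for the next reader. The runtime guard for those wrappers is raised separately on the crypto_mod.c hunk.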