diff --git a/boot/bootutil/include/bootutil/enc_key_public.h b/boot/bootutil/include/bootutil/enc_key_public.h
index 6874cfbc8..0887c8579 100644
--- a/boot/bootutil/include/bootutil/enc_key_public.h
+++ b/boot/bootutil/include/bootutil/enc_key_public.h
@@ -59,6 +59,28 @@ extern "C" {
 #define BOOT_ENC_TLV_SIZE TLV_ENC_KW_SZ
 #endif
 
+#define EXPECTED_ENC_LEN        BOOT_ENC_TLV_SIZE
+
+#if defined(MCUBOOT_ENCRYPT_RSA)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_RSA2048
+#elif defined(MCUBOOT_ENCRYPT_KW)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_KW
+#elif defined(MCUBOOT_ENCRYPT_EC256)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_EC256
+#    define EC_PUBK_INDEX       (0)
+#    define EC_TAG_INDEX        (65)
+#    define EC_CIPHERKEY_INDEX  (65 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+        "Please fix ECIES-P256 component indexes");
+#elif defined(MCUBOOT_ENCRYPT_X25519)
+#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519
+#    define EC_PUBK_INDEX       (0)
+#    define EC_TAG_INDEX        (32)
+#    define EC_CIPHERKEY_INDEX  (32 + 32)
+_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
+        "Please fix ECIES-X25519 component indexes");
+#endif
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
index 8449a28dd..7bd38ccc6 100644
--- a/boot/bootutil/src/encrypted.c
+++ b/boot/bootutil/src/encrypted.c
@@ -383,28 +383,6 @@ boot_enc_set_key(struct enc_key_data *enc_state, uint8_t slot,
     return 0;
 }
 
-#define EXPECTED_ENC_LEN        BOOT_ENC_TLV_SIZE
-
-#if defined(MCUBOOT_ENCRYPT_RSA)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_RSA2048
-#elif defined(MCUBOOT_ENCRYPT_KW)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_KW
-#elif defined(MCUBOOT_ENCRYPT_EC256)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_EC256
-#    define EC_PUBK_INDEX       (0)
-#    define EC_TAG_INDEX        (65)
-#    define EC_CIPHERKEY_INDEX  (65 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
-        "Please fix ECIES-P256 component indexes");
-#elif defined(MCUBOOT_ENCRYPT_X25519)
-#    define EXPECTED_ENC_TLV    IMAGE_TLV_ENC_X25519
-#    define EC_PUBK_INDEX       (0)
-#    define EC_TAG_INDEX        (32)
-#    define EC_CIPHERKEY_INDEX  (32 + 32)
-_Static_assert(EC_CIPHERKEY_INDEX + BOOT_ENC_KEY_SIZE == EXPECTED_ENC_LEN,
-        "Please fix ECIES-X25519 component indexes");
-#endif
-
 #if ( (defined(MCUBOOT_ENCRYPT_RSA) && defined(MCUBOOT_USE_MBED_TLS) && !defined(MCUBOOT_USE_PSA_CRYPTO)) || \
       (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS)) )
 #if MBEDTLS_VERSION_NUMBER >= 0x03000000
diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index ec5d986df..7d0cddde1 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -358,20 +358,18 @@ bootutil_get_img_security_cnt(struct image_header *hdr,
  * TLV section.  All other TLV entries must be in the protected section.
  */
 static const uint16_t allowed_unprot_tlvs[] = {
-     IMAGE_TLV_KEYHASH,
-     IMAGE_TLV_PUBKEY,
-     IMAGE_TLV_SHA256,
-     IMAGE_TLV_SHA384,
-     IMAGE_TLV_SHA512,
-     IMAGE_TLV_RSA2048_PSS,
-     IMAGE_TLV_ECDSA224,
-     IMAGE_TLV_ECDSA_SIG,
-     IMAGE_TLV_RSA3072_PSS,
-     IMAGE_TLV_ED25519,
-     IMAGE_TLV_ENC_RSA2048,
-     IMAGE_TLV_ENC_KW,
-     IMAGE_TLV_ENC_EC256,
-     IMAGE_TLV_ENC_X25519,
+#ifdef EXPECTED_KEY_TLV
+     EXPECTED_KEY_TLV,
+#endif
+#ifdef EXPECTED_HASH_TLV
+     EXPECTED_HASH_TLV,
+#endif
+#ifdef EXPECTED_SIG_TLV
+     EXPECTED_SIG_TLV,
+#endif
+#ifdef EXPECTED_ENC_TLV
+     EXPECTED_ENC_TLV,
+#endif
      /* Mark end with ANY. */
      IMAGE_TLV_ANY,
 };