diff --git a/docs/architecture/psa-migration/tasks-g1.md b/docs/architecture/psa-migration/tasks-g1.md index 599a11d3d..d906bf9ea 100644 --- a/docs/architecture/psa-migration/tasks-g1.md +++ b/docs/architecture/psa-migration/tasks-g1.md 
@@ -14,54 +14,31 @@ Hashes ### Use `psa_hash` in all of X.509 -Conditionally on `MBEDTLS_USE_PSA_CRYPTO`, replace all remaining calls to -`mbedtls_md()` or `mbedtls_sha1_ret()` by calls `psa_hash` functions, namely: -- replace `mbedtls_md()` in `x509_crt_verifycrl()` in `x509_crt.c` -- replace `mbedtls_md()` in `mbedtls_x509write_crt_der()` in `x509write_crt.c` -- replace `mbedtls_sha1_ret() in - `mbedtls_x509write_crt_set_subject_key_identifier()` in `x509write_crt.c` -- replace `mbedtls_sha1_ret() in - `mbedtls_x509write_crt_set_authority_key_identifier()` in `x509write_crt.c` -- already done in `x509_crt_check_signature()` in `x509_crt.c`, but might - want to replace multi-part with single-part. -- already done in `mbedtls_x509write_csr_der_internal()` in - `x509write_csr.c`, but might want to replace multi-part with single-part. +https://github.com/ARMmbed/mbedtls/issues/5157 HMAC ---- ### Variable-time HMAC in TLS record protection -- This is about the calls to `mbedtls_md_hmac_xxx()` in -`mbedtls_ssl_decrypt_buf()` and `mbedtls_ssl_encrypt_buf()`, but excludes the -call in `mbedtls_ssl_cf_hmad()` (which it its own task). -- Might need to change the `transform` structure to hold a PSA context instead - of an MD context. Note: might keep the MD context in parallel until the -constant-time part is done as well. - -TODO: study this better so it can be estimated. +https://github.com/ARMmbed/mbedtls/issues/5177 ### Constant-time HMAC in TLS record protection -This is `mbedtls_ssl_cf_hmac()`. The PSA code might look a bit different as -we'll probably need to store the HMAC key somewhere and compute the ipad/opad -explicitly instead of using (the internals of) the MD layers for that. +https://github.com/ARMmbed/mbedtls/issues/5178 -TODO: study this better so it can be estimated. 
Ciphers ------- ### Use PSA for all cipher operations in TLS -- extend existing `mbedtls_cipher_setup_psa()` and related code to support - other ciphers than AES that can be used in TLS: ARIA (depends on #4959), -Camellia, ChachaPoly. -- extend unit-testing in `test_suite_cipher` to test those new ciphers as - AES-based cipher are already tested -- remove the fallback mechanism in all places where `cipher_setup_psa()` is - called from TLS code -- expand use of `run_test_psa()` in `ssl-opt.sh` +https://github.com/ARMmbed/mbedtls/issues/5181 +https://github.com/ARMmbed/mbedtls/issues/5182 +https://github.com/ARMmbed/mbedtls/issues/5203 +https://github.com/ARMmbed/mbedtls/issues/5204 +https://github.com/ARMmbed/mbedtls/issues/5205 +https://github.com/ARMmbed/mbedtls/issues/5206 Asymmetric crypto ================= 
@@ -71,82 +48,67 @@ ECDSA ### Make `mbedtls_pk_sign()` use PSA for ECDSA operations -- This is already done with `PK_OPAQUE` contexts, but this task is about doing -it for regulard `ECKEY`/`ECDSA` contexts. -- May share some code (transcoding) with the exist support for `PK_OPAQUE` - contexts +https://github.com/ARMmbed/mbedtls/issues/5274 RSA signature (and verification) -------------------------------- ### Make `mbedtls_pk_sign()` use PSA for RSA operations -- with regular `PK_RSA` context -- only PKCS#1 v1.5 for this task -- similar to what's done for ECDSA, except no need for transcoding (I think) +https://github.com/ARMmbed/mbedtls/issues/5162 ### Make `mbedtls_pk_verify()` use PSA for RSA operations -- with regular `PK_RSA` context -- only PKCS#1 v1.5 for this task -- similar to what's done for ECDSA, except no need for transcoding (I think) +https://github.com/ARMmbed/mbedtls/issues/5159 ### Make `mbedtls_pk_verify_ext()` use PSA for RSA operations -- with regular `PK_RSA` context -- this is for RSA-PSS -- similar to what's done for ECDSA, except no need for transcoding (I think) -- acceptable to enforce that all hashes are equal in the parameters (as - imposed by the PSA API) and reject the signature otherwise -- then need to check if all X.509 tests still pass, and if some don't, make - them depend on `!MBEDTLS_USE_PSA_CRYPTO` - -RISK: see `psa-limitations.md` +https://github.com/ARMmbed/mbedtls/issues/5333 (partial) +https://github.com/ARMmbed/mbedtls/issues/5277 (futher) RSA en/decryption ----------------- ### Make `mbedtls_pk_encrypt()` use PSA for RSA operations -- with regular `PK_RSA` context + +https://github.com/ARMmbed/mbedtls/issues/5161 ### Make `mbedtls_pk_decrypt()` use PSA for RSA operations -- with regular `PK_RSA` context +https://github.com/ARMmbed/mbedtls/issues/5160 ECDH ---- +Additional: +https://github.com/ARMmbed/mbedtls/issues/5291 (pre clean-up) +https://github.com/ARMmbed/mbedtls/issues/5321 (TLS 1.3) 
+https://github.com/ARMmbed/mbedtls/issues/5322 (post clean-up) + ### Write remaining utilities for ECDH parsing/writing -- PSA only provides an API for the operation, need to parse and write - parameters and public keys to/from grp ID + string of bytes -- need to complete what was done in 4a.1 -- testing: positive: extract known-good inputs/outputs from actual handshakes? -- testing: negative: manipulate known-good input to make it invalid - -Note: future task in this section depend on this one, but not on each other. +(not a task on its own, part of other tasks) ### Use PSA for ECDHE in ECDHE-ECDSA and ECDHE-RSA server-side -- may need to separate branches from other ECDHE-based key exchanges -- only server-side (client-side is already done, can be used for inspiration) +https://github.com/ARMmbed/mbedtls/issues/5317 ### Use PSA for ECDH in ECDHE-PSK (all sides and versions) -- only with non-opaque PSK (support for opaque PSK here is part of G2) +https://github.com/ARMmbed/mbedtls/issues/5318 ### Use PSA for ECDH in static-ECDH key exchanges -- may require additional utility functions to load from cert to PSA +https://github.com/ARMmbed/mbedtls/issues/5319 +https://github.com/ARMmbed/mbedtls/issues/5320 FFDH ---- -This may be hard, see `psa-limitations.md` +https://github.com/ARMmbed/mbedtls/issues/5287 EC J-PAKE --------- -Use PSA for all EC J-PAKE operations in TLS (both sides). -(TODO: consider how this could be split.) +https://github.com/ARMmbed/mbedtls/issues/5275
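Review bot: In the first hunk (`@@ -14,54 +14,31 @@`), the two "already done ... but might want to replace multi-part with single-part" items under "Use `psa_hash` in all of X.509" are deleted without any replacement, so that follow-up idea disappears from the document unless issue 5157 explicitly tracks it; either confirm that it does or keep a one-line mention next to the link. In the same hunk, the Ciphers section is reduced to six bare URLs (`+https://github.com/ARMmbed/mbedtls/issues/5181` through `/5206`) with no hint of which of the four former bullets (non-AES ciphers, `test_suite_cipher` coverage, fallback removal, `run_test_psa()` in `ssl-opt.sh`) each issue covers; the later ECDH section in this patch annotates each link with a short parenthetical, and doing the same here would keep the page readable without opening every issue.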
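Review bot: In the second hunk (`@@ -71,82 +48,67 @@`), the line `+https://github.com/ARMmbed/mbedtls/issues/5277 (futher)` has a typo; it should read "(further)". The same hunk drops both pointers to `psa-limitations.md` ("RISK: see `psa-limitations.md`" under `mbedtls_pk_verify_ext()`, and "This may be hard, see `psa-limitations.md`" under FFDH); since those flag a known API limitation that affects whether the task can be completed as written, keep the pointer beside the issue link rather than relying on the issue to restate it. Minor: the `mbedtls_pk_encrypt()` section gains a blank `+` line before `+https://github.com/ARMmbed/mbedtls/issues/5161`, while the sibling sections place the link directly after the heading; make the spacing consistent.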