diff --git a/include/interface/hwcrypto/hwcrypto.h b/include/interface/hwcrypto/hwcrypto.h
index 270c579..4579d8c 100644
--- a/include/interface/hwcrypto/hwcrypto.h
+++ b/include/interface/hwcrypto/hwcrypto.h
@@ -39,6 +39,7 @@ enum hwcrypto_command {
     HWCRYPTO_HASH            = (1 << HWCRYPTO_REQ_SHIFT),
     HWCRYPTO_ENCAP_BLOB      = (2 << HWCRYPTO_REQ_SHIFT),
     HWCRYPTO_GEN_RNG         = (3 << HWCRYPTO_REQ_SHIFT),
+    HWCRYPTO_GEN_BKEK        = (4 << HWCRYPTO_REQ_SHIFT),
 };
 
 /**
@@ -105,4 +106,13 @@ typedef struct hwcrypto_rng_msg {
     uint32_t buf;
     uint32_t len;
 }hwcrypto_rng_msg;
+
+/**
+ * @buf:  physical start address of the output bkek buf.
+ * @len:  size of required rng.
+ */
+typedef struct hwcrypto_bkek_msg {
+    uint32_t buf;
+    uint32_t len;
+}hwcrypto_bkek_msg;
 #endif /* TRUSTY_INTERFACE_HWCRYPTO_H_ */
diff --git a/include/trusty/hwcrypto.h b/include/trusty/hwcrypto.h
index 9a510a8..d6837d6 100644
--- a/include/trusty/hwcrypto.h
+++ b/include/trusty/hwcrypto.h
@@ -74,4 +74,12 @@ int hwcrypto_gen_blob(uint32_t plain_pa,
  * @len: size of required rng.
  * */
 int hwcrypto_gen_rng(uint32_t buf, uint32_t len);
+
+/* Send request to secure side to generate bkek with caam.
+ * Returns one of trusty_err.
+ *
+ * @buf: physical start address of the output rng buf.
+ * @len: size of required rng.
+ * */
+int hwcrypto_gen_bkek(uint32_t buf, uint32_t len);
 #endif /* TRUSTY_HWCRYPTO_H_ */
diff --git a/lib/trusty/ql-tipc/hwcrypto.c b/lib/trusty/ql-tipc/hwcrypto.c
index ccaf18b..50532b0 100644
--- a/lib/trusty/ql-tipc/hwcrypto.c
+++ b/lib/trusty/ql-tipc/hwcrypto.c
@@ -240,3 +240,25 @@ int hwcrypto_gen_rng(uint32_t buf, uint32_t len)
                               sizeof(req), NULL, 0, false);
     return rc;
 }
+
+int hwcrypto_gen_bkek(uint32_t buf, uint32_t len)
+{
+    hwcrypto_bkek_msg req;
+    unsigned long start, end;
+
+    /* check the address */
+    if (buf == 0)
+        return TRUSTY_ERR_INVALID_ARGS;
+    /* fill the request buffer */
+    req.buf = buf;
+    req.len = len;
+
+    /* invalidate dcache for output buffer */
+    start = (unsigned long)buf & ~(ARCH_DMA_MINALIGN - 1);
+    end   = ALIGN((unsigned long)buf + len, ARCH_DMA_MINALIGN);
+    invalidate_dcache_range(start, end);
+
+    int rc = hwcrypto_do_tipc(HWCRYPTO_GEN_BKEK, (void*)&req,
+                              sizeof(req), NULL, 0, false);
+    return rc;
+}