Diffstat (limited to 'chip')
-rw-r--r--chip/g/dcrypto/dcrypto.h7
-rw-r--r--chip/g/dcrypto/key_ladder.c29
2 files changed, 36 insertions, 0 deletions
diff --git a/chip/g/dcrypto/dcrypto.h b/chip/g/dcrypto/dcrypto.h
index f51907f767..848373dbcb 100644
--- a/chip/g/dcrypto/dcrypto.h
+++ b/chip/g/dcrypto/dcrypto.h
@@ -304,6 +304,13 @@ struct APPKEY_CTX {
int DCRYPTO_ladder_compute_frk2(size_t major_fw_version, uint8_t *frk2);
int DCRYPTO_ladder_random(void *output);
+void DCRYPTO_ladder_revoke(void);
+/*
+ * Query whether Key Ladder is enabled.
+ *
+ * @return 1 if Key Ladder is enabled, and 0 otherwise.
+ */
+int DCRYPTO_ladder_is_enabled(void);
int DCRYPTO_appkey_init(enum dcrypto_appid id, struct APPKEY_CTX *ctx);
void DCRYPTO_appkey_finish(struct APPKEY_CTX *ctx);
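Review bot: DCRYPTO_ladder_revoke() is declared without a comment, while the query function directly below it gets one, and revoke is the call with the security-relevant side effects. A header comment such as `/* Revoke the key ladder certificates and stop the AES/SHA engines from using hidden keys. */` would tell callers what state they are left in. It should also say whether the revocation can be undone before the next reset, which the visible code does not show.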
diff --git a/chip/g/dcrypto/key_ladder.c b/chip/g/dcrypto/key_ladder.c
index 913a667417..7aca0ad2b3 100644
--- a/chip/g/dcrypto/key_ladder.c
+++ b/chip/g/dcrypto/key_ladder.c
@@ -287,3 +287,32 @@ int dcrypto_ladder_derive(enum dcrypto_appid appid, const uint32_t salt[8],
dcrypto_release_sha_hw();
return !error;
}
+
+void DCRYPTO_ladder_revoke(void)
+{
+ /* Revoke certificates */
+ GWRITE(KEYMGR, CERT_REVOKE_CTRL0, 0xffffffff);
+ GWRITE(KEYMGR, CERT_REVOKE_CTRL1, 0xffffffff);
+
+ /* Wipe out the hidden keys cached in AES and SHA engines. */
+ GWRITE_FIELD(KEYMGR, AES_USE_HIDDEN_KEY, ENABLE, 0);
+ GWRITE_FIELD(KEYMGR, SHA_USE_HIDDEN_KEY, ENABLE, 0);
+
+ /* Clear usr_ready[] */
+ memset(usr_ready, 0, sizeof(usr_ready));
+}
+
+#define KEYMGR_CERT_REVOKE_CTRL0_DEFAULT_VAL 0xa8028a82
+#define KEYMGR_CERT_REVOKE_CTRL1_DEFAULT_VAL 0xaaaaaaaa
+
+int DCRYPTO_ladder_is_enabled(void)
+{
+ uint32_t ctrl0;
+ uint32_t ctrl1;
+
+ ctrl0 = GREAD(KEYMGR, CERT_REVOKE_CTRL0);
+ ctrl1 = GREAD(KEYMGR, CERT_REVOKE_CTRL1);
+
+ return ctrl0 == KEYMGR_CERT_REVOKE_CTRL0_DEFAULT_VAL &&
+ ctrl1 == KEYMGR_CERT_REVOKE_CTRL1_DEFAULT_VAL;
+}
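Review bot: The comment `/* Wipe out the hidden keys cached in AES and SHA engines. */` in DCRYPTO_ladder_revoke() claims more than the two writes below it visibly do: they clear the ENABLE field of AES_USE_HIDDEN_KEY and SHA_USE_HIDDEN_KEY, which stops hidden-key use but is not shown to erase key material already loaded. Unless the hardware is documented to clear the cached key on that write, reword it to `/* Stop the AES and SHA engines from using the hidden keys. */` so that nobody relies on a wipe that may not happen. Separately, the two `_DEFAULT_VAL` constants deserve a comment naming their origin (presumably the reset values of the revoke registers), since DCRYPTO_ladder_is_enabled() returns 0 for any other register value, not only after a full revoke. The leading context lines belong to dcrypto_ladder_derive(), whose body starts outside the hunk.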