diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
index 5eaf67ff529..9a8accfc5ce 100644
--- a/core/arch/arm/kernel/boot.c
+++ b/core/arch/arm/kernel/boot.c
@@ -188,6 +188,29 @@ static void init_vfp_nsec(void)
 }
 #endif
 
+/*
+ * Check for supported Crypto Extensions (ARMv8 aarch32/aarch64)
+ * In case one of instructions is not supported false is returned.
+*/
+static bool check_cpuid_ce(void)
+{
+	uint32_t isar5 = read_isar5();
+
+	if (!(isar5 | ID_ISAR5_AES))
+		return false;
+
+	if (!(isar5 | ID_ISAR5_SHA1))
+		return false;
+
+	if (!(isar5 | ID_ISAR5_SHA2))
+		return false;
+
+	if (!(isar5 | ID_ISAR5_CRC32))
+		return false;
+
+	return true;
+}
+
 #if defined(CFG_WITH_VFP)
 
 #ifdef ARM32
@@ -1148,6 +1171,13 @@ static void init_primary(unsigned long pageable_part, unsigned long nsec_entry)
 	thread_set_exceptions(THREAD_EXCP_ALL);
 	primary_save_cntfrq();
 	init_vfp_sec();
+
+	if (IS_ENABLED(CFG_CRYPTO_WITH_CE) && !check_cpuid_ce()) {
+		EMSG("OP-TEE is built with CFG_CRYPTO_WITH_CE=y"
+			 ", but CE instructions are not supported by CPU\n");
+		panic();
+	}
+
 	/*
 	 * Pager: init_runtime() calls thread_kernel_enable_vfp() so we must
 	 * set a current thread right now to avoid a chicken-and-egg problem