From 9da6cf131900ed15a3b4f84810c3113a55e12123 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Fri, 12 May 2023 19:36:22 +0000 Subject: [PATCH] Remove recommentation of non-normal mode Only specify the requirements for `normal` DICE mode and allow vendors to choose the non-normal mode that fits their need per the ope-dice specification. Add a note that RKP required `normal` mode in the DICE chain in order to trust the device. Test: n/a Bug: 263144485 Change-Id: Iaaa3799c53234de61a51ebc855822b93ab3e5bb8 --- security/rkp/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/rkp/README.md b/security/rkp/README.md index 7477f803b3..ab767d6b46 100644 --- a/security/rkp/README.md +++ b/security/rkp/README.md @@ -303,9 +303,10 @@ component that is being described by the certificate: * debug ports, fuses or other debug facilities are disabled * device booted software from the normal primary source e.g. internal flash -If any of these conditions are not met then it is recommended to explicitly -acknowledge this fact by using the `debug` mode. The mode should never be `not -configured`. +The mode should never be `not configured`. + +Every certificate in the DICE chain will need to be have the `normal` mode in +order to be provisioned with production certificates by RKP. #### Configuration descriptor
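Review bot: the added sentence "Every certificate in the DICE chain will need to be have the `normal` mode" in the README hunk has a stray "be"; suggest "Every certificate in the DICE chain must have the `normal` mode in order to be provisioned with production certificates by RKP." Separately, with the `debug` recommendation deleted, the section now lists the conditions for `normal` but no longer says what an implementer should report when one of them is not met. The commit message says that choice is left to the vendor per the DICE specification, but the README text itself does not, so a reader of the file alone only learns that `not configured` is forbidden. Consider adding one sentence after "The mode should never be `not configured`." that states the non-normal mode is the vendor's choice under that specification, and that any non-`normal` certificate in the chain means the device will not receive production certificates from RKP.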