diff --git a/security/rkp/README.md b/security/rkp/README.md index 01c90a8db1..7477f803b3 100644 --- a/security/rkp/README.md +++ b/security/rkp/README.md @@ -291,6 +291,24 @@ available on the device it should appear in the certificate request as the leaf of a DKCertChain in AdditionalDKSignatures (see [CertificateRequest](#certificaterequest)). +#### Mode + +The Open Profile for DICE specifies four possible modes with the most important +mode being `normal`. A certificate must only set the mode to `normal` when all +of the following conditions are met when loading and verifying the software +component that is being described by the certificate: + +* verified boot with anti-rollback protection is enabled +* only the verified boot authorities for production images are enabled +* debug ports, fuses or other debug facilities are disabled +* device booted software from the normal primary source e.g. internal flash + +If any of these conditions are not met then it is recommended to explicitly +acknowledge this fact by using the `debug` mode. The mode should never be `not +configured`. + +#### Configuration descriptor + The Open Profile for DICE allows for an arbitrary configuration descriptor. For BCC entries, this configuration descriptor is a CBOR map with the following optional fields. If no fields are relevant, an empty map should be encoded.
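Review bot: The new "Mode" section states that the Open Profile for DICE defines four modes but only names `normal`, `debug` and `not configured`; the fourth mode is never mentioned, so a reader cannot tell whether it is acceptable for a BCC entry or how a verifier should treat it. Suggest enumerating all four modes and stating the expectation for each (or at least pointing at the Open Profile for DICE definition), e.g. "The Open Profile for DICE specifies four possible modes (`normal`, `debug`, `recovery`, `not configured`) ...". Two smaller points in the same hunk: the condition clause "when loading and verifying the software component that is being described by the certificate" is ambiguous between the state of the loader and the state of the loaded component; "at the time the described component was loaded and verified" would remove that. And the section mixes normative strengths: "A certificate must only set the mode to `normal` ..." versus "it is recommended to explicitly acknowledge this fact by using the `debug` mode" and "The mode should never be `not configured`". If `not configured` is meant to be rejected, say "must never"; otherwise keep "should" and note what a verifier does with it.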