From b450714667ab71ff23c6cee909fe06a9b468fae5 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Tue, 9 May 2023 18:29:23 +0000 Subject: [PATCH] Document expectations of DICE mode The Open Profile for DICE gives possible guidelines on the requirements for the DICE mode but Android needs those to be strictly specified. Fix: 263144485 Test: n/a (cherry picked from https://android-review.googlesource.com/q/commit:ed74a681ebf859f2652a4bbbd669f6000243aee9) Merged-In: Ia5fc937654504199cabf4709f1c15484242e0161 Change-Id: Ia5fc937654504199cabf4709f1c15484242e0161 --- security/rkp/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/security/rkp/README.md b/security/rkp/README.md index 01c90a8db1..7477f803b3 100644 --- a/security/rkp/README.md +++ b/security/rkp/README.md 
@@ -291,6 +291,24 @@ available on the device it should appear in the certificate request as the leaf of a DKCertChain in AdditionalDKSignatures (see [CertificateRequest](#certificaterequest)). +#### Mode + +The Open Profile for DICE specifies four possible modes with the most important +mode being `normal`. A certificate must only set the mode to `normal` when all +of the following conditions are met when loading and verifying the software +component that is being described by the certificate: + +* verified boot with anti-rollback protection is enabled +* only the verified boot authorities for production images are enabled +* debug ports, fuses or other debug facilities are disabled +* device booted software from the normal primary source e.g. internal flash + +If any of these conditions are not met then it is recommended to explicitly +acknowledge this fact by using the `debug` mode. The mode should never be `not +configured`. + +#### Configuration descriptor + The Open Profile for DICE allows for an arbitrary configuration descriptor. For BCC entries, this configuration descriptor is a CBOR map with the following optional fields. If no fields are relevant, an empty map should be encoded.
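Review bot: The normative strength in the new "Mode" section is weaker than the commit message's stated goal of strict specification: the conditions for `normal` use "must", but the fallback only says it "is recommended" to use `debug` and that the mode "should never be `not configured`". If Android requires this strictly, make both requirements mandatory (e.g. "If any of these conditions are not met, the mode must be `debug`." and "The mode must never be `not configured`."), otherwise a verifier has no stated basis for rejecting a certificate that leaves the mode unset. Second, the paragraph says the profile specifies four modes but only addresses `normal`, `debug` and `not configured`; a sentence stating when, if ever, the fourth mode is acceptable would close that gap. Minor: the last bullet reads more clearly as "the device booted software from its normal primary source, e.g. internal flash".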