diff options
| author | Seth Moore <sethmo@google.com> | 2023-11-30 17:55:03 +0000 |
|---|---|---|
| committer | CQ Bot Account <pigweed-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-11-30 17:55:03 +0000 |
| commit | 11e2ffb04000b77904d540f903a09f2b2f12fffb (patch) | |
| tree | a76a59e934f5b849d9477a457dda53d6240f0977 | |
| parent | 1ce7fb54be6d084f26a1faf1c0a00629d7c4a520 (diff) | |
| download | open-dice-11e2ffb04000b77904d540f903a09f2b2f12fffb.tar.gz | |
Remove description of RKP VM marker from Android profile docs
We hope to remove the RKP VM marker in the future, but if we
document it here, it will be difficult to remove. Favor documenting this marker in the Android HAL docs so we can version it alongside of
Android. This will allow us to remove it from the docs once it's no
longer needed by Android.
Change-Id: I6915efc152fbfac6f000b28c2ca22341727139c8
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/183159
Reviewed-by: Alan Stokes <alanstokes@google.com>
Reviewed-by: Andrew Scull <ascull@google.com>
Commit-Queue: Seth Moore <sethmo@google.com>
| -rw-r--r-- | docs/android.md | 23 |
1 files changed, 2 insertions, 21 deletions
diff --git a/docs/android.md b/docs/android.md index 11a8960..8c40f27 100644 --- a/docs/android.md +++ b/docs/android.md @@ -82,29 +82,10 @@ Component name | -70002 | tstr | Name of the component Component version | -70003 | int / tstr | Version of the component Resettable | -70004 | null | If present, key changes on factory reset Security version | -70005 | uint | Machine-comparable, monotonically increasing version of the component where a greater value indicates a newer version. This value must increment for every update that changes the code hash, for example by using the timestamp of the version's release. -[RKP VM][rkp-vm] marker | -70006 | null | If present, the component can take part in running a VM that can receive an attestation certificate from an [RKP Service][rkp-service]. +[RKP VM][rkp-vm] marker | -70006 | null | See the [Android HAL documentation][rkp-hal-readme] for precise semantics, as they vary by Android version. [rkp-vm]: https://android.googlesource.com/platform/packages/modules/Virtualization/+/main/service_vm/README.md#rkp-vm-remote-key-provisioning-virtual-machine -[rkp-service]: https://source.android.com/docs/core/ota/modular-system/remote-key-provisioning#stack-architecture - -### RKP VM - -The RKP VM marker is used to distinguish the RKP VM from other components. - -When parsing a DICE chain compliant with this profile, there are multiple types -of components that may be described by a given chain: -1. RKP VM: If a DICE chain has zero or more certificates without the RKP VM - marker followed by one or more certificates with the marker, then that chain - describes an RKP VM. If there are further certificates without the RKP VM - marker, then the chain does not describe an RKP VM. - - Implementations must include the first RPK VM marker as early as possible - after the point of divergence between TEE and non-TEE components in the DICE - chain, prior to loading the Android Bootloader (ABL). -2. A TEE Component (e.g. KeyMint): If there are no certificates with the RKP VM - marker then it describes a TEE component. -3. Other: Any component described by a DICE chain that does not match the above - two categories. +[rkp-hal-readme]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md ### Versions |