Remove description of RKP VM marker from Android profile docs
We hope to remove the RKP VM marker in the future, but if we
document it here, it will be difficult to remove. Favor documenting
this marker in the Android HAL docs so we can version it alongside
Android. This will allow us to remove it from the docs once it's no
longer needed by Android.
Change-Id: I6915efc152fbfac6f000b28c2ca22341727139c8
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/183159
Reviewed-by: Alan Stokes <alanstokes@google.com>
Reviewed-by: Andrew Scull <ascull@google.com>
Commit-Queue: Seth Moore <sethmo@google.com>
diff --git a/docs/android.md b/docs/android.md
index 11a8960..8c40f27 100644
--- a/docs/android.md
+++ b/docs/android.md
@@ -82,29 +82,10 @@
Component version | -70003 | int / tstr | Version of the component
Resettable | -70004 | null | If present, key changes on factory reset
Security version | -70005 | uint | Machine-comparable, monotonically increasing version of the component where a greater value indicates a newer version. This value must increment for every update that changes the code hash, for example by using the timestamp of the version's release.
-[RKP VM][rkp-vm] marker | -70006 | null | If present, the component can take part in running a VM that can receive an attestation certificate from an [RKP Service][rkp-service].
+[RKP VM][rkp-vm] marker | -70006 | null | See the [Android HAL documentation][rkp-hal-readme] for precise semantics, as they vary by Android version.
[rkp-vm]: https://android.googlesource.com/platform/packages/modules/Virtualization/+/main/service_vm/README.md#rkp-vm-remote-key-provisioning-virtual-machine
-[rkp-service]: https://source.android.com/docs/core/ota/modular-system/remote-key-provisioning#stack-architecture
-
-### RKP VM
-
-The RKP VM marker is used to distinguish the RKP VM from other components.
-
-When parsing a DICE chain compliant with this profile, there are multiple types
-of components that may be described by a given chain:
-1. RKP VM: If a DICE chain has zero or more certificates without the RKP VM
- marker followed by one or more certificates with the marker, then that chain
- describes an RKP VM. If there are further certificates without the RKP VM
- marker, then the chain does not describe an RKP VM.
-
- Implementations must include the first RPK VM marker as early as possible
- after the point of divergence between TEE and non-TEE components in the DICE
- chain, prior to loading the Android Bootloader (ABL).
-2. A TEE Component (e.g. KeyMint): If there are no certificates with the RKP VM
- marker then it describes a TEE component.
-3. Other: Any component described by a DICE chain that does not match the above
- two categories.
+[rkp-hal-readme]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md
### Versions
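Review bot: the replacement table row says the marker's semantics "vary by Android version", but the new `[rkp-hal-readme]` definition points at `+/main/security/rkp/README.md`, so a reader of a given Android release is sent to the latest README rather than the one matching their release; consider adding a short phrase to the row such as "for the Android release in use" or linking the release branch alongside `main`. Minor: the new link definition is placed directly above `### Versions` with no blank line between them (the removed text had one), so add a blank line after `[rkp-hal-readme]: ...` to keep the reference block visually separate from the heading. The removal of `[rkp-service]` is safe as far as this hunk shows, since its only use was the deleted row; worth a quick grep of the rest of `docs/android.md` to confirm no other `[rkp-service]` reference is left dangling.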