Update the UdsCertChain comment to reflect the latest recommendation.
Bug: 331136391
Test: comment update only
Change-Id: I72f45c85d106d87fcd4c56d4c4fa86eb1af8f5a7
diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
index 3c43238..40cf685 100644
--- a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
@@ -62,9 +62,13 @@
SignerName = tstr
UdsCertChain = [
- 2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
- ; cert, "Leaf" contains UDS_Public. There may also be
- ; intermediate certificates between Root and Leaf.
+ + X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
+ ; cert, "Leaf" contains UDS_Public. It's recommended to
+ ; have at least 3 certificates in the chain.
+ ; The Root certificate is recommended to be generated in an air-gapped,
+ ; HSM-based secure environment. The intermediate signing keys may be
+ ; online, and should be rotated regularly (e.g. annually). Additionally,
+ ; the intermediate certificates may contain product family identifiers.
]
; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)