Remove recommentation of non-normal mode Only specify the requirements for `normal` DICE mode and allow vendors to choose the non-normal mode that fits their need per the ope-dice specification. Add a note that RKP required `normal` mode in the DICE chain in order to trust the device. Test: n/a Bug: 263144485 Change-Id: Iaaa3799c53234de61a51ebc855822b93ab3e5bb8

commit: 9da6cf131900ed15a3b4f84810c3113a55e12123 [log] [tgz]
author: Andrew Scull <ascull@google.com> Fri May 12 19:36:22 2023 +0000
committer: Andrew Scull <ascull@google.com> Fri May 12 19:36:22 2023 +0000
tree: 5251d9616c64b8656af368b0f3697211748bdb00
parent: ed74a681ebf859f2652a4bbbd669f6000243aee9 [diff]
diff --git a/security/rkp/README.md b/security/rkp/README.md
index 7477f80..ab767d6 100644
--- a/security/rkp/README.md
+++ b/security/rkp/README.md

@@ -303,9 +303,10 @@
 *   debug ports, fuses or other debug facilities are disabled
 *   device booted software from the normal primary source e.g. internal flash
 
-If any of these conditions are not met then it is recommended to explicitly
-acknowledge this fact by using the `debug` mode. The mode should never be `not
-configured`.
+The mode should never be `not configured`.
+
+Every certificate in the DICE chain will need to be have the `normal` mode in
+order to be provisioned with production certificates by RKP.
 
 #### Configuration descriptor
commit	9da6cf131900ed15a3b4f84810c3113a55e12123	[log] [tgz]
author	Andrew Scull <ascull@google.com>	Fri May 12 19:36:22 2023 +0000
committer	Andrew Scull <ascull@google.com>	Fri May 12 19:36:22 2023 +0000
tree	5251d9616c64b8656af368b0f3697211748bdb00
parent	ed74a681ebf859f2652a4bbbd669f6000243aee9 [diff]