Merge "Document expectations of DICE mode"
diff --git a/security/rkp/README.md b/security/rkp/README.md
index 01c90a8..7477f80 100644
--- a/security/rkp/README.md
+++ b/security/rkp/README.md
@@ -291,6 +291,24 @@
of a DKCertChain in AdditionalDKSignatures (see
[CertificateRequest](#certificaterequest)).
+#### Mode
+
+The Open Profile for DICE specifies four possible modes with the most important
+mode being `normal`. A certificate must only set the mode to `normal` when all
+of the following conditions are met when loading and verifying the software
+component that is being described by the certificate:
+
+* verified boot with anti-rollback protection is enabled
+* only the verified boot authorities for production images are enabled
+* debug ports, fuses or other debug facilities are disabled
+* device booted software from the normal primary source e.g. internal flash
+
+If any of these conditions are not met then it is recommended to explicitly
+acknowledge this fact by using the `debug` mode. The mode should never be `not
+configured`.
+
+#### Configuration descriptor
+
The Open Profile for DICE allows for an arbitrary configuration descriptor. For
BCC entries, this configuration descriptor is a CBOR map with the following
optional fields. If no fields are relevant, an empty map should be encoded.