Update DeviceKey document after root of trust refactoring.

tymoteuszblochmobica · tymoteuszblochmobica · commit a6ad065caeb5 · 2020-02-25T11:58:44.000+01:00
diff --git a/docs/api/security/Devicekey.md b/docs/api/security/Devicekey.md
@@ -19,17 +19,51 @@ The characteristics required by this root of trust are:
 
 The DeviceKey feature keeps the root of trust key in internal storage, using the KVStore component. Internal storage provides protection from external physical attacks to the device.
 
-The root of trust is generated at the first use of DeviceKey if the true random number generator is available in the device. If no true random number generator is available, you must pass the injected root of trust key to the DeviceKey before you call the key derivation API.
+The root of trust must be created before its first use. Otherwise key  derivation API  will fail.
 
 ## Key derivation API
 
 `generate_derived_key`: This API generates a new key based on an array of data ([salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) the caller provides. A single salt value always generates the same key, so if you need a new key, you must use a new salt value. The salt can have any value - array, string and so on.
 
 The generated keys can be 128 or 256 bits in length.
 
-### Root of Trust Injection API
+### Root of Trust generation API
 
-`device_inject_root_of_trust`: You must call this API once in the lifecycle of the device, before any call to key derivation, if the device does not support true random number generator (`DEVICE_TRNG` is not defined).
+DeviceKey class needs ROT ready to use  before derivation API first call. There are two options to achieve it:
+
+
+- Create device key using built-in random number generator 
+
+- Manually fill device key data array 
+
+Both cases requires injecting this key data to kvstore  reserved area.  
+
+The first way is used when device supports random number generator -  ` DEVICE_TRNG` is defined.
+Then  `generate_root_of_trust` must be called only once.
+
+```c++
+int status = DeviceKey::get_instance().generate_root_of_trust();
+if(status == DEVICEKEY_SUCCESS) {
+    //success
+} else {
+   //error
+}
+```
+
+If `DEVICE_TRNG` is not defined  then key buffer must be filled manually and followed by `device_inject_root_of_trust` call. The example below shows an injection of a dummy key.  
+
+```c++
+uint32_t key[DEVICE_KEY_32BYTE / sizeof(uint32_t)];
+memcpy(key, "12345678123456781234567812345678", DEVICE_KEY_32BYTE);
+int size = DEVICE_KEY_32BYTE;
+
+int status = DeviceKey::get_instance().device_inject_root_of_trust(key, size);
+if(status == DEVICEKEY_SUCCESS) {
+    //success
+} else {
+    //error
+}
+``` 
 
 ### Using DeviceKey
 
