From 11794b30f9d10cd0288ec53d53021bbd52df40c9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Jun 2021 23:21:50 +0200 Subject: [PATCH] Hopefully clarify the example Signed-off-by: Gilles Peskine --- include/psa/crypto_values.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 98c25f164b..3c82f2ad70 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1901,10 +1901,11 @@ * They must be created through platform-specific means that bypass the API. * * Some platforms may offer ways to destroy read-only keys. For example, - * a platform with multiple levels of privilege may expose a key to an - * application without allowing that application to destroy the key, in - * which case it may show the key a view of the key metadata where the - * lifetime is read-only. + * consider a platform with multiple levels of privilege, where a + * low-privilege application can use a key but is not allowed to destroy + * it, and the platform exposes the key to the application with a read-only + * lifetime. High-privilege code can destroy the key even though the + * application sees the key as read-only. * * \param lifetime The lifetime value to query (value of type * ::psa_key_lifetime_t).