From af8124f4bd679d1abdbdca8d5234cc067372c2e1 Mon Sep 17 00:00:00 2001 From: Sukuna0007Abhi Date: Mon, 22 Sep 2025 00:43:14 +0530 Subject: [PATCH] feat: add PSA profile support to cocli for veraison/cocli#42 - Add PSA profile CoRIM template with URI tag:arm.com,2025:psa#1.0.0 - Create comprehensive PSA CoMID examples: * Reference values for PSA software components * Attestation verification keys (IAK) * Certification claims for PSA Certified SAC * Software relations for updates/patches - Update corim submit command to support new PSA profile media type - Add PSA profile examples to corim create help text - Include comprehensive test coverage for new PSA profile functionality - Add documentation and usage examples for PSA profile workflow This makes the PSA profile functionality from veraison/corim#215 available through the command line interface as requested. Resolves veraison/cocli#42 Signed-off-by: Sukuna0007Abhi --- cmd/corimCreate.go | 6 ++ cmd/corimSubmit.go | 12 +++- cmd/corimSubmit_test.go | 29 +++++++++ data/comid/psa/README.md | 59 ++++++++++++++++++ data/comid/psa/psa-attestation-key.json | 29 +++++++++ data/comid/psa/psa-certification-claims.json | 42 +++++++++++++ data/comid/psa/psa-reference-values.json | 57 +++++++++++++++++ data/comid/psa/psa-software-relations.json | 65 ++++++++++++++++++++ data/corim/templates/corim-psa.json | 17 +++++ 9 files changed, 313 insertions(+), 3 deletions(-) create mode 100644 data/comid/psa/README.md create mode 100644 data/comid/psa/psa-attestation-key.json create mode 100644 data/comid/psa/psa-certification-claims.json create mode 100644 data/comid/psa/psa-reference-values.json create mode 100644 data/comid/psa/psa-software-relations.json create mode 100644 data/corim/templates/corim-psa.json diff --git a/cmd/corimCreate.go b/cmd/corimCreate.go index bf23a40..17c50ff 100644 --- a/cmd/corimCreate.go +++ b/cmd/corimCreate.go @@ -52,6 +52,12 @@ func NewCorimCreateCmd() *cobra.Command { --coswid=dir/coswid2.cbor \ --cots=cots1.cbor --output=corim.cbor + + Create a PSA profile CoRIM using the new PSA profile template and PSA CoMIDs: + + cocli corim create --template=data/corim/templates/corim-psa.json \ + --comid-dir=data/comid/psa \ + --output=psa-corim.cbor `, RunE: func(cmd *cobra.Command, args []string) error { diff --git a/cmd/corimSubmit.go b/cmd/corimSubmit.go index 80c1bd3..60d357e 100644 --- a/cmd/corimSubmit.go +++ b/cmd/corimSubmit.go @@ -35,10 +35,16 @@ func NewCorimSubmitCmd(submitter ISubmitter) *cobra.Command { Short: "submit a CBOR-encoded CoRIM payload", Long: `submit a CBOR-encoded CoRIM payload with supplied media type to the given API Server - To submit the CBOR-encoded CoRIM from file "unsigned-corim.cbor" with media type - "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1" to the Veraison - provisioning API endpoint "https://veraison.example/endorsement-provisioning/v1", do: + To submit the CBOR-encoded CoRIM from file "unsigned-corim.cbor" with the new PSA profile + media type to the Veraison provisioning API endpoint + "https://veraison.example/endorsement-provisioning/v1", do: + cocli corim submit \ + --corim-file=unsigned-corim.cbor \ + --api-server="https://veraison.example/endorsement-provisioning/v1/submit" \ + --media-type="application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0" + + For legacy PSA profile support, use the old media type: cocli corim submit \ --corim-file=unsigned-corim.cbor \ diff --git a/cmd/corimSubmit_test.go b/cmd/corimSubmit_test.go index 2c5001e..2481795 100644 --- a/cmd/corimSubmit_test.go +++ b/cmd/corimSubmit_test.go @@ -172,3 +172,32 @@ func Test_CorimSubmitCmd_submit_not_ok(t *testing.T) { err = cmd.Execute() assert.EqualError(t, err, "submit CoRIM payload failed reason: run failed: unexpected HTTP response code 404") } + +func Test_CorimSubmitCmd_new_psa_profile_ok(t *testing.T) { + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + ms := mock_deps.NewMockISubmitter(ctrl) + cmd := NewCorimSubmitCmd(ms) + + args := []string{ + "--corim-file=corim.cbor", + "--api-server=http://veraison.example/endorsement-provisioning/v1/submit", + "--media-type=application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0", + } + cmd.SetArgs(args) + + fs = afero.NewMemMapFs() + err := afero.WriteFile(fs, "corim.cbor", testSignedCorimValid, 0644) + require.NoError(t, err) + + ms.EXPECT().SetAuth(gomock.Any()) + ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil) + ms.EXPECT().SetIsInsecure(false) + ms.EXPECT().SetCerts([]string{}) + ms.EXPECT().SetDeleteSession(true) + + ms.EXPECT().Run(testSignedCorimValid, "application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0").Return(nil) + err = cmd.Execute() + assert.NoError(t, err) +} diff --git a/data/comid/psa/README.md b/data/comid/psa/README.md new file mode 100644 index 0000000..86a9a45 --- /dev/null +++ b/data/comid/psa/README.md @@ -0,0 +1,59 @@ +# PSA Profile Support in CoRIM CLI + +This directory contains example templates and CoMID files for working with the new PSA profile according to draft-fdb-rats-psa-endorsements-08. + +## Profile URI + +The new PSA profile uses the URI: `tag:arm.com,2025:psa#1.0.0` + +## Example Files + +### CoRIM Template +- `corim-psa.json` - CoRIM template with the new PSA profile URI + +### CoMID Examples +- `psa-reference-values.json` - PSA software component reference values +- `psa-attestation-key.json` - PSA Initial Attestation Key (IAK) verification key +- `psa-certification-claims.json` - PSA Certified Security Assurance Certificate claims +- `psa-software-relations.json` - PSA software update/patch relationships + +## Usage Examples + +### Create a PSA CoRIM from JSON templates +```bash +# First convert JSON CoMIDs to CBOR format +cocli comid create --template=data/comid/psa/psa-reference-values.json --output=psa-ref-vals.cbor +cocli comid create --template=data/comid/psa/psa-attestation-key.json --output=psa-attest-key.cbor +cocli comid create --template=data/comid/psa/psa-certification-claims.json --output=psa-cert-claims.cbor +cocli comid create --template=data/comid/psa/psa-software-relations.json --output=psa-sw-rels.cbor + +# Create the PSA CoRIM +cocli corim create --template=data/corim/templates/corim-psa.json \ + --comid=psa-ref-vals.cbor \ + --comid=psa-attest-key.cbor \ + --comid=psa-cert-claims.cbor \ + --comid=psa-sw-rels.cbor \ + --output=psa-corim.cbor +``` + +### Submit PSA CoRIM to Veraison +```bash +cocli corim submit \ + --corim-file=psa-corim.cbor \ + --api-server="https://veraison.example/endorsement-provisioning/v1/submit" \ + --media-type="application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0" +``` + +### Display PSA CoRIM contents +```bash +cocli corim display --corim-file=psa-corim.cbor +``` + +## PSA Profile Features + +The new PSA profile supports: + +1. **Reference Values**: Measurements of PSA RoT firmware components +2. **Attestation Verification Keys**: Public keys for verifying PSA attestation tokens +3. **Certification Claims**: Links to PSA Certified Security Assurance Certificates +4. **Software Relations**: Modeling of software updates and patches with security criticality flags diff --git a/data/comid/psa/psa-attestation-key.json b/data/comid/psa/psa-attestation-key.json new file mode 100644 index 0000000..46599a2 --- /dev/null +++ b/data/comid/psa/psa-attestation-key.json @@ -0,0 +1,29 @@ +{ + "tag-identity": { + "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773e" + }, + "triples": { + "attest-key-triples": [ + [ + { + "class": { + "class-id": { + "$class": "tagged-bytes", + "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" + } + }, + "instance": { + "$class": "tagged-ueid", + "ueid": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW" + } + }, + [ + { + "$class": "tagged-pkix-base64-key", + "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==" + } + ] + ] + ] + } +} diff --git a/data/comid/psa/psa-certification-claims.json b/data/comid/psa/psa-certification-claims.json new file mode 100644 index 0000000..7569e25 --- /dev/null +++ b/data/comid/psa/psa-certification-claims.json @@ -0,0 +1,42 @@ +{ + "tag-identity": { + "tag-id": "urn:uuid:dbb0508a-c658-421c-99c9-04124bab59ca" + }, + "triples": { + "conditional-endorsement-triples": [ + [ + [ + { + "class": { + "class-id": { + "$class": "tagged-bytes", + "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" + } + } + }, + { + "mkey": "psa.software-component", + "mval": { + "digests": [ + { + "alg": "sha-256", + "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM=" + } + ], + "name": "PRoT", + "cryptokeys": [ + { + "$class": "tagged-bytes", + "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ=" + } + ] + } + } + ], + { + "psa-cert-num": "1234567890123 - 12345" + } + ] + ] + } +} diff --git a/data/comid/psa/psa-reference-values.json b/data/comid/psa/psa-reference-values.json new file mode 100644 index 0000000..9ef2110 --- /dev/null +++ b/data/comid/psa/psa-reference-values.json @@ -0,0 +1,57 @@ +{ + "tag-identity": { + "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773f" + }, + "triples": { + "reference-triples": [ + [ + { + "class": { + "class-id": { + "$class": "tagged-bytes", + "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" + } + } + }, + [ + { + "mkey": "psa.software-component", + "mval": { + "digests": [ + { + "alg": "sha-256", + "val": "mjcfKpFrC27mzsstJvCzIG7wdFeL5V2byU9vP+OrhqoA" + } + ], + "name": "BL", + "cryptokeys": [ + { + "$class": "tagged-bytes", + "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqM=" + } + ] + } + }, + { + "mkey": "psa.software-component", + "mval": { + "digests": [ + { + "alg": "sha-256", + "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM=" + } + ], + "name": "PRoT", + "cryptokeys": [ + { + "$class": "tagged-bytes", + "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ=" + } + ] + } + } + ] + ] + ] + } +} diff --git a/data/comid/psa/psa-software-relations.json b/data/comid/psa/psa-software-relations.json new file mode 100644 index 0000000..f645dba --- /dev/null +++ b/data/comid/psa/psa-software-relations.json @@ -0,0 +1,65 @@ +{ + "tag-identity": { + "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773d" + }, + "triples": { + "psa-swrel-triples": [ + [ + { + "class": { + "class-id": { + "$class": "tagged-bytes", + "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" + } + } + }, + { + "new": { + "mval": { + "version": { + "version": "1.3.0" + }, + "digests": [ + { + "alg": "sha-256", + "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM=" + } + ], + "name": "PRoT", + "cryptokeys": [ + { + "$class": "tagged-bytes", + "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ=" + } + ] + } + }, + "rel": { + "type": 1, + "security-critical": true + }, + "old": { + "mval": { + "version": { + "version": "1.2.5" + }, + "digests": [ + { + "alg": "sha-256", + "val": "U8I05ehHK2rFHBrhyr/+Bv2tBT646P/Yl3sBBlW/3cM=" + } + ], + "name": "PRoT", + "cryptokeys": [ + { + "$class": "tagged-bytes", + "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ=" + } + ] + } + } + } + ] + ] + } +} diff --git a/data/corim/templates/corim-psa.json b/data/corim/templates/corim-psa.json new file mode 100644 index 0000000..adb8e52 --- /dev/null +++ b/data/corim/templates/corim-psa.json @@ -0,0 +1,17 @@ +{ + "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfd", + "profile": "tag:arm.com,2025:psa#1.0.0", + "validity": { + "not-before": "2025-01-01T00:00:00Z", + "not-after": "2026-12-31T23:59:59Z" + }, + "entities": [ + { + "name": "ACME PSA Device Manufacturer", + "regid": "acme.example", + "roles": [ + "manifestCreator" + ] + } + ] +}