veraison · Sukuna0007Abhi · Sep 21, 2025
diff --git a/cmd/corimCreate.go b/cmd/corimCreate.go
@@ -52,6 +52,12 @@ func NewCorimCreateCmd() *cobra.Command {
 	                   --coswid=dir/coswid2.cbor \
 					   --cots=cots1.cbor
 	                   --output=corim.cbor
+
+	Create a PSA profile CoRIM using the new PSA profile template and PSA CoMIDs:
+
+	  cocli corim create --template=data/corim/templates/corim-psa.json \
+	                   --comid-dir=data/comid/psa \
+	                   --output=psa-corim.cbor
 	`,
 
 		RunE: func(cmd *cobra.Command, args []string) error {

diff --git a/cmd/corimSubmit.go b/cmd/corimSubmit.go
@@ -35,10 +35,16 @@ func NewCorimSubmitCmd(submitter ISubmitter) *cobra.Command {
 		Short: "submit a CBOR-encoded CoRIM payload",
 		Long: `submit a CBOR-encoded CoRIM payload with supplied media type to the given API Server
 
-	To submit the CBOR-encoded CoRIM from file "unsigned-corim.cbor" with media type
-	"application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1" to the Veraison
-	provisioning API endpoint "https://veraison.example/endorsement-provisioning/v1", do:
+	To submit the CBOR-encoded CoRIM from file "unsigned-corim.cbor" with the new PSA profile
+	media type to the Veraison provisioning API endpoint 
+	"https://veraison.example/endorsement-provisioning/v1", do:
 
+	cocli corim submit \
+			--corim-file=unsigned-corim.cbor \
+			--api-server="https://veraison.example/endorsement-provisioning/v1/submit" \
+			--media-type="application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0"
+
+	For legacy PSA profile support, use the old media type:
 
 	cocli corim submit \
 			--corim-file=unsigned-corim.cbor \

diff --git a/cmd/corimSubmit_test.go b/cmd/corimSubmit_test.go
@@ -172,3 +172,32 @@ func Test_CorimSubmitCmd_submit_not_ok(t *testing.T) {
 	err = cmd.Execute()
 	assert.EqualError(t, err, "submit CoRIM payload failed reason: run failed: unexpected HTTP response code 404")
 }
+
+func Test_CorimSubmitCmd_new_psa_profile_ok(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ms := mock_deps.NewMockISubmitter(ctrl)
+	cmd := NewCorimSubmitCmd(ms)
+
+	args := []string{
+		"--corim-file=corim.cbor",
+		"--api-server=http://veraison.example/endorsement-provisioning/v1/submit",
+		"--media-type=application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0",
+	}
+	cmd.SetArgs(args)
+
+	fs = afero.NewMemMapFs()
+	err := afero.WriteFile(fs, "corim.cbor", testSignedCorimValid, 0644)
+	require.NoError(t, err)
+
+	ms.EXPECT().SetAuth(gomock.Any())
+	ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+	ms.EXPECT().SetIsInsecure(false)
+	ms.EXPECT().SetCerts([]string{})
+	ms.EXPECT().SetDeleteSession(true)
+
+	ms.EXPECT().Run(testSignedCorimValid, "application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0").Return(nil)
+	err = cmd.Execute()
+	assert.NoError(t, err)
+}
diff --git a/data/comid/psa/README.md b/data/comid/psa/README.md
@@ -0,0 +1,59 @@
+# PSA Profile Support in CoRIM CLI
+
+This directory contains example templates and CoMID files for working with the new PSA profile according to draft-fdb-rats-psa-endorsements-08.
+
+## Profile URI
+
+The new PSA profile uses the URI: `tag:arm.com,2025:psa#1.0.0`
+
+## Example Files
+
+### CoRIM Template
+- `corim-psa.json` - CoRIM template with the new PSA profile URI
+
+### CoMID Examples
+- `psa-reference-values.json` - PSA software component reference values
+- `psa-attestation-key.json` - PSA Initial Attestation Key (IAK) verification key
+- `psa-certification-claims.json` - PSA Certified Security Assurance Certificate claims
+- `psa-software-relations.json` - PSA software update/patch relationships
+
+## Usage Examples
+
+### Create a PSA CoRIM from JSON templates
+```bash
+# First convert JSON CoMIDs to CBOR format
+cocli comid create --template=data/comid/psa/psa-reference-values.json --output=psa-ref-vals.cbor
+cocli comid create --template=data/comid/psa/psa-attestation-key.json --output=psa-attest-key.cbor  
+cocli comid create --template=data/comid/psa/psa-certification-claims.json --output=psa-cert-claims.cbor
+cocli comid create --template=data/comid/psa/psa-software-relations.json --output=psa-sw-rels.cbor
+
+# Create the PSA CoRIM
+cocli corim create --template=data/corim/templates/corim-psa.json \
+                   --comid=psa-ref-vals.cbor \
+                   --comid=psa-attest-key.cbor \
+                   --comid=psa-cert-claims.cbor \
+                   --comid=psa-sw-rels.cbor \
+                   --output=psa-corim.cbor
+```
+
+### Submit PSA CoRIM to Veraison
+```bash
+cocli corim submit \
+        --corim-file=psa-corim.cbor \
+        --api-server="https://veraison.example/endorsement-provisioning/v1/submit" \
+        --media-type="application/corim-unsigned+cbor; profile=tag:arm.com,2025:psa#1.0.0"
+```
+
+### Display PSA CoRIM contents
+```bash
+cocli corim display --corim-file=psa-corim.cbor
+```
+
+## PSA Profile Features
+
+The new PSA profile supports:
+
+1. **Reference Values**: Measurements of PSA RoT firmware components
+2. **Attestation Verification Keys**: Public keys for verifying PSA attestation tokens
+3. **Certification Claims**: Links to PSA Certified Security Assurance Certificates
+4. **Software Relations**: Modeling of software updates and patches with security criticality flags
diff --git a/data/comid/psa/psa-attestation-key.json b/data/comid/psa/psa-attestation-key.json
@@ -0,0 +1,29 @@
+{
+  "tag-identity": {
+    "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773e"
+  },
+  "triples": {
+    "attest-key-triples": [
+      [
+        {
+          "class": {
+            "class-id": {
+              "$class": "tagged-bytes", 
+              "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+            }
+          },
+          "instance": {
+            "$class": "tagged-ueid",
+            "ueid": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW"
+          }
+        },
+        [
+          {
+            "$class": "tagged-pkix-base64-key",
+            "key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg=="
+          }
+        ]
+      ]
+    ]
+  }
+}
diff --git a/data/comid/psa/psa-certification-claims.json b/data/comid/psa/psa-certification-claims.json
@@ -0,0 +1,42 @@
+{
+  "tag-identity": {
+    "tag-id": "urn:uuid:dbb0508a-c658-421c-99c9-04124bab59ca"
+  },
+  "triples": {
+    "conditional-endorsement-triples": [
+      [
+        [
+          {
+            "class": {
+              "class-id": {
+                "$class": "tagged-bytes",
+                "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+              }
+            }
+          },
+          {
+            "mkey": "psa.software-component",
+            "mval": {
+              "digests": [
+                {
+                  "alg": "sha-256", 
+                  "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM="
+                }
+              ],
+              "name": "PRoT",
+              "cryptokeys": [
+                {
+                  "$class": "tagged-bytes",
+                  "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ="
+                }
+              ]
+            }
+          }
+        ],
+        {
+          "psa-cert-num": "1234567890123 - 12345"
+        }
+      ]
+    ]
+  }
+}
diff --git a/data/comid/psa/psa-reference-values.json b/data/comid/psa/psa-reference-values.json
@@ -0,0 +1,57 @@
+{
+  "tag-identity": {
+    "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773f"
+  },
+  "triples": {
+    "reference-triples": [
+      [
+        {
+          "class": {
+            "class-id": {
+              "$class": "tagged-bytes",
+              "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+            }
+          }
+        },
+        [
+          {
+            "mkey": "psa.software-component",
+            "mval": {
+              "digests": [
+                {
+                  "alg": "sha-256",
+                  "val": "mjcfKpFrC27mzsstJvCzIG7wdFeL5V2byU9vP+OrhqoA"
+                }
+              ],
+              "name": "BL",
+              "cryptokeys": [
+                {
+                  "$class": "tagged-bytes",
+                  "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqM="
+                }
+              ]
+            }
+          },
+          {
+            "mkey": "psa.software-component", 
+            "mval": {
+              "digests": [
+                {
+                  "alg": "sha-256",
+                  "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM="
+                }
+              ],
+              "name": "PRoT",
+              "cryptokeys": [
+                {
+                  "$class": "tagged-bytes", 
+                  "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ="
+                }
+              ]
+            }
+          }
+        ]
+      ]
+    ]
+  }
+}
diff --git a/data/comid/psa/psa-software-relations.json b/data/comid/psa/psa-software-relations.json
@@ -0,0 +1,65 @@
+{
+  "tag-identity": {
+    "tag-id": "urn:uuid:3f06af63-a93c-11e4-9797-00505690773d"
+  },
+  "triples": {
+    "psa-swrel-triples": [
+      [
+        {
+          "class": {
+            "class-id": {
+              "$class": "tagged-bytes",
+              "bytes": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+            }
+          }
+        },
+        {
+          "new": {
+            "mval": {
+              "version": {
+                "version": "1.3.0"
+              },
+              "digests": [
+                {
+                  "alg": "sha-256",
+                  "val": "U8I05ehHK2rFHBrhyr/+Bv6tBT646P/Yl3sBBlW/3cM="
+                }
+              ],
+              "name": "PRoT",
+              "cryptokeys": [
+                {
+                  "$class": "tagged-bytes",
+                  "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ="
+                }
+              ]
+            }
+          },
+          "rel": {
+            "type": 1,
+            "security-critical": true
+          },
+          "old": {
+            "mval": {
+              "version": {
+                "version": "1.2.5" 
+              },
+              "digests": [
+                {
+                  "alg": "sha-256",
+                  "val": "U8I05ehHK2rFHBrhyr/+Bv2tBT646P/Yl3sBBlW/3cM="
+                }
+              ],
+              "name": "PRoT",
+              "cryptokeys": [
+                {
+                  "$class": "tagged-bytes",
+                  "bytes": "U3h5YwdTXfPsjYsVoi7NxkFBnD0wYM/jIjjA+pc/eqQ="
+                }
+              ]
+            }
+          }
+        }
+      ]
+    ]
+  }
+}
diff --git a/data/corim/templates/corim-psa.json b/data/corim/templates/corim-psa.json
@@ -0,0 +1,17 @@
+{
+  "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfd",
+  "profile": "tag:arm.com,2025:psa#1.0.0",
+  "validity": {
+    "not-before": "2025-01-01T00:00:00Z",
+    "not-after": "2026-12-31T23:59:59Z"
+  },
+  "entities": [
+    {
+      "name": "ACME PSA Device Manufacturer",
+      "regid": "acme.example",
+      "roles": [
+        "manifestCreator"
+      ]
+    }
+  ]
+}