sys/dev/sfxge/common/ef10_image.c

root/sys/dev/sfxge/common/ef10_image.c
/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2017-2018 Solarflare Communications Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * The views and conclusions contained in the software and documentation are
 * those of the authors and should not be interpreted as representing official
 * policies, either expressed or implied, of the FreeBSD Project.
 */

#include <sys/cdefs.h>
#include "efx.h"
#include "efx_impl.h"

#if EFSYS_OPT_MEDFORD || EFSYS_OPT_MEDFORD2

#if EFSYS_OPT_IMAGE_LAYOUT

/*
 * Utility routines to support limited parsing of ASN.1 tags. This is not a
 * general purpose ASN.1 parser, but is sufficient to locate the required
 * objects in a signed image with CMS headers.
 */

/* DER encodings for ASN.1 tags (see ITU-T X.690) */
#define ASN1_TAG_INTEGER            (0x02)
#define ASN1_TAG_OCTET_STRING       (0x04)
#define ASN1_TAG_OBJ_ID             (0x06)
#define ASN1_TAG_SEQUENCE           (0x30)
#define ASN1_TAG_SET                (0x31)

#define ASN1_TAG_IS_PRIM(tag)       ((tag & 0x20) == 0)

#define ASN1_TAG_PRIM_CONTEXT(n)    (0x80 + (n))
#define ASN1_TAG_CONS_CONTEXT(n)    (0xA0 + (n))

typedef struct efx_asn1_cursor_s {
        uint8_t         *buffer;
        uint32_t        length;

        uint8_t         tag;
        uint32_t        hdr_size;
        uint32_t        val_size;
} efx_asn1_cursor_t;

/* Parse header of DER encoded ASN.1 TLV and match tag */
static  __checkReturn   efx_rc_t
efx_asn1_parse_header_match_tag(
        __inout         efx_asn1_cursor_t       *cursor,
        __in            uint8_t                 tag)
{
        efx_rc_t rc;

        if (cursor == NULL || cursor->buffer == NULL || cursor->length < 2) {
                rc = EINVAL;
                goto fail1;
        }

        cursor->tag = cursor->buffer[0];
        if (cursor->tag != tag) {
                /* Tag not matched */
                rc = ENOENT;
                goto fail2;
        }

        if ((cursor->tag & 0x1F) == 0x1F) {
                /* Long tag format not used in CMS syntax */
                rc = EINVAL;
                goto fail3;
        }

        if ((cursor->buffer[1] & 0x80) == 0) {
                /* Short form: length is 0..127 */
                cursor->hdr_size = 2;
                cursor->val_size = cursor->buffer[1];
        } else {
                /* Long form: length encoded as [0x80+nbytes][length bytes] */
                uint32_t nbytes = cursor->buffer[1] & 0x7F;
                uint32_t offset;

                if (nbytes == 0) {
                        /* Indefinite length not allowed in DER encoding */
                        rc = EINVAL;
                        goto fail4;
                }
                if (2 + nbytes > cursor->length) {
                        /* Header length overflows image buffer */
                        rc = EINVAL;
                        goto fail6;
                }
                if (nbytes > sizeof (uint32_t)) {
                        /* Length encoding too big */
                        rc = E2BIG;
                        goto fail5;
                }
                cursor->hdr_size = 2 + nbytes;
                cursor->val_size = 0;
                for (offset = 2; offset < cursor->hdr_size; offset++) {
                        cursor->val_size =
                            (cursor->val_size << 8) | cursor->buffer[offset];
                }
        }

        if ((cursor->hdr_size + cursor->val_size) > cursor->length) {
                /* Length overflows image buffer */
                rc = E2BIG;
                goto fail7;
        }

        return (0);

fail7:
        EFSYS_PROBE(fail7);
fail6:
        EFSYS_PROBE(fail6);
fail5:
        EFSYS_PROBE(fail5);
fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

/* Enter nested ASN.1 TLV (contained in value of current TLV) */
static  __checkReturn   efx_rc_t
efx_asn1_enter_tag(
        __inout         efx_asn1_cursor_t       *cursor,
        __in            uint8_t                 tag)
{
        efx_rc_t rc;

        if (cursor == NULL) {
                rc = EINVAL;
                goto fail1;
        }

        if (ASN1_TAG_IS_PRIM(tag)) {
                /* Cannot enter a primitive tag */
                rc = ENOTSUP;
                goto fail2;
        }
        rc = efx_asn1_parse_header_match_tag(cursor, tag);
        if (rc != 0) {
                /* Invalid TLV or wrong tag */
                goto fail3;
        }

        /* Limit cursor range to nested TLV */
        cursor->buffer += cursor->hdr_size;
        cursor->length = cursor->val_size;

        return (0);

fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

/*
 * Check that the current ASN.1 TLV matches the given tag and value.
 * Advance cursor to next TLV on a successful match.
 */
static  __checkReturn   efx_rc_t
efx_asn1_match_tag_value(
        __inout         efx_asn1_cursor_t       *cursor,
        __in            uint8_t                 tag,
        __in            const void              *valp,
        __in            uint32_t                val_size)
{
        efx_rc_t rc;

        if (cursor == NULL) {
                rc = EINVAL;
                goto fail1;
        }
        rc = efx_asn1_parse_header_match_tag(cursor, tag);
        if (rc != 0) {
                /* Invalid TLV or wrong tag */
                goto fail2;
        }
        if (cursor->val_size != val_size) {
                /* Value size is different */
                rc = EINVAL;
                goto fail3;
        }
        if (memcmp(cursor->buffer + cursor->hdr_size, valp, val_size) != 0) {
                /* Value content is different */
                rc = EINVAL;
                goto fail4;
        }
        cursor->buffer += cursor->hdr_size + cursor->val_size;
        cursor->length -= cursor->hdr_size + cursor->val_size;

        return (0);

fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

/* Advance cursor to next TLV */
static  __checkReturn   efx_rc_t
efx_asn1_skip_tag(
        __inout         efx_asn1_cursor_t       *cursor,
        __in            uint8_t                 tag)
{
        efx_rc_t rc;

        if (cursor == NULL) {
                rc = EINVAL;
                goto fail1;
        }

        rc = efx_asn1_parse_header_match_tag(cursor, tag);
        if (rc != 0) {
                /* Invalid TLV or wrong tag */
                goto fail2;
        }
        cursor->buffer += cursor->hdr_size + cursor->val_size;
        cursor->length -= cursor->hdr_size + cursor->val_size;

        return (0);

fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

/* Return pointer to value octets and value size from current TLV */
static  __checkReturn   efx_rc_t
efx_asn1_get_tag_value(
        __inout         efx_asn1_cursor_t       *cursor,
        __in            uint8_t                 tag,
        __out           uint8_t                 **valp,
        __out           uint32_t                *val_sizep)
{
        efx_rc_t rc;

        if (cursor == NULL || valp == NULL || val_sizep == NULL) {
                rc = EINVAL;
                goto fail1;
        }

        rc = efx_asn1_parse_header_match_tag(cursor, tag);
        if (rc != 0) {
                /* Invalid TLV or wrong tag */
                goto fail2;
        }
        *valp = cursor->buffer + cursor->hdr_size;
        *val_sizep = cursor->val_size;

        return (0);

fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

/*
 * Utility routines for parsing CMS headers (see RFC2315, PKCS#7)
 */

/* OID 1.2.840.113549.1.7.2 */
static const uint8_t PKCS7_SignedData[] =
{ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };

/* OID 1.2.840.113549.1.7.1 */
static const uint8_t PKCS7_Data[] =
{ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 };

/* SignedData structure version */
static const uint8_t SignedData_Version[] =
{ 0x03 };

/*
 * Check for a valid image in signed image format. This uses CMS syntax
 * (see RFC2315, PKCS#7) to provide signatures, and certificates required
 * to validate the signatures. The encapsulated content is in unsigned image
 * format (reflash header, image code, trailer checksum).
 */
static  __checkReturn   efx_rc_t
efx_check_signed_image_header(
        __in            void            *bufferp,
        __in            uint32_t        buffer_size,
        __out           uint32_t        *content_offsetp,
        __out           uint32_t        *content_lengthp)
{
        efx_asn1_cursor_t cursor;
        uint8_t *valp;
        uint32_t val_size;
        efx_rc_t rc;

        if (content_offsetp == NULL || content_lengthp == NULL) {
                rc = EINVAL;
                goto fail1;
        }
        cursor.buffer = (uint8_t *)bufferp;
        cursor.length = buffer_size;

        /* ContextInfo */
        rc = efx_asn1_enter_tag(&cursor, ASN1_TAG_SEQUENCE);
        if (rc != 0)
                goto fail2;

        /* ContextInfo.contentType */
        rc = efx_asn1_match_tag_value(&cursor, ASN1_TAG_OBJ_ID,
            PKCS7_SignedData, sizeof (PKCS7_SignedData));
        if (rc != 0)
                goto fail3;

        /* ContextInfo.content */
        rc = efx_asn1_enter_tag(&cursor, ASN1_TAG_CONS_CONTEXT(0));
        if (rc != 0)
                goto fail4;

        /* SignedData */
        rc = efx_asn1_enter_tag(&cursor, ASN1_TAG_SEQUENCE);
        if (rc != 0)
                goto fail5;

        /* SignedData.version */
        rc = efx_asn1_match_tag_value(&cursor, ASN1_TAG_INTEGER,
            SignedData_Version, sizeof (SignedData_Version));
        if (rc != 0)
                goto fail6;

        /* SignedData.digestAlgorithms */
        rc = efx_asn1_skip_tag(&cursor, ASN1_TAG_SET);
        if (rc != 0)
                goto fail7;

        /* SignedData.encapContentInfo */
        rc = efx_asn1_enter_tag(&cursor, ASN1_TAG_SEQUENCE);
        if (rc != 0)
                goto fail8;

        /* SignedData.encapContentInfo.econtentType */
        rc = efx_asn1_match_tag_value(&cursor, ASN1_TAG_OBJ_ID,
            PKCS7_Data, sizeof (PKCS7_Data));
        if (rc != 0)
                goto fail9;

        /* SignedData.encapContentInfo.econtent */
        rc = efx_asn1_enter_tag(&cursor, ASN1_TAG_CONS_CONTEXT(0));
        if (rc != 0)
                goto fail10;

        /*
         * The octet string contains the image header, image code bytes and
         * image trailer CRC (same as unsigned image layout).
         */
        valp = NULL;
        val_size = 0;
        rc = efx_asn1_get_tag_value(&cursor, ASN1_TAG_OCTET_STRING,
            &valp, &val_size);
        if (rc != 0)
                goto fail11;

        if ((valp == NULL) || (val_size == 0)) {
                rc = EINVAL;
                goto fail12;
        }
        if (valp < (uint8_t *)bufferp) {
                rc = EINVAL;
                goto fail13;
        }
        if ((valp + val_size) > ((uint8_t *)bufferp + buffer_size)) {
                rc = EINVAL;
                goto fail14;
        }

        *content_offsetp = (uint32_t)(valp - (uint8_t *)bufferp);
        *content_lengthp = val_size;

        return (0);

fail14:
        EFSYS_PROBE(fail14);
fail13:
        EFSYS_PROBE(fail13);
fail12:
        EFSYS_PROBE(fail12);
fail11:
        EFSYS_PROBE(fail11);
fail10:
        EFSYS_PROBE(fail10);
fail9:
        EFSYS_PROBE(fail9);
fail8:
        EFSYS_PROBE(fail8);
fail7:
        EFSYS_PROBE(fail7);
fail6:
        EFSYS_PROBE(fail6);
fail5:
        EFSYS_PROBE(fail5);
fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

static  __checkReturn   efx_rc_t
efx_check_unsigned_image(
        __in            void            *bufferp,
        __in            uint32_t        buffer_size)
{
        efx_image_header_t *header;
        efx_image_trailer_t *trailer;
        uint32_t crc;
        efx_rc_t rc;

        EFX_STATIC_ASSERT(sizeof (*header) == EFX_IMAGE_HEADER_SIZE);
        EFX_STATIC_ASSERT(sizeof (*trailer) == EFX_IMAGE_TRAILER_SIZE);

        /* Must have at least enough space for required image header fields */
        if (buffer_size < (EFX_FIELD_OFFSET(efx_image_header_t, eih_size) +
                sizeof (header->eih_size))) {
                rc = ENOSPC;
                goto fail1;
        }
        header = (efx_image_header_t *)bufferp;

        if (header->eih_magic != EFX_IMAGE_HEADER_MAGIC) {
                rc = EINVAL;
                goto fail2;
        }

        /*
         * Check image header version is same or higher than lowest required
         * version.
         */
        if (header->eih_version < EFX_IMAGE_HEADER_VERSION) {
                rc = EINVAL;
                goto fail3;
        }

        /* Buffer must have space for image header, code and image trailer. */
        if (buffer_size < (header->eih_size + header->eih_code_size +
                EFX_IMAGE_TRAILER_SIZE)) {
                rc = ENOSPC;
                goto fail4;
        }

        /* Check CRC from image buffer matches computed CRC. */
        trailer = (efx_image_trailer_t *)((uint8_t *)header +
            header->eih_size + header->eih_code_size);

        crc = efx_crc32_calculate(0, (uint8_t *)header,
            (header->eih_size + header->eih_code_size));

        if (trailer->eit_crc != crc) {
                rc = EINVAL;
                goto fail5;
        }

        return (0);

fail5:
        EFSYS_PROBE(fail5);
fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

        __checkReturn   efx_rc_t
efx_check_reflash_image(
        __in            void                    *bufferp,
        __in            uint32_t                buffer_size,
        __out           efx_image_info_t        *infop)
{
        efx_image_format_t format = EFX_IMAGE_FORMAT_NO_IMAGE;
        uint32_t image_offset;
        uint32_t image_size;
        void *imagep;
        efx_rc_t rc;

        EFSYS_ASSERT(infop != NULL);
        if (infop == NULL) {
                rc = EINVAL;
                goto fail1;
        }
        memset(infop, 0, sizeof (*infop));

        if (bufferp == NULL || buffer_size == 0) {
                rc = EINVAL;
                goto fail2;
        }

        /*
         * Check if the buffer contains an image in signed format, and if so,
         * locate the image header.
         */
        rc = efx_check_signed_image_header(bufferp, buffer_size,
            &image_offset, &image_size);
        if (rc == 0) {
                /*
                 * Buffer holds signed image format. Check that the encapsulated
                 * content is in unsigned image format.
                 */
                format = EFX_IMAGE_FORMAT_SIGNED;
        } else {
                /* Check if the buffer holds image in unsigned image format */
                format = EFX_IMAGE_FORMAT_UNSIGNED;
                image_offset = 0;
                image_size = buffer_size;
        }
        if (image_offset + image_size > buffer_size) {
                rc = E2BIG;
                goto fail3;
        }
        imagep = (uint8_t *)bufferp + image_offset;

        /* Check unsigned image layout (image header, code, image trailer) */
        rc = efx_check_unsigned_image(imagep, image_size);
        if (rc != 0)
                goto fail4;

        /* Return image details */
        infop->eii_format = format;
        infop->eii_imagep = bufferp;
        infop->eii_image_size = buffer_size;
        infop->eii_headerp = (efx_image_header_t *)imagep;

        return (0);

fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
        infop->eii_format = EFX_IMAGE_FORMAT_INVALID;
        infop->eii_imagep = NULL;
        infop->eii_image_size = 0;

fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

        __checkReturn   efx_rc_t
efx_build_signed_image_write_buffer(
        __out_bcount(buffer_size)
                        uint8_t                 *bufferp,
        __in            uint32_t                buffer_size,
        __in            efx_image_info_t        *infop,
        __out           efx_image_header_t      **headerpp)
{
        signed_image_chunk_hdr_t chunk_hdr;
        uint32_t hdr_offset;
        struct {
                uint32_t offset;
                uint32_t size;
        } cms_header, image_header, code, image_trailer, signature;
        efx_rc_t rc;

        EFSYS_ASSERT((infop != NULL) && (headerpp != NULL));

        if ((bufferp == NULL) || (buffer_size == 0) ||
            (infop == NULL) || (headerpp == NULL)) {
                /* Invalid arguments */
                rc = EINVAL;
                goto fail1;
        }
        if ((infop->eii_format != EFX_IMAGE_FORMAT_SIGNED) ||
            (infop->eii_imagep == NULL) ||
            (infop->eii_headerp == NULL) ||
            ((uint8_t *)infop->eii_headerp < (uint8_t *)infop->eii_imagep) ||
            (infop->eii_image_size < EFX_IMAGE_HEADER_SIZE) ||
            ((size_t)((uint8_t *)infop->eii_headerp - infop->eii_imagep) >
            (infop->eii_image_size - EFX_IMAGE_HEADER_SIZE))) {
                /* Invalid image info */
                rc = EINVAL;
                goto fail2;
        }

        /* Locate image chunks in original signed image */
        cms_header.offset = 0;
        cms_header.size =
            (uint32_t)((uint8_t *)infop->eii_headerp - infop->eii_imagep);
        if ((cms_header.size > buffer_size) ||
            (cms_header.offset > (buffer_size - cms_header.size))) {
                rc = EINVAL;
                goto fail3;
        }

        image_header.offset = cms_header.offset + cms_header.size;
        image_header.size = infop->eii_headerp->eih_size;
        if ((image_header.size > buffer_size) ||
            (image_header.offset > (buffer_size - image_header.size))) {
                rc = EINVAL;
                goto fail4;
        }

        code.offset = image_header.offset + image_header.size;
        code.size = infop->eii_headerp->eih_code_size;
        if ((code.size > buffer_size) ||
            (code.offset > (buffer_size - code.size))) {
                rc = EINVAL;
                goto fail5;
        }

        image_trailer.offset = code.offset + code.size;
        image_trailer.size = EFX_IMAGE_TRAILER_SIZE;
        if ((image_trailer.size > buffer_size) ||
            (image_trailer.offset > (buffer_size - image_trailer.size))) {
                rc = EINVAL;
                goto fail6;
        }

        signature.offset = image_trailer.offset + image_trailer.size;
        signature.size = (uint32_t)(infop->eii_image_size - signature.offset);
        if ((signature.size > buffer_size) ||
            (signature.offset > (buffer_size - signature.size))) {
                rc = EINVAL;
                goto fail7;
        }

        EFSYS_ASSERT3U(infop->eii_image_size, ==, cms_header.size +
            image_header.size + code.size + image_trailer.size +
            signature.size);

        /* BEGIN CSTYLED */
        /*
         * Build signed image partition, inserting chunk headers.
         *
         *  Signed Image:                  Image in NVRAM partition:
         *
         *  +-----------------+            +-----------------+
         *  | CMS header      |            |  mcfw.update    |<----+
         *  +-----------------+            |                 |     |
         *  | reflash header  |            +-----------------+     |
         *  +-----------------+            | chunk header:   |-->--|-+
         *  | mcfw.update     |            | REFLASH_TRAILER |     | |
         *  |                 |            +-----------------+     | |
         *  +-----------------+        +-->| CMS header      |     | |
         *  | reflash trailer |        |   +-----------------+     | |
         *  +-----------------+        |   | chunk header:   |->-+ | |
         *  | signature       |        |   | REFLASH_HEADER  |   | | |
         *  +-----------------+        |   +-----------------+   | | |
         *                             |   | reflash header  |<--+ | |
         *                             |   +-----------------+     | |
         *                             |   | chunk header:   |-->--+ |
         *                             |   | IMAGE           |       |
         *                             |   +-----------------+       |
         *                             |   | reflash trailer |<------+
         *                             |   +-----------------+
         *                             |   | chunk header:   |
         *                             |   | SIGNATURE       |->-+
         *                             |   +-----------------+   |
         *                             |   | signature       |<--+
         *                             |   +-----------------+
         *                             |   | ...unused...    |
         *                             |   +-----------------+
         *                             +-<-| chunk header:   |
         *                             >-->| CMS_HEADER      |
         *                                 +-----------------+
         *
         * Each chunk header gives the partition offset and length of the image
         * chunk's data. The image chunk data is immediately followed by the
         * chunk header for the next chunk.
         *
         * The data chunk for the firmware code must be at the start of the
         * partition (needed for the bootloader). The first chunk header in the
         * chain (for the CMS header) is stored at the end of the partition. The
         * chain of chunk headers maintains the same logical order of image
         * chunks as the original signed image file. This set of constraints
         * results in the layout used for the data chunks and chunk headers.
         */
        /* END CSTYLED */
        memset(bufferp, 0xFF, buffer_size);

        EFX_STATIC_ASSERT(sizeof (chunk_hdr) == SIGNED_IMAGE_CHUNK_HDR_LEN);
        memset(&chunk_hdr, 0, SIGNED_IMAGE_CHUNK_HDR_LEN);

        /*
         * CMS header
         */
        if (buffer_size < SIGNED_IMAGE_CHUNK_HDR_LEN) {
                rc = ENOSPC;
                goto fail8;
        }
        hdr_offset = buffer_size - SIGNED_IMAGE_CHUNK_HDR_LEN;

        chunk_hdr.magic         = SIGNED_IMAGE_CHUNK_HDR_MAGIC;
        chunk_hdr.version       = SIGNED_IMAGE_CHUNK_HDR_VERSION;
        chunk_hdr.id            = SIGNED_IMAGE_CHUNK_CMS_HEADER;
        chunk_hdr.offset        = code.size + SIGNED_IMAGE_CHUNK_HDR_LEN;
        chunk_hdr.len           = cms_header.size;

        memcpy(bufferp + hdr_offset, &chunk_hdr, sizeof (chunk_hdr));

        if ((chunk_hdr.len > buffer_size) ||
            (chunk_hdr.offset > (buffer_size - chunk_hdr.len))) {
                rc = ENOSPC;
                goto fail9;
        }
        memcpy(bufferp + chunk_hdr.offset,
            infop->eii_imagep + cms_header.offset,
            cms_header.size);

        /*
         * Image header
         */
        hdr_offset = chunk_hdr.offset + chunk_hdr.len;
        if (hdr_offset > (buffer_size - SIGNED_IMAGE_CHUNK_HDR_LEN)) {
                rc = ENOSPC;
                goto fail10;
        }
        chunk_hdr.magic         = SIGNED_IMAGE_CHUNK_HDR_MAGIC;
        chunk_hdr.version       = SIGNED_IMAGE_CHUNK_HDR_VERSION;
        chunk_hdr.id            = SIGNED_IMAGE_CHUNK_REFLASH_HEADER;
        chunk_hdr.offset        = hdr_offset + SIGNED_IMAGE_CHUNK_HDR_LEN;
        chunk_hdr.len           = image_header.size;

        memcpy(bufferp + hdr_offset, &chunk_hdr, SIGNED_IMAGE_CHUNK_HDR_LEN);

        if ((chunk_hdr.len > buffer_size) ||
            (chunk_hdr.offset > (buffer_size - chunk_hdr.len))) {
                rc = ENOSPC;
                goto fail11;
        }
        memcpy(bufferp + chunk_hdr.offset,
            infop->eii_imagep + image_header.offset,
            image_header.size);

        *headerpp = (efx_image_header_t *)(bufferp + chunk_hdr.offset);

        /*
         * Firmware code
         */
        hdr_offset = chunk_hdr.offset + chunk_hdr.len;
        if (hdr_offset > (buffer_size - SIGNED_IMAGE_CHUNK_HDR_LEN)) {
                rc = ENOSPC;
                goto fail12;
        }
        chunk_hdr.magic         = SIGNED_IMAGE_CHUNK_HDR_MAGIC;
        chunk_hdr.version       = SIGNED_IMAGE_CHUNK_HDR_VERSION;
        chunk_hdr.id            = SIGNED_IMAGE_CHUNK_IMAGE;
        chunk_hdr.offset        = 0;
        chunk_hdr.len           = code.size;

        memcpy(bufferp + hdr_offset, &chunk_hdr, SIGNED_IMAGE_CHUNK_HDR_LEN);

        if ((chunk_hdr.len > buffer_size) ||
            (chunk_hdr.offset > (buffer_size - chunk_hdr.len))) {
                rc = ENOSPC;
                goto fail13;
        }
        memcpy(bufferp + chunk_hdr.offset,
            infop->eii_imagep + code.offset,
            code.size);

        /*
         * Image trailer (CRC)
         */
        chunk_hdr.magic         = SIGNED_IMAGE_CHUNK_HDR_MAGIC;
        chunk_hdr.version       = SIGNED_IMAGE_CHUNK_HDR_VERSION;
        chunk_hdr.id            = SIGNED_IMAGE_CHUNK_REFLASH_TRAILER;
        chunk_hdr.offset        = hdr_offset + SIGNED_IMAGE_CHUNK_HDR_LEN;
        chunk_hdr.len           = image_trailer.size;

        hdr_offset = code.size;
        if (hdr_offset > (buffer_size - SIGNED_IMAGE_CHUNK_HDR_LEN)) {
                rc = ENOSPC;
                goto fail14;
        }

        memcpy(bufferp + hdr_offset, &chunk_hdr, SIGNED_IMAGE_CHUNK_HDR_LEN);

        if ((chunk_hdr.len > buffer_size) ||
            (chunk_hdr.offset > (buffer_size - chunk_hdr.len))) {
                rc = ENOSPC;
                goto fail15;
        }
        memcpy((uint8_t *)bufferp + chunk_hdr.offset,
            infop->eii_imagep + image_trailer.offset,
            image_trailer.size);

        /*
         * Signature
         */
        hdr_offset = chunk_hdr.offset + chunk_hdr.len;
        if (hdr_offset > (buffer_size - SIGNED_IMAGE_CHUNK_HDR_LEN)) {
                rc = ENOSPC;
                goto fail16;
        }
        chunk_hdr.magic         = SIGNED_IMAGE_CHUNK_HDR_MAGIC;
        chunk_hdr.version       = SIGNED_IMAGE_CHUNK_HDR_VERSION;
        chunk_hdr.id            = SIGNED_IMAGE_CHUNK_SIGNATURE;
        chunk_hdr.offset        = chunk_hdr.offset + SIGNED_IMAGE_CHUNK_HDR_LEN;
        chunk_hdr.len           = signature.size;

        memcpy(bufferp + hdr_offset, &chunk_hdr, SIGNED_IMAGE_CHUNK_HDR_LEN);

        if ((chunk_hdr.len > buffer_size) ||
            (chunk_hdr.offset > (buffer_size - chunk_hdr.len))) {
                rc = ENOSPC;
                goto fail17;
        }
        memcpy(bufferp + chunk_hdr.offset,
            infop->eii_imagep + signature.offset,
            signature.size);

        return (0);

fail17:
        EFSYS_PROBE(fail17);
fail16:
        EFSYS_PROBE(fail16);
fail15:
        EFSYS_PROBE(fail15);
fail14:
        EFSYS_PROBE(fail14);
fail13:
        EFSYS_PROBE(fail13);
fail12:
        EFSYS_PROBE(fail12);
fail11:
        EFSYS_PROBE(fail11);
fail10:
        EFSYS_PROBE(fail10);
fail9:
        EFSYS_PROBE(fail9);
fail8:
        EFSYS_PROBE(fail8);
fail7:
        EFSYS_PROBE(fail7);
fail6:
        EFSYS_PROBE(fail6);
fail5:
        EFSYS_PROBE(fail5);
fail4:
        EFSYS_PROBE(fail4);
fail3:
        EFSYS_PROBE(fail3);
fail2:
        EFSYS_PROBE(fail2);
fail1:
        EFSYS_PROBE1(fail1, efx_rc_t, rc);

        return (rc);
}

#endif  /* EFSYS_OPT_IMAGE_LAYOUT */

#endif  /* EFSYS_OPT_MEDFORD || EFSYS_OPT_MEDFORD2 */