[iphone] Add iPhone tethering driver

USB tethering via an iPhone is unreasonably complicated due to the
requirement to perform a pairing operation that involves establishing
a TLS session over a completely unrelated USB function that speaks a
protocol that is almost, but not quite, entirely unlike TCP.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

3 files changed, 2560 insertions, 0 deletions

diff --git a/src/drivers/net/iphone.c b/src/drivers/net/iphone.c
new file mode 100644
index 0000000..7d0eb4b
--- /dev/null
+++ b/src/drivers/net/iphone.c
@@ -0,0 +1,2268 @@
+/*
+ * Copyright (C) 2020 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <ipxe/netdevice.h>
+#include <ipxe/ethernet.h>
+#include <ipxe/if_ether.h>
+#include <ipxe/profile.h>
+#include <ipxe/base64.h>
+#include <ipxe/sha256.h>
+#include <ipxe/rsa.h>
+#include <ipxe/x509.h>
+#include <ipxe/pem.h>
+#include <ipxe/xfer.h>
+#include <ipxe/tls.h>
+#include <ipxe/usb.h>
+#include "iphone.h"
+
+/** @file
+ *
+ * iPhone USB Ethernet driver
+ *
+ */
+
+/* Disambiguate the various error causes */
+#define EPIPE_NO_MUX __einfo_error ( EINFO_EPIPE_NO_MUX )
+#define EINFO_EPIPE_NO_MUX						\
+	__einfo_uniqify ( EINFO_EPIPE, 0x01,				\
+			  "No USB multiplexer" )
+#define EINPROGRESS_PAIRING __einfo_error ( EINFO_EINPROGRESS_PAIRING )
+#define EINFO_EINPROGRESS_PAIRING					\
+	__einfo_uniqify ( EINFO_EINPROGRESS, 0x01,			\
+			  "Pairing in progress" )
+#define ENOTCONN_DISABLED __einfo_error ( EINFO_ENOTCONN_DISABLED )
+#define EINFO_ENOTCONN_DISABLED						\
+	__einfo_uniqify ( EINFO_ENOTCONN, IPHONE_LINK_DISABLED,		\
+			  "Personal Hotspot disabled" )
+#define ENOTCONN_STATUS( status )					\
+	EUNIQ ( EINFO_ENOTCONN, ( (status) & 0x1f ),			\
+		ENOTCONN_DISABLED )
+
+static int ipair_create ( struct interface *xfer, unsigned int flags );
+
+/** Bulk IN completion profiler */
+static struct profiler iphone_in_profiler __profiler =
+	{ .name = "iphone.in" };
+
+/** Bulk OUT profiler */
+static struct profiler iphone_out_profiler __profiler =
+	{ .name = "iphone.out" };
+
+/** List of USB multiplexers */
+static LIST_HEAD ( imuxes );
+
+/** List of iPhone network devices */
+static LIST_HEAD ( iphones );
+
+/******************************************************************************
+ *
+ * iPhone pairing certificates
+ *
+ ******************************************************************************
+ */
+
+/** iPhone root certificate fingerprint */
+static uint8_t icert_root_fingerprint[SHA256_DIGEST_SIZE];
+
+/** Root of trust for iPhone certificates */
+static struct x509_root icert_root = {
+	.refcnt = REF_INIT ( ref_no_free ),
+	.digest = &sha256_algorithm,
+	.count = 1,
+	.fingerprints = icert_root_fingerprint,
+};
+
+/** Single zero byte used in constructed certificates */
+static const uint8_t icert_nul[] = { 0x00 };
+
+/** "RSA algorithm" identifier used in constructed certificates */
+static const uint8_t icert_rsa[] = {
+	/* algorithm */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_RSAENCRYPTION ),
+		     ASN1_NULL, 0x00 )
+};
+
+/** "SHA-256 with RSA algorithm" identifier used in constructed certificates */
+static const uint8_t icert_sha256_rsa[] = {
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_SHA256WITHRSAENCRYPTION ),
+		     ASN1_NULL, 0x00 ),
+};
+
+/** Extensions used in constructed root certificate */
+static const uint8_t icert_root_exts_data[] = {
+	/* extensions */
+	ASN1_SHORT ( ASN1_EXPLICIT_TAG ( 3 ), ASN1_SHORT ( ASN1_SEQUENCE,
+	/* basicConstraints */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     /* extnID */
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_BASICCONSTRAINTS ),
+		     /* critical */
+		     ASN1_SHORT ( ASN1_BOOLEAN, 0xff ),
+		     /* extnValue */
+		     ASN1_SHORT ( ASN1_OCTET_STRING,
+				  ASN1_SHORT ( ASN1_SEQUENCE,
+					       ASN1_SHORT ( ASN1_BOOLEAN,
+							    0xff ) ) ) ) ) )
+};
+
+/** Extensions used in constructed root certificate */
+static struct asn1_cursor icert_root_exts =
+	ASN1_CURSOR ( icert_root_exts_data );
+
+/** Extensions used in constructed leaf certificates */
+static const uint8_t icert_leaf_exts_data[] = {
+	/* extensions */
+	ASN1_SHORT ( ASN1_EXPLICIT_TAG ( 3 ), ASN1_SHORT ( ASN1_SEQUENCE,
+	/* basicConstraints */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     /* extnID */
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_BASICCONSTRAINTS ),
+		     /* critical */
+		     ASN1_SHORT ( ASN1_BOOLEAN, 0xff ),
+		     /* extnValue */
+		     ASN1_SHORT ( ASN1_OCTET_STRING,
+				  ASN1_SHORT ( ASN1_SEQUENCE,
+					       ASN1_SHORT ( ASN1_BOOLEAN,
+							    0x00 ) ) ) ),
+	/* keyUsage */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     /* extnID */
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_KEYUSAGE ),
+		     /* critical */
+		     ASN1_SHORT ( ASN1_BOOLEAN, 0xff ),
+		     /* extnValue */
+		     ASN1_SHORT ( ASN1_OCTET_STRING,
+				  ASN1_SHORT ( ASN1_BIT_STRING, 0x07,
+					       ( X509_DIGITAL_SIGNATURE |
+						 X509_KEY_ENCIPHERMENT ),
+					       0x00 ) ) ) ) )
+};
+
+/** Extensions used in constructed leaf certificates */
+static struct asn1_cursor icert_leaf_exts =
+	ASN1_CURSOR ( icert_leaf_exts_data );
+
+/** "TBSCertificate" prefix in constructed certificates */
+static const uint8_t icert_tbs_prefix[] = {
+	/* version */
+	ASN1_SHORT ( ASN1_EXPLICIT_TAG ( 0 ), ASN1_SHORT ( ASN1_INTEGER, 2 ) ),
+	/* serialNumber */
+	ASN1_SHORT ( ASN1_INTEGER, 0 ),
+	/* signature */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_SHA256WITHRSAENCRYPTION ),
+		     ASN1_NULL, 0x00 )
+};
+
+/** Validity period in constructed certificates */
+static const uint8_t icert_validity[] = {
+	/* validity */
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     /* notBefore */
+		     ASN1_SHORT ( ASN1_GENERALIZED_TIME,
+				  '1', '9', '7', '8', '1', '2', '1', '0',
+				  '2', '2', '0', '0', '0', '0', 'Z' ),
+		     /* notAfter */
+		     ASN1_SHORT ( ASN1_GENERALIZED_TIME,
+				  '2', '9', '9', '9', '0', '1', '0', '1',
+				  '0', '0', '0', '0', '0', '0', 'Z' ) )
+};
+
+/** "Root" subject name */
+static const uint8_t icert_name_root_data[] = {
+	ASN1_SHORT ( ASN1_SEQUENCE, ASN1_SHORT ( ASN1_SET,
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_COMMON_NAME ),
+		     ASN1_SHORT ( ASN1_UTF8_STRING, 'R', 'o', 'o', 't' ) ) ) )
+};
+
+/** "Root" subject name */
+static struct asn1_cursor icert_name_root =
+	ASN1_CURSOR ( icert_name_root_data );
+
+/** "iPXE" subject name */
+static const uint8_t icert_name_ipxe_data[] = {
+	ASN1_SHORT ( ASN1_SEQUENCE, ASN1_SHORT ( ASN1_SET,
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_COMMON_NAME ),
+		     ASN1_SHORT ( ASN1_UTF8_STRING, 'i', 'P', 'X', 'E' ) ) ) )
+};
+
+/** "iPXE" subject name */
+static struct asn1_cursor icert_name_ipxe =
+	ASN1_CURSOR ( icert_name_ipxe_data );
+
+/** "iPhone" subject name */
+static const uint8_t icert_name_iphone_data[] = {
+	ASN1_SHORT ( ASN1_SEQUENCE, ASN1_SHORT ( ASN1_SET,
+	ASN1_SHORT ( ASN1_SEQUENCE,
+		     ASN1_SHORT ( ASN1_OID, ASN1_OID_COMMON_NAME ),
+		     ASN1_SHORT ( ASN1_UTF8_STRING,
+				  'i', 'P', 'h', 'o', 'n', 'e' ) ) ) )
+};
+
+/** "iPhone" subject name */
+static struct asn1_cursor icert_name_iphone =
+	ASN1_CURSOR ( icert_name_iphone_data );
+
+/** Public key(s) used for pairing */
+static const uint8_t icert_public_a[] __unused = {
+	0x02, 0x81, 0x81, 0x00, 0xc9, 0xc0, 0xdd, 0xa6, 0xd5, 0xf9, 0x05, 0x3e,
+	0x1d, 0xcb, 0x67, 0x08, 0xa8, 0x50, 0x27, 0x63, 0x95, 0x87, 0x42, 0x7e,
+	0xfb, 0xff, 0x55, 0x55, 0xb8, 0xc0, 0x6f, 0x13, 0xcb, 0xf7, 0xc5, 0x1b,
+	0xda, 0x44, 0x3c, 0xbc, 0x1a, 0xe1, 0x15, 0x1e, 0xab, 0x56, 0x74, 0x02,
+	0x8b, 0xb3, 0xcd, 0x42, 0x56, 0xcd, 0x9c, 0xc3, 0x15, 0xe2, 0x33, 0x97,
+	0x6d, 0x77, 0xdd, 0x20, 0x3a, 0x74, 0xb1, 0x4c, 0xee, 0xeb, 0xe8, 0xaa,
+	0x20, 0x71, 0x5a, 0xa2, 0x5b, 0xf8, 0x1a, 0xcb, 0xd2, 0x7b, 0x96, 0xb6,
+	0x42, 0xb4, 0x7c, 0x7a, 0x13, 0xec, 0x55, 0xd3, 0x36, 0x8b, 0xe3, 0x17,
+	0xc5, 0xc4, 0xcc, 0xe0, 0x27, 0x8c, 0xed, 0xa1, 0x4c, 0x8a, 0x50, 0x4a,
+	0x1c, 0xc4, 0x58, 0xf6, 0xcd, 0xcc, 0xc3, 0x5f, 0xe6, 0x3c, 0xff, 0x97,
+	0x51, 0xed, 0xf5, 0xaa, 0x89, 0xcc, 0x3f, 0x63, 0x67, 0x46, 0x9f, 0xbf,
+	0x02, 0x03, 0x01, 0x00, 0x01
+};
+static const uint8_t icert_public_b[] __unused = {
+	0x02, 0x81, 0x81, 0x00, 0xcd, 0x96, 0x81, 0x78, 0xbb, 0x2e, 0x64, 0xda,
+	0xd3, 0x7e, 0xd7, 0x3a, 0xac, 0x3f, 0x00, 0xe5, 0x41, 0x65, 0x56, 0xac,
+	0x2d, 0x77, 0xc0, 0x1a, 0xad, 0x32, 0xca, 0x0c, 0x72, 0xae, 0xdb, 0x57,
+	0xc1, 0xc7, 0x79, 0xef, 0xc6, 0x71, 0x9f, 0xad, 0x82, 0x14, 0x94, 0x4b,
+	0xf9, 0xd8, 0x78, 0xf1, 0xca, 0x99, 0xf5, 0x71, 0x07, 0x88, 0xd7, 0x55,
+	0xc7, 0xcb, 0x36, 0x5d, 0xdb, 0x84, 0x46, 0xac, 0x05, 0xea, 0xf1, 0xe1,
+	0xbe, 0x91, 0x50, 0x85, 0x1e, 0x64, 0xab, 0x02, 0x82, 0xab, 0xba, 0x42,
+	0x06, 0x5a, 0xe3, 0xc3, 0x25, 0xd0, 0x95, 0x04, 0x54, 0xb4, 0x44, 0x40,
+	0x5a, 0x42, 0x06, 0x04, 0x7d, 0x3b, 0x9e, 0xaf, 0x2e, 0xe9, 0xc8, 0xad,
+	0x46, 0x3a, 0xff, 0xe2, 0x39, 0xc8, 0x48, 0x0a, 0x49, 0xaa, 0xfe, 0x1f,
+	0x6c, 0x91, 0x5d, 0x1d, 0xd6, 0xb0, 0x04, 0xd1, 0x6c, 0xb2, 0x43, 0xaf,
+	0x02, 0x03, 0x01, 0x00, 0x01
+};
+
+/**
+ * "Private" key(s) used for pairing
+ *
+ * Yes, this publicly visible "private" key completely obviates any
+ * nominal security provided by the pairing process.  Looked at
+ * another way, this modifies the iPhone to behave like every other
+ * USB tethering device: if the cable is physically connected and
+ * tethering is enabled then the device will Just Work.
+ *
+ * Unlike Android, the iPhone seems to have no meaningful permissions
+ * model: any device that is trusted to use the phone for tethering
+ * seems to also be trusted to use the iPhone for any other purpose
+ * (e.g. accessing files, reading messages, etc).  Apple should
+ * probably fix this at some point, e.g. via defining extended key
+ * usages in the root and host certificates.
+ */
+static const uint8_t icert_private_a[] __unused = {
+	0x02, 0x81, 0x80, 0x1d, 0x60, 0xb7, 0x25, 0xdf, 0x0c, 0x76, 0xc5, 0xf7,
+	0xc2, 0xb1, 0x8b, 0x22, 0x2f, 0x21, 0xbd, 0x2f, 0x7d, 0xd5, 0xa1, 0xf6,
+	0x01, 0xd5, 0x24, 0x39, 0x55, 0xd4, 0x16, 0xd6, 0xe1, 0x8a, 0x53, 0x26,
+	0xf2, 0x3e, 0xc1, 0xc9, 0x4c, 0x33, 0x2e, 0x17, 0x16, 0xec, 0xa7, 0x9e,
+	0x3e, 0x1d, 0x4a, 0x66, 0xa7, 0x64, 0x07, 0x48, 0x3d, 0x7a, 0xf3, 0xb6,
+	0xdd, 0xf8, 0x56, 0x04, 0x0d, 0x0f, 0xef, 0xf8, 0xbd, 0xbc, 0x73, 0xe2,
+	0xc2, 0xae, 0x1b, 0x87, 0x90, 0x18, 0x2a, 0x68, 0xff, 0xae, 0x49, 0xdf,
+	0x7c, 0xff, 0xe8, 0x44, 0xa8, 0x3e, 0x4e, 0x4f, 0xf5, 0xfa, 0x51, 0x96,
+	0xb8, 0x08, 0xf3, 0x18, 0xd6, 0x52, 0xdf, 0x3a, 0x8a, 0xed, 0xda, 0xcd,
+	0xb4, 0x06, 0x99, 0x41, 0xcb, 0x23, 0x17, 0xaf, 0xc3, 0x3e, 0xfe, 0xdf,
+	0x97, 0xf3, 0xd6, 0x18, 0x7e, 0x03, 0xaf, 0x62, 0xb2, 0xc8, 0xc9
+};
+static const uint8_t icert_private_b[] __unused = {
+	0x02, 0x81, 0x80, 0x45, 0xbd, 0xc0, 0xbe, 0x0c, 0x01, 0x79, 0x05, 0x22,
+	0xa9, 0xec, 0xa9, 0x62, 0xb5, 0x1c, 0xc0, 0xa8, 0xa6, 0x8f, 0xf8, 0x68,
+	0x94, 0x2e, 0xfe, 0xdd, 0xb2, 0x55, 0x08, 0x53, 0xff, 0x2d, 0x39, 0x5f,
+	0xeb, 0x23, 0x5a, 0x4b, 0x9f, 0x4f, 0xe3, 0xb4, 0x34, 0xf6, 0xf9, 0xaf,
+	0x0f, 0xd8, 0x37, 0x6d, 0xdb, 0x3c, 0x7f, 0xd3, 0x66, 0x80, 0x66, 0x01,
+	0x18, 0xd6, 0xa0, 0x90, 0x4f, 0x17, 0x09, 0xb8, 0x68, 0x44, 0xf0, 0xde,
+	0x16, 0x4a, 0x8a, 0x0d, 0xa7, 0x5f, 0xb5, 0x4c, 0x53, 0xcc, 0x21, 0xdd,
+	0x4f, 0x05, 0x64, 0xa5, 0xc5, 0xac, 0x2c, 0xd8, 0x0a, 0x7b, 0xf5, 0xa4,
+	0x63, 0x32, 0xb0, 0x2c, 0xf8, 0xef, 0x8c, 0xf8, 0x2c, 0xba, 0x1c, 0x2c,
+	0xc7, 0x0a, 0xf3, 0xe9, 0x8f, 0xfb, 0x0a, 0x61, 0x1b, 0x3a, 0xdd, 0x9f,
+	0x74, 0x7d, 0xb3, 0x42, 0x59, 0x52, 0x07, 0x59, 0x8e, 0xb7, 0x41
+};
+
+/** Key pair selection
+ *
+ * This exists only to allow for testing of the process for handling a
+ * failed TLS negotiation.
+ */
+#define icert_key_suffix a
+#define icert_key_variable( prefix ) _C2 ( prefix, icert_key_suffix )
+#define icert_public icert_key_variable ( icert_public_ )
+#define icert_private icert_key_variable ( icert_private_ )
+
+/** PEM certificate prefix */
+static const char icert_begin[] = "-----BEGIN CERTIFICATE-----\n";
+
+/** PEM certificate suffix */
+static const char icert_end[] = "\n-----END CERTIFICATE-----\n";
+
+/**
+ * Free pairing certificates
+ *
+ * @v icert		Pairing certificates
+ */
+static void icert_free ( struct icert *icert ) {
+
+	privkey_put ( icert->key );
+	x509_put ( icert->root );
+	x509_put ( icert->host );
+	x509_put ( icert->device );
+	memset ( icert, 0, sizeof ( *icert ) );
+}
+
+/**
+ * Construct certificate
+ *
+ * @v icert		Pairing certificates
+ * @v subject		Subject name
+ * @v issuer		Issuer name
+ * @v private		Private key
+ * @v public		Public key
+ * @v exts		Certificate extensions
+ * @v cert		Certificate to fill in
+ * @ret rc		Return status code
+ *
+ * On success, the caller is responsible for eventually calling
+ * x509_put() on the allocated encoded certificate.
+ */
+static int icert_cert ( struct icert *icert, struct asn1_cursor *subject,
+			struct asn1_cursor *issuer, struct asn1_cursor *private,
+			struct asn1_cursor *public, struct asn1_cursor *exts,
+			struct x509_certificate **cert ) {
+	struct digest_algorithm *digest = &sha256_algorithm;
+	struct pubkey_algorithm *pubkey = &rsa_algorithm;
+	struct asn1_builder spki = { NULL, 0 };
+	struct asn1_builder tbs = { NULL, 0 };
+	struct asn1_builder raw = { NULL, 0 };
+	uint8_t digest_ctx[SHA256_CTX_SIZE];
+	uint8_t digest_out[SHA256_DIGEST_SIZE];
+	uint8_t pubkey_ctx[RSA_CTX_SIZE];
+	int len;
+	int rc;
+
+	/* Initialise "private" key */
+	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, private->data,
+				  private->len ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not initialise private key: "
+		       "%s\n", icert, strerror ( rc ) );
+		goto err_pubkey_init;
+	}
+
+	/* Construct subjectPublicKeyInfo */
+	if ( ( rc = ( asn1_prepend_raw ( &spki, public->data, public->len ),
+		      asn1_prepend_raw ( &spki, icert_nul,
+					 sizeof ( icert_nul ) ),
+		      asn1_wrap ( &spki, ASN1_BIT_STRING ),
+		      asn1_prepend_raw ( &spki, icert_rsa,
+					 sizeof ( icert_rsa ) ),
+		      asn1_wrap ( &spki, ASN1_SEQUENCE ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build subjectPublicKeyInfo: "
+		       "%s\n", icert, strerror ( rc ) );
+		goto err_spki;
+	}
+
+	/* Construct tbsCertificate */
+	if ( ( rc = ( asn1_prepend_raw ( &tbs, exts->data, exts->len ),
+		      asn1_prepend_raw ( &tbs, spki.data, spki.len ),
+		      asn1_prepend_raw ( &tbs, subject->data, subject->len ),
+		      asn1_prepend_raw ( &tbs, icert_validity,
+					 sizeof ( icert_validity ) ),
+		      asn1_prepend_raw ( &tbs, issuer->data, issuer->len ),
+		      asn1_prepend_raw ( &tbs, icert_tbs_prefix,
+					 sizeof ( icert_tbs_prefix ) ),
+		      asn1_wrap ( &tbs, ASN1_SEQUENCE ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build tbsCertificate: %s\n",
+		       icert, strerror ( rc ) );
+		goto err_tbs;
+	}
+
+	/* Calculate certificate digest */
+	digest_init ( digest, digest_ctx );
+	digest_update ( digest, digest_ctx, tbs.data, tbs.len );
+	digest_final ( digest, digest_ctx, digest_out );
+
+	/* Construct signature */
+	if ( ( rc = asn1_grow ( &raw, pubkey_max_len ( pubkey,
+						       pubkey_ctx ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build signature: %s\n",
+		       icert, strerror ( rc ) );
+		goto err_grow;
+	}
+	if ( ( len = pubkey_sign ( pubkey, pubkey_ctx, digest, digest_out,
+				   raw.data ) ) < 0 ) {
+		rc = len;
+		DBGC ( icert, "ICERT %p could not sign: %s\n",
+		       icert, strerror ( rc ) );
+		goto err_pubkey_sign;
+	}
+	assert ( ( ( size_t ) len ) == raw.len );
+
+	/* Construct raw certificate data */
+	if ( ( rc = ( asn1_prepend_raw ( &raw, icert_nul,
+					 sizeof ( icert_nul ) ),
+		      asn1_wrap ( &raw, ASN1_BIT_STRING ),
+		      asn1_prepend_raw ( &raw, icert_sha256_rsa,
+					 sizeof ( icert_sha256_rsa ) ),
+		      asn1_prepend_raw ( &raw, tbs.data, tbs.len ),
+		      asn1_wrap ( &raw, ASN1_SEQUENCE ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build certificate: %s\n",
+		       icert, strerror ( rc ) );
+		goto err_raw;
+	}
+
+	/* Parse certificate */
+	if ( ( rc = x509_certificate ( raw.data, raw.len, cert ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p invalid certificate: %s\n",
+		       icert, strerror ( rc ) );
+		DBGC_HDA ( icert, 0, raw.data, raw.len );
+		goto err_x509;
+	}
+
+ err_x509:
+ err_raw:
+ err_pubkey_sign:
+	free ( raw.data );
+ err_grow:
+	free ( tbs.data );
+ err_tbs:
+	free ( spki.data );
+ err_spki:
+	pubkey_final ( pubkey, pubkey_ctx );
+ err_pubkey_init:
+	return rc;
+}
+
+/**
+ * Construct certificates
+ *
+ * @v icert		Certificate set
+ * @v pubkey		Device public key
+ * @ret rc		Return status code
+ */
+static int icert_certs ( struct icert *icert, struct asn1_cursor *key ) {
+	struct digest_algorithm *digest = icert_root.digest;
+	struct asn1_builder public = { NULL, 0 };
+	struct asn1_builder *private;
+	int rc;
+
+	/* Free any existing key and certificates */
+	icert_free ( icert );
+
+	/* Allocate "private" key */
+	icert->key = zalloc ( sizeof ( *icert->key ) );
+	if ( ! icert->key ) {
+		rc = -ENOMEM;
+		goto error;
+	}
+	privkey_init ( icert->key );
+	private = &icert->key->builder;
+
+	/* Construct our "private" key */
+	if ( ( rc = ( asn1_prepend_raw ( private, icert_private,
+					 sizeof ( icert_private ) ),
+		      asn1_prepend_raw ( private, icert_public,
+					 sizeof ( icert_public ) ),
+		      asn1_prepend ( private, ASN1_INTEGER, icert_nul,
+				     sizeof ( icert_nul ) ),
+		      asn1_wrap ( private, ASN1_SEQUENCE ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build private key: %s\n",
+		       icert, strerror ( rc ) );
+		goto error;
+	}
+
+	/* Construct our own public key */
+	if ( ( rc = ( asn1_prepend_raw ( &public, icert_public,
+					 sizeof ( icert_public ) ),
+		      asn1_wrap ( &public, ASN1_SEQUENCE ) ) ) != 0 ) {
+		DBGC ( icert, "ICERT %p could not build public key: %s\n",
+		       icert, strerror ( rc ) );
+		goto error;
+	}
+
+	/* Construct root certificate */
+	if ( ( rc = icert_cert ( icert, &icert_name_root, &icert_name_root,
+				 asn1_built ( private ), asn1_built ( &public ),
+				 &icert_root_exts, &icert->root ) ) != 0 )
+		goto error;
+
+	/* Construct host certificate */
+	if ( ( rc = icert_cert ( icert, &icert_name_ipxe, &icert_name_root,
+				 asn1_built ( private ), asn1_built ( &public ),
+				 &icert_leaf_exts, &icert->host ) ) != 0 )
+		goto error;
+
+	/* Construct device certificate */
+	if ( ( rc = icert_cert ( icert, &icert_name_iphone, &icert_name_root,
+				 asn1_built ( private ), key,
+				 &icert_leaf_exts, &icert->device ) ) != 0 )
+		goto error;
+
+	/* Construct root of trust */
+	assert ( digest->digestsize == sizeof ( icert_root_fingerprint ) );
+	x509_fingerprint ( icert->root, digest, icert_root_fingerprint );
+
+	/* Free constructed keys */
+	free ( public.data );
+	return 0;
+
+ error:
+	icert_free ( icert );
+	free ( public.data );
+	return rc;
+}
+
+/**
+ * Construct doubly base64-encoded certificate
+ *
+ * @v icert		Pairing certificates
+ * @v cert		X.509 certificate
+ * @v encenc		Doubly base64-encoded certificate to construct
+ * @ret rc		Return status code
+ *
+ * On success, the caller is responsible for eventually calling free()
+ * on the allocated doubly encoded encoded certificate.
+ */
+static int icert_encode ( struct icert *icert, struct x509_certificate *cert,
+			  char **encenc ) {
+	size_t encencoded_len;
+	size_t encoded_len;
+	size_t pem_len;
+	char *pem;
+	int rc;
+
+	/* Sanity check */
+	assert ( cert != NULL );
+
+	/* Create PEM */
+	encoded_len = ( base64_encoded_len ( cert->raw.len ) + 1 /* NUL */ );
+	pem_len = ( ( sizeof ( icert_begin ) - 1 /* NUL */ ) +
+		    ( encoded_len - 1 /* NUL */ ) +
+		    ( sizeof ( icert_end ) - 1 /* NUL */ ) +
+		    1 /* NUL */ );
+	pem = malloc ( pem_len );
+	if ( ! pem ) {
+		rc = -ENOMEM;
+		goto err_alloc_pem;
+	}
+	strcpy ( pem, icert_begin );
+	base64_encode ( cert->raw.data, cert->raw.len,
+			( pem + sizeof ( icert_begin ) - 1 /* NUL */ ),
+			encoded_len );
+	strcpy ( ( pem +
+		   ( sizeof ( icert_begin ) - 1 /* NUL */ ) +
+		   ( encoded_len - 1 /* NUL */ ) ), icert_end );
+	DBGC2 ( icert, "ICERT %p \"%s\" certificate:\n%s",
+		icert, x509_name ( cert ), pem );
+
+	/* Base64-encode the PEM (sic) */
+	encencoded_len = ( base64_encoded_len ( pem_len - 1 /* NUL */ )
+			   + 1 /* NUL */ );
+	*encenc = malloc ( encencoded_len );
+	if ( ! *encenc ) {
+		rc = -ENOMEM;
+		goto err_alloc_encenc;
+	}
+	base64_encode ( pem, ( pem_len - 1 /* NUL */ ), *encenc,
+			encencoded_len );
+
+	/* Success */
+	rc = 0;
+
+ err_alloc_encenc:
+	free ( pem );
+ err_alloc_pem:
+	return rc;
+}
+
+/******************************************************************************
+ *
+ * iPhone USB multiplexer
+ *
+ ******************************************************************************
+ *
+ * The iPhone USB multiplexer speaks a protocol that is almost, but
+ * not quite, entirely unlike TCP.
+ *
+ */
+
+/**
+ * Transmit message
+ *
+ * @v imux		USB multiplexer
+ * @v iobuf		I/O buffer
+ * @ret rc		Return status code
+ */
+static int imux_tx ( struct imux *imux, struct io_buffer *iobuf ) {
+	struct imux_header *hdr = iobuf->data;
+	size_t len = iob_len ( iobuf );
+	int rc;
+
+	/* Populate header */
+	assert ( len >= sizeof ( *hdr ) );
+	hdr->len = htonl ( len );
+	hdr->in_seq = htons ( imux->in_seq );
+	hdr->out_seq = htons ( imux->out_seq );
+	DBGCP ( imux, "IMUX %p transmitting:\n", imux );
+	DBGCP_HDA ( imux, 0, hdr, len );
+
+	/* Transmit message */
+	if ( ( rc = usb_stream ( &imux->usbnet.out, iobuf, 1 ) ) != 0 )
+		goto err;
+
+	/* Increment sequence number */
+	imux->out_seq++;
+
+	return 0;
+
+ err:
+	free_iob ( iobuf );
+	return rc;
+}
+
+/**
+ * Transmit version message
+ *
+ * @v imux		USB multiplexer
+ * @ret rc		Return status code
+ */
+static int imux_tx_version ( struct imux *imux ) {
+	struct io_buffer *iobuf;
+	struct imux_header_version *vers;
+	int rc;
+
+	/* Allocate I/O buffer */
+	iobuf = alloc_iob ( sizeof ( *vers ) );
+	if ( ! iobuf )
+		return -ENOMEM;
+	vers = iob_put ( iobuf, sizeof ( *vers ) );
+
+	/* Construct version message */
+	memset ( vers, 0, sizeof ( *vers ) );
+	vers->hdr.protocol = htonl ( IMUX_VERSION );
+
+	/* Transmit message */
+	if ( ( rc = imux_tx ( imux, iob_disown ( iobuf ) ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Transmit pseudo-TCP message
+ *
+ * @v imux		USB multiplexer
+ * @v iobuf		I/O buffer
+ * @ret rc		Return status code
+ */
+static int imux_tx_tcp ( struct imux *imux, struct io_buffer *iobuf ) {
+	struct imux_header_tcp *tcp = iobuf->data;
+	size_t len = iob_len ( iobuf );
+	int rc;
+
+	/* Populate TCP header */
+	assert ( len >= sizeof ( *tcp ) );
+	tcp->hdr.protocol = htonl ( IMUX_TCP );
+	tcp->tcp.src = htons ( imux->port );
+	tcp->tcp.dest = htons ( IMUX_PORT_LOCKDOWND );
+	tcp->tcp.seq = htonl ( imux->tcp_seq );
+	tcp->tcp.ack = htonl ( imux->tcp_ack );
+	tcp->tcp.hlen = ( ( sizeof ( tcp->tcp ) / 4 ) << 4 );
+	tcp->tcp.win = htons ( IMUX_WINDOW );
+
+	/* Transmit message */
+	if ( ( rc = imux_tx ( imux, iob_disown ( iobuf ) ) ) != 0 )
+		return rc;
+
+	/* Update TCP sequence */
+	imux->tcp_seq += ( len - sizeof ( *tcp ) );
+
+	return 0;
+}
+
+/**
+ * Transmit pseudo-TCP SYN
+ *
+ * @v imux		USB multiplexer
+ * @ret rc		Return status code
+ */
+static int imux_tx_syn ( struct imux *imux ) {
+	struct io_buffer *iobuf;
+	struct imux_header_tcp *syn;
+	int rc;
+
+	/* Allocate I/O buffer */
+	iobuf = alloc_iob ( sizeof ( *syn ) );
+	if ( ! iobuf )
+		return -ENOMEM;
+	syn = iob_put ( iobuf, sizeof ( *syn ) );
+
+	/* Construct TCP SYN message */
+	memset ( syn, 0, sizeof ( *syn ) );
+	syn->tcp.flags = TCP_SYN;
+
+	/* Transmit message */
+	if ( ( rc = imux_tx_tcp ( imux, iob_disown ( iobuf ) ) ) != 0 )
+		return rc;
+
+	/* Increment TCP sequence to compensate for SYN */
+	imux->tcp_seq++;
+
+	return 0;
+}
+
+/**
+ * Open pairing client
+ *
+ * @v imux		USB multiplexer
+ * @ret rc		Return status code
+ */
+static int imux_start_pair ( struct imux *imux ) {
+	int rc;
+
+	/* Disconnect any existing pairing client */
+	intf_restart ( &imux->tcp, -EPIPE );
+
+	/* Create pairing client */
+	if ( ( rc = ipair_create ( &imux->tcp, imux->flags ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Receive version message
+ *
+ * @v imux		USB multiplexer
+ */
+static void imux_rx_version ( struct imux *imux ) {
+
+	/* Reset output sequence */
+	imux->out_seq = 0;
+
+	/* Send TCP SYN */
+	imux->action = imux_tx_syn;
+}
+
+/**
+ * Receive log message
+ *
+ * @v imux		USB multiplexer
+ * @v hdr		Message header
+ * @v len		Length of message
+ */
+static void imux_rx_log ( struct imux *imux, struct imux_header *hdr,
+			  size_t len ) {
+	struct imux_header_log *log =
+		container_of ( hdr, struct imux_header_log, hdr );
+	unsigned int level;
+	size_t msg_len;
+	char *tmp;
+
+	/* Sanity check */
+	if ( len < sizeof ( *log ) ) {
+		DBGC ( imux, "IMUX %p malformed log message:\n", imux );
+		DBGC_HDA ( imux, 0, log, len );
+		return;
+	}
+
+	/* First byte is the log level, followed by a printable
+	 * message with no NUL terminator.  Extract the log level,
+	 * then shuffle the message down within the buffer and append
+	 * a NUL terminator.
+	 */
+	msg_len = ( len - sizeof ( *hdr ) );
+	level = log->level;
+	tmp = ( ( void * ) &log->level );
+	memmove ( tmp, &log->msg, msg_len );
+	tmp[msg_len] = '\0';
+
+	/* Print log message */
+	DBGC ( imux, "IMUX %p <%d>: %s\n", imux, level, tmp );
+}
+
+/**
+ * Receive pseudo-TCP SYN+ACK
+ *
+ * @v imux		USB multiplexer
+ */
+static void imux_rx_syn ( struct imux *imux ) {
+
+	/* Increment TCP acknowledgement to compensate for SYN */
+	imux->tcp_ack++;
+
+	/* Start pairing client */
+	imux->action = imux_start_pair;
+}
+
+/**
+ * Receive pseudo-TCP message
+ *
+ * @v imux		USB multiplexer
+ * @v iobuf		I/O buffer
+ */
+static void imux_rx_tcp ( struct imux *imux, struct io_buffer *iobuf ) {
+	struct imux_header_tcp *tcp = iobuf->data;
+	size_t len = iob_len ( iobuf );
+	int rc;
+
+	/* Sanity check */
+	if ( len < sizeof ( *tcp ) ) {
+		DBGC ( imux, "IMUX %p malformed TCP message:\n", imux );
+		DBGC_HDA ( imux, 0, tcp, len );
+		goto error;
+	}
+
+	/* Ignore unexpected packets */
+	if ( tcp->tcp.dest != htons ( imux->port ) ) {
+		DBGC ( imux, "IMUX %p ignoring unexpected TCP port %d:\n",
+		       imux, ntohs ( tcp->tcp.dest ) );
+		DBGC_HDA ( imux, 0, tcp, len );
+		goto error;
+	}
+
+	/* Ignore resets */
+	if ( tcp->tcp.flags & TCP_RST ) {
+		DBGC ( imux, "IMUX %p ignoring TCP RST\n", imux );
+		DBGC2_HDA ( imux, 0, tcp, len );
+		goto error;
+	}
+
+	/* Record ACK number */
+	imux->tcp_ack = ( ntohl ( tcp->tcp.seq ) + len - sizeof ( *tcp ) );
+
+	/* Handle received message */
+	if ( tcp->tcp.flags & TCP_SYN ) {
+
+		/* Received SYN+ACK */
+		imux_rx_syn ( imux );
+
+	} else {
+
+		/* Strip header */
+		iob_pull ( iobuf, sizeof ( *tcp ) );
+
+		/* Deliver via socket */
+		if ( ( rc = xfer_deliver_iob ( &imux->tcp,
+					       iob_disown ( iobuf ) ) ) != 0 )
+			goto error;
+	}
+
+ error:
+	free_iob ( iobuf );
+}
+
+/**
+ * Complete bulk IN transfer
+ *
+ * @v ep		USB endpoint
+ * @v iobuf		I/O buffer
+ * @v rc		Completion status code
+ */
+static void imux_in_complete ( struct usb_endpoint *ep,
+			       struct io_buffer *iobuf, int rc ) {
+	struct imux *imux = container_of ( ep, struct imux, usbnet.in );
+	struct imux_header *hdr = iobuf->data;
+	size_t len = iob_len ( iobuf );
+
+	/* Ignore packets cancelled when the endpoint closes */
+	if ( ! ep->open )
+		goto drop;
+
+	/* Report USB errors */
+	if ( rc != 0 ) {
+		DBGC ( imux, "IMUX %p bulk IN failed: %s\n",
+		       imux, strerror ( rc ) );
+		goto drop;
+	}
+
+	/* Sanity check */
+	if ( len < sizeof ( *hdr ) ) {
+		DBGC ( imux, "IMUX %p malformed message:\n", imux );
+		DBGC_HDA ( imux, 0, hdr, len );
+		goto drop;
+	}
+
+	/* Record input sequence */
+	imux->in_seq = ntohs ( hdr->in_seq );
+
+	/* Handle according to protocol */
+	DBGCP ( imux, "IMUX %p received:\n", imux );
+	DBGCP_HDA ( imux, 0, hdr, len );
+	switch ( hdr->protocol ) {
+	case htonl ( IMUX_VERSION ):
+		imux_rx_version ( imux );
+		break;
+	case htonl ( IMUX_LOG ):
+		imux_rx_log ( imux, hdr, len );
+		break;
+	case htonl ( IMUX_TCP ):
+		imux_rx_tcp ( imux, iob_disown ( iobuf ) );
+		break;
+	default:
+		DBGC ( imux, "IMUX %p unknown message type %d:\n",
+		       imux, ntohl ( hdr->protocol ) );
+		DBGC_HDA ( imux, 0, hdr, len );
+		break;
+	}
+
+ drop:
+	free_iob ( iobuf );
+}
+
+/** Bulk IN endpoint operations */
+static struct usb_endpoint_driver_operations imux_in_operations = {
+	.complete = imux_in_complete,
+};
+
+/**
+ * Complete bulk OUT transfer
+ *
+ * @v ep		USB endpoint
+ * @v iobuf		I/O buffer
+ * @v rc		Completion status code
+ */
+static void imux_out_complete ( struct usb_endpoint *ep,
+				struct io_buffer *iobuf, int rc ) {
+	struct imux *imux = container_of ( ep, struct imux, usbnet.out );
+
+	/* Report USB errors */
+	if ( rc != 0 ) {
+		DBGC ( imux, "IMUX %p bulk OUT failed: %s\n",
+		       imux, strerror ( rc ) );
+		goto error;
+	}
+
+ error:
+	free_iob ( iobuf );
+}
+
+/** Bulk OUT endpoint operations */
+static struct usb_endpoint_driver_operations imux_out_operations = {
+	.complete = imux_out_complete,
+};
+
+/**
+ * Shut down USB multiplexer
+ *
+ * @v imux		USB multiplexer
+ */
+static void imux_shutdown ( struct imux *imux ) {
+
+	/* Shut down interfaces */
+	intf_shutdown ( &imux->tcp, -ECANCELED );
+
+	/* Close USB network device, if open */
+	if ( process_running ( &imux->process ) ) {
+		process_del ( &imux->process );
+		usbnet_close ( &imux->usbnet );
+	}
+}
+
+/**
+ * Close USB multiplexer
+ *
+ * @v imux		USB multiplexer
+ * @v rc		Reason for close
+ */
+static void imux_close ( struct imux *imux, int rc ) {
+	struct iphone *iphone;
+
+	/* Restart interfaces */
+	intf_restart ( &imux->tcp, rc );
+
+	/* Record pairing status */
+	imux->rc = rc;
+
+	/* Trigger link check on any associated iPhones */
+	list_for_each_entry ( iphone, &iphones, list ) {
+		if ( iphone->usb == imux->usb )
+			start_timer_nodelay ( &iphone->timer );
+	}
+
+	/* Retry pairing on any error */
+	if ( rc != 0 ) {
+
+		/* Increment port number */
+		imux->port++;
+
+		/* Request pairing on any retry attempt */
+		imux->flags = IPAIR_REQUEST;
+
+		/* Send new pseudo-TCP SYN */
+		imux->action = imux_tx_syn;
+
+		DBGC ( imux, "IMUX %p retrying pairing: %s\n",
+		       imux, strerror ( rc ) );
+		return;
+	}
+
+	/* Shut down multiplexer on pairing success */
+	imux_shutdown ( imux );
+}
+
+/**
+ * Allocate I/O buffer for pseudo-TCP socket
+ *
+ * @v imux		USB multiplexer
+ * @v len		I/O buffer payload length
+ * @ret iobuf		I/O buffer
+ */
+static struct io_buffer * imux_alloc_iob ( struct imux *imux __unused,
+					   size_t len ) {
+	struct imux_header_tcp *tcp;
+	struct io_buffer *iobuf;
+
+	/* Allocate I/O buffer */
+	iobuf = alloc_iob ( sizeof ( *tcp ) + len );
+	if ( ! iobuf )
+		return NULL;
+
+	/* Reserve space for pseudo-TCP message header */
+	iob_reserve ( iobuf, sizeof ( *tcp ) );
+
+	return iobuf;
+}
+
+/**
+ * Transmit packet via pseudo-TCP socket
+ *
+ * @v imux		USB multiplexer
+ * @v iobuf		I/O buffer
+ * @v meta		Data transfer metadata
+ * @ret rc		Return status code
+ */
+static int imux_deliver ( struct imux *imux, struct io_buffer *iobuf,
+			  struct xfer_metadata *meta __unused ) {
+	struct imux_header_tcp *tcp;
+
+	/* Prepend pseudo-TCP header */
+	tcp = iob_push ( iobuf, sizeof ( *tcp ) );
+	memset ( tcp, 0, sizeof ( *tcp ) );
+	tcp->tcp.flags = TCP_ACK;
+
+	/* Transmit pseudo-TCP packet */
+	return imux_tx_tcp ( imux, iob_disown ( iobuf ) );
+}
+
+/** Pseudo-TCP socket interface operations */
+static struct interface_operation imux_tcp_operations[] = {
+	INTF_OP ( xfer_deliver, struct imux *, imux_deliver ),
+	INTF_OP ( xfer_alloc_iob, struct imux *, imux_alloc_iob ),
+	INTF_OP ( intf_close, struct imux *, imux_close ),
+};
+
+/** Pseudo-TCP socket interface descriptor */
+static struct interface_descriptor imux_tcp_desc =
+	INTF_DESC ( struct imux, tcp, imux_tcp_operations );
+
+/**
+ * Multiplexer process
+ *
+ * @v imux		USB multiplexer
+ */
+static void imux_step ( struct imux *imux ) {
+	int rc;
+
+	/* Poll USB bus */
+	usb_poll ( imux->bus );
+
+	/* Do nothing more if multiplexer has been closed */
+	if ( ! process_running ( &imux->process ) )
+		return;
+
+	/* Refill endpoints */
+	if ( ( rc = usbnet_refill ( &imux->usbnet ) ) != 0 ) {
+		/* Wait for next poll */
+		return;
+	}
+
+	/* Perform pending action, if any */
+	if ( imux->action ) {
+		if ( ( rc = imux->action ( imux ) ) != 0 )
+			imux_close ( imux, rc );
+		imux->action = NULL;
+	}
+}
+
+/** Multiplexer process descriptor */
+static struct process_descriptor imux_process_desc =
+	PROC_DESC ( struct imux, process, imux_step );
+
+/**
+ * Probe device
+ *
+ * @v func		USB function
+ * @v config		Configuration descriptor
+ * @ret rc		Return status code
+ */
+static int imux_probe ( struct usb_function *func,
+			struct usb_configuration_descriptor *config ) {
+	struct usb_device *usb = func->usb;
+	struct imux *imux;
+	int rc;
+
+	/* Allocate and initialise structure */
+	imux = zalloc ( sizeof ( *imux ) );
+	if ( ! imux ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+	ref_init ( &imux->refcnt, NULL );
+	imux->usb = usb;
+	imux->bus = usb->port->hub->bus;
+	usbnet_init ( &imux->usbnet, func, NULL, &imux_in_operations,
+		      &imux_out_operations );
+	usb_refill_init ( &imux->usbnet.in, 0, IMUX_IN_MTU, IMUX_IN_MAX_FILL );
+	process_init ( &imux->process, &imux_process_desc, &imux->refcnt );
+	imux->action = imux_tx_version;
+	imux->port = IMUX_PORT_LOCAL;
+	intf_init ( &imux->tcp, &imux_tcp_desc, &imux->refcnt );
+	imux->rc = -EINPROGRESS_PAIRING;
+
+	/* Describe USB network device */
+	if ( ( rc = usbnet_describe ( &imux->usbnet, config ) ) != 0 ) {
+		DBGC ( imux, "IMUX %p could not describe: %s\n",
+		       imux, strerror ( rc ) );
+		goto err_describe;
+	}
+
+	/* Open USB network device */
+	if ( ( rc = usbnet_open ( &imux->usbnet ) ) != 0 ) {
+		DBGC ( imux, "IMUX %p could not open: %s\n",
+		       imux, strerror ( rc ) );
+		goto err_open;
+	}
+
+	/* Start polling process */
+	process_add ( &imux->process );
+
+	/* Add to list of multiplexers */
+	list_add ( &imux->list, &imuxes );
+
+	usb_func_set_drvdata ( func, imux );
+	return 0;
+
+	list_del ( &imux->list );
+	imux_shutdown ( imux );
+ err_open:
+ err_describe:
+	ref_put ( &imux->refcnt );
+ err_alloc:
+	return rc;
+}
+
+/**
+ * Remove device
+ *
+ * @v func		USB function
+ */
+static void imux_remove ( struct usb_function *func ) {
+	struct imux *imux = usb_func_get_drvdata ( func );
+
+	list_del ( &imux->list );
+	imux_shutdown ( imux );
+	ref_put ( &imux->refcnt );
+}
+
+/** USB multiplexer device IDs */
+static struct usb_device_id imux_ids[] = {
+	{
+		.name = "imux",
+		.vendor = 0x05ac,
+		.product = USB_ANY_ID,
+	},
+};
+
+/** USB multiplexer driver */
+struct usb_driver imux_driver __usb_driver = {
+	.ids = imux_ids,
+	.id_count = ( sizeof ( imux_ids ) / sizeof ( imux_ids[0] ) ),
+	.class = USB_CLASS_ID ( 0xff, 0xfe, 0x02 ),
+	.score = USB_SCORE_NORMAL,
+	.probe = imux_probe,
+	.remove = imux_remove,
+};
+
+/******************************************************************************
+ *
+ * iPhone pairing client
+ *
+ ******************************************************************************
+ */
+
+/** Common prefix for all pairing messages */
+static const char ipair_prefix[] =
+	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+	"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" "
+	"\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
+	"<plist version=\"1.0\">\n"
+	"<dict>\n"
+	"<key>Label</key>\n"
+	"<string>iPXE</string>\n"
+	"<key>Request</key>\n";
+
+/** Common suffix for all pairing messages */
+static const char ipair_suffix[] =
+	"</dict>\n"
+	"</plist>\n";
+
+/** Arbitrary system BUID used for pairing */
+static const char ipair_system_buid[] = "E4DB92D2-248A-469A-AC34-92045D07E695";
+
+/** Arbitrary host ID used for pairing */
+static const char ipair_host_id[] = "93CEBC27-8457-4804-9108-F42549DF6143";
+
+static int ipair_tx_pubkey ( struct ipair *ipair );
+static int ipair_rx_pubkey ( struct ipair *ipair, char *msg );
+static int ipair_tx_pair ( struct ipair *ipair );
+static int ipair_rx_pair ( struct ipair *ipair, char *msg );
+static int ipair_tx_session ( struct ipair *ipair );
+static int ipair_rx_session ( struct ipair *ipair, char *msg );
+
+/**
+ * Free pairing client
+ *
+ * @v refcnt		Reference counter
+ */
+static void ipair_free ( struct refcnt *refcnt ) {
+	struct ipair *ipair = container_of ( refcnt, struct ipair, refcnt );
+
+	icert_free ( &ipair->icert );
+	free ( ipair );
+}
+
+/**
+ * Shut down pairing client
+ *
+ * @v ipair		Pairing client
+ * @v rc		Reason for close
+ */
+static void ipair_close ( struct ipair *ipair, int rc ) {
+
+	/* Shut down interfaces */
+	intf_shutdown ( &ipair->xfer, rc );
+
+	/* Stop timer */
+	stop_timer ( &ipair->timer );
+}
+
+/**
+ * Transmit XML message
+ *
+ * @v ipair		Pairing client
+ * @v fmt		Format string
+ * @v ...		Arguments
+ * @ret rc		Return status code
+ */
+static int __attribute__ (( format ( printf, 2, 3 ) ))
+ipair_tx ( struct ipair *ipair, const char *fmt, ... ) {
+	struct io_buffer *iobuf;
+	struct ipair_header *hdr;
+	va_list args;
+	size_t len;
+	char *msg;
+	int rc;
+
+	/* Calculate length of formatted string */
+	va_start ( args, fmt );
+	len = ( vsnprintf ( NULL, 0, fmt, args ) + 1 /* NUL */ );
+	va_end ( args );
+
+	/* Allocate I/O buffer */
+	iobuf = xfer_alloc_iob ( &ipair->xfer, ( sizeof ( *hdr ) + len ) );
+	if ( ! iobuf )
+		return -ENOMEM;
+	hdr = iob_put ( iobuf, sizeof ( *hdr ) );
+
+	/* Construct XML message */
+	memset ( hdr, 0, sizeof ( *hdr ) );
+	hdr->len = htonl ( len );
+	msg = iob_put ( iobuf, len );
+	vsnprintf ( msg, len, fmt, args );
+	DBGC2 ( ipair, "IPAIR %p transmitting:\n%s\n", ipair, msg );
+
+	/* Transmit message */
+	if ( ( rc = xfer_deliver_iob ( &ipair->xfer,
+				       iob_disown ( iobuf ) ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Receive XML message payload
+ *
+ * @v ipair		Pairing client
+ * @v msg		Message payload
+ * @v len		Length of message
+ * @ret rc		Return status code
+ */
+static int ipair_rx ( struct ipair *ipair, char *msg, size_t len ) {
+	int ( * rx ) ( struct ipair *ipair, char *msg );
+	int rc;
+
+	/* Ignore empty messages */
+	if ( ! len )
+		return 0;
+
+	/* Sanity check */
+	if ( ( msg[ len - 1 ] != '\0' ) && ( msg[ len - 1 ] != '\n' ) ) {
+		DBGC ( ipair, "IPAIR %p malformed XML:\n", ipair );
+		DBGC_HDA ( ipair, 0, msg, len );
+		return -EPROTO;
+	}
+
+	/* Add NUL terminator (potentially overwriting final newline) */
+	msg[ len - 1 ] = '\0';
+	DBGC2 ( ipair, "IPAIR %p received:\n%s\n\n", ipair, msg );
+
+	/* Handle according to current state */
+	rx = ipair->rx;
+	if ( ! rx ) {
+		DBGC ( ipair, "IPAIR %p unexpected XML:\n%s\n", ipair, msg );
+		return -EPROTO;
+	}
+	ipair->rx = NULL;
+	if ( ( rc = rx ( ipair, msg ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Locate XML tag
+ *
+ * @v ipair		Pairing client
+ * @v msg		XML message
+ * @v tag		Tag name
+ * @ret start		Start of tag content
+ * @ret end		End of tag content
+ * @ret rc		Return status code
+ */
+static int ipair_tag ( struct ipair *ipair, const char *msg, const char *tag,
+		       char **start, char **end ) {
+	char buf[ 2 /* "</" */ + strlen ( tag ) + 1 /* ">" */ + 1 /* NUL */ ];
+
+	/* Locate opening tag */
+	sprintf ( buf, "<%s>", tag );
+	*start = strstr ( msg, buf );
+	if ( ! *start )
+		return -ENOENT;
+	*start += strlen ( buf );
+
+	/* Locate closing tag */
+	sprintf ( buf, "</%s>", tag );
+	*end = strstr ( *start, buf );
+	if ( ! *end ) {
+		DBGC ( ipair, "IPAIR %p missing closing tag %s in:\n%s\n",
+		       ipair, buf, msg );
+		return -ENOENT;
+	}
+
+	return 0;
+}
+
+/**
+ * Locate XML property list dictionary value
+ *
+ * @v ipair		Pairing client
+ * @v msg		XML message
+ * @v key		Key name
+ * @v type		Key type
+ * @ret start		Start of value content
+ * @ret end		End of value content
+ * @ret rc		Return status code
+ */
+static int ipair_key ( struct ipair *ipair, const char *msg, const char *key,
+		       const char *type, char **start, char **end ) {
+	int rc;
+
+	/* Iterate over keys */
+	while ( 1 ) {
+
+		/* Locate key */
+		if ( ( rc = ipair_tag ( ipair, msg, "key", start,
+					end ) ) != 0 )
+			return rc;
+		msg = *end;
+
+		/* Check key name */
+		if ( memcmp ( *start, key, ( *end - *start ) ) != 0 )
+			continue;
+
+		/* Locate value */
+		return ipair_tag ( ipair, msg, type, start, end );
+	}
+}
+
+/**
+ * Transmit DevicePublicKey message
+ *
+ * @v ipair		Pairing client
+ * @ret rc		Return status code
+ */
+static int ipair_tx_pubkey ( struct ipair *ipair ) {
+	int rc;
+
+	/* Transmit message */
+	if ( ( rc = ipair_tx ( ipair,
+			       "%s"
+			       "<string>GetValue</string>\n"
+			       "<key>Key</key>\n"
+			       "<string>DevicePublicKey</string>\n"
+			       "%s",
+			       ipair_prefix, ipair_suffix ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Receive DevicePublicKey message
+ *
+ * @v ipair		Pairing client
+ * @v msg		XML message
+ * @ret rc		Return status code
+ */
+static int ipair_rx_pubkey ( struct ipair *ipair, char *msg ) {
+	struct asn1_cursor *key;
+	char *data;
+	char *end;
+	char *decoded;
+	size_t max_len;
+	int len;
+	int next;
+	int rc;
+
+	/* Locate "Value" value */
+	if ( ( rc = ipair_key ( ipair, msg, "Value", "data", &data,
+				&end ) ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p unexpected public key message:\n%s\n",
+		       ipair, msg );
+		goto err_tag;
+	}
+	*end = '\0';
+
+	/* Decode outer layer of Base64 */
+	max_len = base64_decoded_max_len ( data );
+	decoded = malloc ( max_len );
+	if ( ! decoded ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+	len = base64_decode ( data, decoded, max_len );
+	if ( len < 0 ) {
+		rc = len;
+		DBGC ( ipair, "IPAIR %p invalid outer public key:\n%s\n",
+		       ipair, data );
+		goto err_decode;
+	}
+
+	/* Decode inner layer of Base64 */
+	next = pem_asn1 ( virt_to_user ( decoded ), len, 0, &key );
+	if ( next < 0 ) {
+		rc = next;
+		DBGC ( ipair, "IPAIR %p invalid inner public key:\n%s\n",
+		       ipair, decoded );
+		goto err_asn1;
+	}
+	DBGC ( ipair, "IPAIR %p received public key\n", ipair );
+	DBGC2_HDA ( ipair, 0, key->data, key->len );
+
+	/* Construct certificates */
+	if ( ( rc = icert_certs ( &ipair->icert, key ) ) != 0 )
+		goto err_certs;
+
+	/* Send session request or pair request as applicable */
+	if ( ipair->flags & IPAIR_REQUEST ) {
+		ipair->tx = ipair_tx_pair;
+		ipair->rx = ipair_rx_pair;
+	} else {
+		ipair->tx = ipair_tx_session;
+		ipair->rx = ipair_rx_session;
+	}
+	start_timer_nodelay ( &ipair->timer );
+
+	/* Free key */
+	free ( key );
+
+	/* Free intermediate Base64 */
+	free ( decoded );
+
+	return 0;
+
+ err_certs:
+	free ( key );
+ err_asn1:
+ err_decode:
+	free ( decoded );
+ err_alloc:
+ err_tag:
+	return rc;
+}
+
+/**
+ * Transmit Pair message
+ *
+ * @v ipair		Pairing client
+ * @ret rc		Return status code
+ */
+static int ipair_tx_pair ( struct ipair *ipair ) {
+	char *root;
+	char *host;
+	char *device;
+	int rc;
+
+	/* Construct doubly encoded certificates */
+	if ( ( rc = icert_encode ( &ipair->icert, ipair->icert.root,
+				   &root ) ) != 0 )
+		goto err_root;
+	if ( ( rc = icert_encode ( &ipair->icert, ipair->icert.host,
+				   &host ) ) != 0 )
+		goto err_host;
+	if ( ( rc = icert_encode ( &ipair->icert, ipair->icert.device,
+				   &device ) ) != 0 )
+		goto err_device;
+
+	/* Transmit message */
+	if ( ( rc = ipair_tx ( ipair,
+			       "%s"
+			       "<string>Pair</string>\n"
+			       "<key>PairRecord</key>\n"
+			       "<dict>\n"
+			       "<key>RootCertificate</key>\n"
+			       "<data>%s</data>\n"
+			       "<key>HostCertificate</key>\n"
+			       "<data>%s</data>\n"
+			       "<key>DeviceCertificate</key>\n"
+			       "<data>%s</data>\n"
+			       "<key>SystemBUID</key>\n"
+			       "<string>%s</string>\n"
+			       "<key>HostID</key>\n"
+			       "<string>%s</string>\n"
+			       "</dict>\n"
+			       "<key>ProtocolVersion</key>\n"
+			       "<string>2</string>\n"
+			       "<key>PairingOptions</key>\n"
+			       "<dict>\n"
+			       "<key>ExtendedPairingErrors</key>\n"
+			       "<true/>\n"
+			       "</dict>\n"
+			       "%s",
+			       ipair_prefix, root, host, device,
+			       ipair_system_buid, ipair_host_id,
+			       ipair_suffix
+			       ) ) != 0 )
+		goto err_tx;
+
+ err_tx:
+	free ( device );
+ err_device:
+	free ( host );
+ err_host:
+	free ( root );
+ err_root:
+	return rc;
+}
+
+/**
+ * Receive Pair message error
+ *
+ * @v ipair		Pairing client
+ * @v error		Pairing error
+ * @ret rc		Return status code
+ */
+static int ipair_rx_pair_error ( struct ipair *ipair, char *error ) {
+
+	/* Check for actual errors */
+	if ( strcmp ( error, "PairingDialogResponsePending" ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p pairing error \"%s\"\n", ipair, error );
+		return -EPERM;
+	}
+
+	/* Retransmit pairing request */
+	ipair->tx = ipair_tx_pair;
+	ipair->rx = ipair_rx_pair;
+	start_timer_fixed ( &ipair->timer, IPAIR_RETRY_DELAY );
+
+	DBGC ( ipair, "IPAIR %p waiting for pairing dialog\n", ipair );
+	return 0;
+}
+
+/**
+ * Receive Pair message
+ *
+ * @v ipair		Pairing client
+ * @v msg		XML message
+ * @ret rc		Return status code
+ */
+static int ipair_rx_pair ( struct ipair *ipair, char *msg ) {
+	char *error;
+	char *escrow;
+	char *end;
+	int rc;
+
+	/* Check for pairing errors */
+	if ( ( rc = ipair_key ( ipair, msg, "Error", "string", &error,
+				&end ) ) == 0 ) {
+		*end = '\0';
+		return ipair_rx_pair_error ( ipair, error );
+	}
+
+	/* Get EscrowBag */
+	if ( ( rc = ipair_key ( ipair, msg, "EscrowBag", "data", &escrow,
+				&end ) ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p unexpected pairing response:\n%s\n",
+		       ipair, msg );
+		return rc;
+	}
+	DBGC ( ipair, "IPAIR %p pairing successful\n", ipair );
+
+	/* Send session request */
+	ipair->tx = ipair_tx_session;
+	ipair->rx = ipair_rx_session;
+	start_timer_nodelay ( &ipair->timer );
+
+	return 0;
+}
+
+/**
+ * Transmit StartSession message
+ *
+ * @v ipair		Pairing client
+ * @ret rc		Return status code
+ */
+static int ipair_tx_session ( struct ipair *ipair ) {
+	int rc;
+
+	/* Transmit message */
+	if ( ( rc = ipair_tx ( ipair,
+			       "%s"
+			       "<string>StartSession</string>\n"
+			       "<key>SystemBUID</key>\n"
+			       "<string>%s</string>\n"
+			       "<key>HostID</key>\n"
+			       "<string>%s</string>\n"
+			       "%s",
+			       ipair_prefix, ipair_system_buid,
+			       ipair_host_id, ipair_suffix
+			       ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Receive StartSession message error
+ *
+ * @v ipair		Pairing client
+ * @v error		Pairing error
+ * @ret rc		Return status code
+ */
+static int ipair_rx_session_error ( struct ipair *ipair, char *error ) {
+
+	/* Check for actual errors */
+	if ( strcmp ( error, "InvalidHostID" ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p session error \"%s\"\n", ipair, error );
+		return -EPERM;
+	}
+
+	/* Transmit pairing request */
+	ipair->tx = ipair_tx_pair;
+	ipair->rx = ipair_rx_pair;
+	start_timer_nodelay ( &ipair->timer );
+
+	DBGC ( ipair, "IPAIR %p unknown host: requesting pairing\n", ipair );
+	return 0;
+}
+
+/**
+ * Receive StartSession message
+ *
+ * @v ipair		Pairing client
+ * @v msg		XML message
+ * @ret rc		Return status code
+ */
+static int ipair_rx_session ( struct ipair *ipair, char *msg ) {
+	char *error;
+	char *session;
+	char *end;
+	int rc;
+
+	/* Check for session errors */
+	if ( ( rc = ipair_key ( ipair, msg, "Error", "string", &error,
+				&end ) ) == 0 ) {
+		*end = '\0';
+		return ipair_rx_session_error ( ipair, error );
+	}
+
+	/* Check for session ID */
+	if ( ( rc = ipair_key ( ipair, msg, "SessionID", "string", &session,
+				&end ) ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p unexpected session response:\n%s\n",
+		       ipair, msg );
+		return rc;
+	}
+	*end = '\0';
+	DBGC ( ipair, "IPAIR %p starting session \"%s\"\n", ipair, session );
+
+	/* Start TLS */
+	if ( ( rc = add_tls ( &ipair->xfer, "iPhone", &icert_root,
+			      ipair->icert.key ) ) != 0 ) {
+		DBGC ( ipair, "IPAIR %p could not start TLS: %s\n",
+		       ipair, strerror ( rc ) );
+		return rc;
+	}
+
+	/* Record that TLS has been started */
+	ipair->flags |= IPAIR_TLS;
+
+	return 0;
+}
+
+/**
+ * Handle window change notification
+ *
+ * @v ipair		Pairing client
+ */
+static void ipair_window_changed ( struct ipair *ipair ) {
+
+	/* Report pairing as complete once TLS session has been established */
+	if ( ( ipair->flags & IPAIR_TLS ) && xfer_window ( &ipair->xfer ) ) {
+
+		/* Sanity checks */
+		assert ( x509_is_valid ( ipair->icert.root, &icert_root ) );
+		assert ( x509_is_valid ( ipair->icert.device, &icert_root ) );
+		assert ( ! x509_is_valid ( ipair->icert.root, NULL ) );
+		assert ( ! x509_is_valid ( ipair->icert.host, NULL ) );
+		assert ( ! x509_is_valid ( ipair->icert.device, NULL ) );
+
+		/* Report pairing as complete */
+		DBGC ( ipair, "IPAIR %p established TLS session\n", ipair );
+		ipair_close ( ipair, 0 );
+		return;
+	}
+}
+
+/**
+ * Handle received data
+ *
+ * @v ipair		Pairing client
+ * @v iobuf		I/O buffer
+ * @v meta		Data transfer metadata
+ * @ret rc		Return status code
+ */
+static int ipair_deliver ( struct ipair *ipair, struct io_buffer *iobuf,
+			   struct xfer_metadata *meta __unused ) {
+	struct ipair_header *hdr;
+	int rc;
+
+	/* Strip header (which may appear in a separate packet) */
+	if ( ( ! ( ipair->flags & IPAIR_RX_LEN ) ) &&
+	     ( iob_len ( iobuf ) >= sizeof ( *hdr ) ) ) {
+		iob_pull ( iobuf, sizeof ( *hdr ) );
+		ipair->flags |= IPAIR_RX_LEN;
+	}
+
+	/* Clear received header flag if we have a message */
+	if ( iob_len ( iobuf ) )
+		ipair->flags &= ~IPAIR_RX_LEN;
+
+	/* Receive message */
+	if ( ( rc = ipair_rx ( ipair, iobuf->data, iob_len ( iobuf ) ) ) != 0 )
+		goto error;
+
+	/* Free I/O buffer */
+	free_iob ( iobuf );
+
+	return 0;
+
+ error:
+	ipair_close ( ipair, rc );
+	free_iob ( iobuf );
+	return rc;
+}
+
+/**
+ * Pairing transmission timer
+ *
+ * @v timer		Retransmission timer
+ * @v over		Failure indicator
+ */
+static void ipair_expired ( struct retry_timer *timer, int over __unused ) {
+	struct ipair *ipair = container_of ( timer, struct ipair, timer );
+	int ( * tx ) ( struct ipair *ipair );
+	int rc;
+
+	/* Sanity check */
+	tx = ipair->tx;
+	assert ( tx != NULL );
+
+	/* Clear pending transmission */
+	ipair->tx = NULL;
+
+	/* Transmit data, if applicable */
+	if ( ( rc = tx ( ipair ) ) != 0 )
+		ipair_close ( ipair, rc );
+}
+
+/** Pairing client interface operations */
+static struct interface_operation ipair_xfer_operations[] = {
+	INTF_OP ( xfer_deliver, struct ipair *, ipair_deliver ),
+	INTF_OP ( xfer_window_changed, struct ipair *, ipair_window_changed ),
+	INTF_OP ( intf_close, struct ipair *, ipair_close ),
+};
+
+/** Pairing client interface descriptor */
+static struct interface_descriptor ipair_xfer_desc =
+	INTF_DESC ( struct ipair, xfer, ipair_xfer_operations );
+
+/**
+ * Create a pairing client
+ *
+ * @v xfer		Data transfer interface
+ * @v flags		Initial state flags
+ * @ret rc		Return status code
+ */
+static int ipair_create ( struct interface *xfer, unsigned int flags ) {
+	struct ipair *ipair;
+	int rc;
+
+	/* Allocate and initialise structure */
+	ipair = zalloc ( sizeof ( *ipair ) );
+	if ( ! ipair ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+	ref_init ( &ipair->refcnt, ipair_free );
+	intf_init ( &ipair->xfer, &ipair_xfer_desc, &ipair->refcnt );
+	timer_init ( &ipair->timer, ipair_expired, &ipair->refcnt );
+	ipair->tx = ipair_tx_pubkey;
+	ipair->rx = ipair_rx_pubkey;
+	ipair->flags = flags;
+
+	/* Schedule initial transmission */
+	start_timer_nodelay ( &ipair->timer );
+
+	/* Attach to parent interface, mortalise self, and return */
+	intf_plug_plug ( &ipair->xfer, xfer );
+	ref_put ( &ipair->refcnt );
+	return 0;
+
+	ref_put ( &ipair->refcnt );
+ err_alloc:
+	return rc;
+}
+
+/******************************************************************************
+ *
+ * iPhone USB networking
+ *
+ ******************************************************************************
+ */
+
+/**
+ * Complete bulk IN transfer
+ *
+ * @v ep		USB endpoint
+ * @v iobuf		I/O buffer
+ * @v rc		Completion status code
+ */
+static void iphone_in_complete ( struct usb_endpoint *ep,
+				 struct io_buffer *iobuf, int rc ) {
+	struct iphone *iphone = container_of ( ep, struct iphone, usbnet.in );
+	struct net_device *netdev = iphone->netdev;
+
+	/* Profile receive completions */
+	profile_start ( &iphone_in_profiler );
+
+	/* Ignore packets cancelled when the endpoint closes */
+	if ( ! ep->open )
+		goto ignore;
+
+	/* Record USB errors against the network device */
+	if ( rc != 0 ) {
+		DBGC ( iphone, "IPHONE %p bulk IN failed: %s\n",
+		       iphone, strerror ( rc ) );
+		goto error;
+	}
+
+	/* Strip padding */
+	if ( iob_len ( iobuf ) < IPHONE_IN_PAD ) {
+		DBGC ( iphone, "IPHONE %p malformed bulk IN:\n", iphone );
+		DBGC_HDA ( iphone, 0, iobuf->data, iob_len ( iobuf ) );
+		rc = -EINVAL;
+		goto error;
+	}
+	iob_pull ( iobuf, IPHONE_IN_PAD );
+
+	/* Hand off to network stack */
+	netdev_rx ( netdev, iob_disown ( iobuf ) );
+
+	profile_stop ( &iphone_in_profiler );
+	return;
+
+ error:
+	netdev_rx_err ( netdev, iob_disown ( iobuf ), rc );
+ ignore:
+	free_iob ( iobuf );
+}
+
+/** Bulk IN endpoint operations */
+static struct usb_endpoint_driver_operations iphone_in_operations = {
+	.complete = iphone_in_complete,
+};
+
+/**
+ * Transmit packet
+ *
+ * @v iphone		iPhone device
+ * @v iobuf		I/O buffer
+ * @ret rc		Return status code
+ */
+static int iphone_out_transmit ( struct iphone *iphone,
+				 struct io_buffer *iobuf ) {
+	int rc;
+
+	/* Profile transmissions */
+	profile_start ( &iphone_out_profiler );
+
+	/* Enqueue I/O buffer */
+	if ( ( rc = usb_stream ( &iphone->usbnet.out, iobuf, 1 ) ) != 0 )
+		return rc;
+
+	profile_stop ( &iphone_out_profiler );
+	return 0;
+}
+
+/**
+ * Complete bulk OUT transfer
+ *
+ * @v ep		USB endpoint
+ * @v iobuf		I/O buffer
+ * @v rc		Completion status code
+ */
+static void iphone_out_complete ( struct usb_endpoint *ep,
+				  struct io_buffer *iobuf, int rc ) {
+	struct iphone *iphone = container_of ( ep, struct iphone, usbnet.out );
+	struct net_device *netdev = iphone->netdev;
+
+	/* Report TX completion */
+	netdev_tx_complete_err ( netdev, iobuf, rc );
+}
+
+/** Bulk OUT endpoint operations */
+static struct usb_endpoint_driver_operations iphone_out_operations = {
+	.complete = iphone_out_complete,
+};
+
+/**
+ * Check pairing status
+ *
+ * @v iphone		iPhone device
+ * @ret rc		Return status code
+ */
+static int iphone_check_pair ( struct iphone *iphone ) {
+	struct imux *imux;
+
+	/* Find corresponding USB multiplexer */
+	list_for_each_entry ( imux, &imuxes, list ) {
+		if ( imux->usb == iphone->usb )
+			return imux->rc;
+	}
+
+	return -EPIPE_NO_MUX;
+}
+
+/**
+ * Check link status
+ *
+ * @v netdev		Network device
+ */
+static void iphone_check_link ( struct net_device *netdev ) {
+	struct iphone *iphone = netdev->priv;
+	struct usb_device *usb = iphone->usb;
+	uint8_t status;
+	int rc;
+
+	/* Check pairing status */
+	if ( ( rc = iphone_check_pair ( iphone ) ) != 0 )
+		goto err_pair;
+
+	/* Get link status */
+	if ( ( rc = usb_control ( usb, IPHONE_GET_LINK, 0, 0, &status,
+				  sizeof ( status ) ) ) != 0 ) {
+		DBGC ( iphone, "IPHONE %p could not get link status: %s\n",
+		       iphone, strerror ( rc ) );
+		goto err_control;
+	}
+
+	/* Check link status */
+	if ( status != IPHONE_LINK_UP ) {
+		rc = -ENOTCONN_STATUS ( status );
+		goto err_status;
+	}
+
+	/* Success */
+	rc = 0;
+
+ err_status:
+ err_control:
+ err_pair:
+	/* Report link status.  Since we have to check the link
+	 * periodically (due to an absence of an interrupt endpoint),
+	 * do this only if the link status has actually changed.
+	 */
+	if ( rc != netdev->link_rc ) {
+		if ( rc == 0 ) {
+			DBGC ( iphone, "IPHONE %p link up\n", iphone );
+		} else {
+			DBGC ( iphone, "IPHONE %p link down: %s\n",
+			       iphone, strerror ( rc ) );
+		}
+		netdev_link_err ( netdev, rc );
+	}
+}
+
+/**
+ * Periodically update link status
+ *
+ * @v timer		Link status timer
+ * @v over		Failure indicator
+ */
+static void iphone_expired ( struct retry_timer *timer, int over __unused ) {
+	struct iphone *iphone = container_of ( timer, struct iphone, timer );
+	struct net_device *netdev = iphone->netdev;
+
+	/* Check link status */
+	iphone_check_link ( netdev );
+
+	/* Restart timer, if device is open */
+	if ( netdev_is_open ( netdev ) )
+		start_timer_fixed ( timer, IPHONE_LINK_CHECK_INTERVAL );
+}
+
+/**
+ * Open network device
+ *
+ * @v netdev		Network device
+ * @ret rc		Return status code
+ */
+static int iphone_open ( struct net_device *netdev ) {
+	struct iphone *iphone = netdev->priv;
+	int rc;
+
+	/* Open USB network device */
+	if ( ( rc = usbnet_open ( &iphone->usbnet ) ) != 0 ) {
+		DBGC ( iphone, "IPHONE %p could not open: %s\n",
+		       iphone, strerror ( rc ) );
+		goto err_open;
+	}
+
+	/* Start the link status check timer */
+	start_timer_nodelay ( &iphone->timer );
+
+	return 0;
+
+	usbnet_close ( &iphone->usbnet );
+ err_open:
+	return rc;
+}
+
+/**
+ * Close network device
+ *
+ * @v netdev		Network device
+ */
+static void iphone_close ( struct net_device *netdev ) {
+	struct iphone *iphone = netdev->priv;
+
+	/* Stop the link status check timer */
+	stop_timer ( &iphone->timer );
+
+	/* Close USB network device */
+	usbnet_close ( &iphone->usbnet );
+}
+
+/**
+ * Transmit packet
+ *
+ * @v netdev		Network device
+ * @v iobuf		I/O buffer
+ * @ret rc		Return status code
+ */
+static int iphone_transmit ( struct net_device *netdev,
+			     struct io_buffer *iobuf ) {
+	struct iphone *iphone = netdev->priv;
+	int rc;
+
+	/* Transmit packet */
+	if ( ( rc = iphone_out_transmit ( iphone, iobuf ) ) != 0 )
+		return rc;
+
+	return 0;
+}
+
+/**
+ * Poll for completed and received packets
+ *
+ * @v netdev		Network device
+ */
+static void iphone_poll ( struct net_device *netdev ) {
+	struct iphone *iphone = netdev->priv;
+	int rc;
+
+	/* Poll USB bus */
+	usb_poll ( iphone->bus );
+
+	/* Refill endpoints */
+	if ( ( rc = usbnet_refill ( &iphone->usbnet ) ) != 0 )
+		netdev_rx_err ( netdev, NULL, rc );
+}
+
+/** iPhone network device operations */
+static struct net_device_operations iphone_operations = {
+	.open		= iphone_open,
+	.close		= iphone_close,
+	.transmit	= iphone_transmit,
+	.poll		= iphone_poll,
+};
+
+/**
+ * Probe device
+ *
+ * @v func		USB function
+ * @v config		Configuration descriptor
+ * @ret rc		Return status code
+ */
+static int iphone_probe ( struct usb_function *func,
+			  struct usb_configuration_descriptor *config ) {
+	struct usb_device *usb = func->usb;
+	struct net_device *netdev;
+	struct iphone *iphone;
+	int rc;
+
+	/* Allocate and initialise structure */
+	netdev = alloc_etherdev ( sizeof ( *iphone ) );
+	if ( ! netdev ) {
+		rc = -ENOMEM;
+		goto err_alloc;
+	}
+	netdev_init ( netdev, &iphone_operations );
+	netdev->dev = &func->dev;
+	iphone = netdev->priv;
+	memset ( iphone, 0, sizeof ( *iphone ) );
+	iphone->usb = usb;
+	iphone->bus = usb->port->hub->bus;
+	iphone->netdev = netdev;
+	usbnet_init ( &iphone->usbnet, func, NULL, &iphone_in_operations,
+		      &iphone_out_operations );
+	usb_refill_init ( &iphone->usbnet.in, 0, IPHONE_IN_MTU,
+			  IPHONE_IN_MAX_FILL );
+	timer_init ( &iphone->timer, iphone_expired, &netdev->refcnt );
+	DBGC ( iphone, "IPHONE %p on %s\n", iphone, func->name );
+
+	/* Describe USB network device */
+	if ( ( rc = usbnet_describe ( &iphone->usbnet, config ) ) != 0 ) {
+		DBGC ( iphone, "IPHONE %p could not describe: %s\n",
+		       iphone, strerror ( rc ) );
+		goto err_describe;
+	}
+
+	/* Fetch MAC address */
+	if ( ( rc = usb_control ( usb, IPHONE_GET_MAC, 0, 0, netdev->hw_addr,
+				  ETH_ALEN ) ) != 0 ) {
+		DBGC ( iphone, "IPHONE %p could not fetch MAC address: %s\n",
+		       iphone, strerror ( rc ) );
+		goto err_fetch_mac;
+	}
+
+	/* Register network device */
+	if ( ( rc = register_netdev ( netdev ) ) != 0 )
+		goto err_register;
+
+	/* Set initial link status */
+	iphone_check_link ( netdev );
+
+	/* Add to list of iPhone network devices */
+	list_add ( &iphone->list, &iphones );
+
+	usb_func_set_drvdata ( func, iphone );
+	return 0;
+
+	list_del ( &iphone->list );
+	unregister_netdev ( netdev );
+ err_register:
+ err_fetch_mac:
+ err_describe:
+	netdev_nullify ( netdev );
+	netdev_put ( netdev );
+ err_alloc:
+	return rc;
+}
+
+/**
+ * Remove device
+ *
+ * @v func		USB function
+ */
+static void iphone_remove ( struct usb_function *func ) {
+	struct iphone *iphone = usb_func_get_drvdata ( func );
+	struct net_device *netdev = iphone->netdev;
+
+	list_del ( &iphone->list );
+	unregister_netdev ( netdev );
+	netdev_nullify ( netdev );
+	netdev_put ( netdev );
+}
+
+/** iPhone device IDs */
+static struct usb_device_id iphone_ids[] = {
+	{
+		.name = "iphone",
+		.vendor = 0x05ac,
+		.product = USB_ANY_ID,
+	},
+};
+
+/** iPhone driver */
+struct usb_driver iphone_driver __usb_driver = {
+	.ids = iphone_ids,
+	.id_count = ( sizeof ( iphone_ids ) / sizeof ( iphone_ids[0] ) ),
+	.class = USB_CLASS_ID ( 0xff, 0xfd, 0x01 ),
+	.score = USB_SCORE_NORMAL,
+	.probe = iphone_probe,
+	.remove = iphone_remove,
+};
+
+/* Drag in objects via iphone_driver */
+REQUIRING_SYMBOL ( iphone_driver );
+
+/* Drag in RSA-with-SHA256 OID prefixes */
+REQUIRE_OBJECT ( rsa_sha256 );
diff --git a/src/drivers/net/iphone.h b/src/drivers/net/iphone.h
new file mode 100644
index 0000000..2db6da7
--- /dev/null
+++ b/src/drivers/net/iphone.h
@@ -0,0 +1,291 @@
+#ifndef _IPHONE_H
+#define _IPHONE_H
+
+/** @file
+ *
+ * iPhone USB Ethernet driver
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <stdint.h>
+#include <ipxe/usb.h>
+#include <ipxe/usbnet.h>
+#include <ipxe/process.h>
+#include <ipxe/timer.h>
+#include <ipxe/retry.h>
+#include <ipxe/tcp.h>
+#include <ipxe/x509.h>
+#include <ipxe/privkey.h>
+
+/******************************************************************************
+ *
+ * iPhone pairing certificates
+ *
+ ******************************************************************************
+ */
+
+/** An iPhone pairing certificate set */
+struct icert {
+	/** "Private" key */
+	struct private_key *key;
+	/** Root certificate */
+	struct x509_certificate *root;
+	/** Host certificate */
+	struct x509_certificate *host;
+	/** Device certificate */
+	struct x509_certificate *device;
+};
+
+/******************************************************************************
+ *
+ * iPhone USB multiplexer
+ *
+ ******************************************************************************
+ */
+
+/** An iPhone USB multiplexed packet header */
+struct imux_header {
+	/** Protocol */
+	uint32_t protocol;
+	/** Length (including this header) */
+	uint32_t len;
+	/** Reserved */
+	uint32_t reserved;
+	/** Output sequence number */
+	uint16_t out_seq;
+	/** Input sequence number */
+	uint16_t in_seq;
+} __attribute__ (( packed ));
+
+/** iPhone USB multiplexer protocols */
+enum imux_protocol {
+	/** Version number */
+	IMUX_VERSION = 0,
+	/** Log message */
+	IMUX_LOG = 1,
+	/** TCP packet */
+	IMUX_TCP = IP_TCP,
+};
+
+/** An iPhone USB multiplexed version message header */
+struct imux_header_version {
+	/** Multiplexed packet header */
+	struct imux_header hdr;
+	/** Reserved */
+	uint32_t reserved;
+} __attribute__ (( packed ));
+
+/** An iPhone USB multiplexed log message header */
+struct imux_header_log {
+	/** Multiplexed packet header */
+	struct imux_header hdr;
+	/** Log level */
+	uint8_t level;
+	/** Message */
+	char msg[0];
+} __attribute__ (( packed ));
+
+/** An iPhone USB multiplexed pseudo-TCP message header */
+struct imux_header_tcp {
+	/** Multiplexed packet header */
+	struct imux_header hdr;
+	/** Pseudo-TCP header */
+	struct tcp_header tcp;
+} __attribute__ (( packed ));
+
+/** Local port number
+ *
+ * This is a policy decision.
+ */
+#define IMUX_PORT_LOCAL 0x18ae
+
+/** Lockdown daemon port number */
+#define IMUX_PORT_LOCKDOWND 62078
+
+/** Advertised TCP window
+ *
+ * This is a policy decision.
+ */
+#define IMUX_WINDOW 0x0200
+
+/** An iPhone USB multiplexer */
+struct imux {
+	/** Reference counter */
+	struct refcnt refcnt;
+	/** USB device */
+	struct usb_device *usb;
+	/** USB bus */
+	struct usb_bus *bus;
+	/** USB network device */
+	struct usbnet_device usbnet;
+	/** List of USB multiplexers */
+	struct list_head list;
+
+	/** Polling process */
+	struct process process;
+	/** Pending action
+	 *
+	 * @v imux		USB multiplexer
+	 * @ret rc		Return status code
+	 */
+	int ( * action ) ( struct imux *imux );
+
+	/** Input sequence */
+	uint16_t in_seq;
+	/** Output sequence */
+	uint16_t out_seq;
+	/** Pseudo-TCP sequence number */
+	uint32_t tcp_seq;
+	/** Pseudo-TCP acknowledgement number */
+	uint32_t tcp_ack;
+	/** Pseudo-TCP local port number */
+	uint16_t port;
+
+	/** Pseudo-TCP lockdown socket interface */
+	struct interface tcp;
+	/** Pairing flags */
+	unsigned int flags;
+	/** Pairing status */
+	int rc;
+};
+
+/** Multiplexer bulk IN maximum fill level
+ *
+ * This is a policy decision.
+ */
+#define IMUX_IN_MAX_FILL 1
+
+/** Multiplexer bulk IN buffer size
+ *
+ * This is a policy decision.
+ */
+#define IMUX_IN_MTU 4096
+
+/******************************************************************************
+ *
+ * iPhone pairing client
+ *
+ ******************************************************************************
+ */
+
+/** An iPhone USB multiplexed pseudo-TCP XML message header */
+struct ipair_header {
+	/** Message length */
+	uint32_t len;
+	/** Message */
+	char msg[0];
+} __attribute__ (( packed ));
+
+/** An iPhone pairing client */
+struct ipair {
+	/** Reference counter */
+	struct refcnt refcnt;
+	/** Data transfer interface */
+	struct interface xfer;
+
+	/** Pairing timer */
+	struct retry_timer timer;
+	/** Transmit message
+	 *
+	 * @v ipair		Pairing client
+	 * @ret rc		Return status code
+	 */
+	int ( * tx ) ( struct ipair *ipair );
+	/** Receive message
+	 *
+	 * @v ipair		Pairing client
+	 * @v msg		XML message
+	 * @ret rc		Return status code
+	 */
+	int ( * rx ) ( struct ipair *ipair, char *msg );
+	/** State flags */
+	unsigned int flags;
+
+	/** Pairing certificates */
+	struct icert icert;
+};
+
+/** Pairing client state flags */
+enum ipair_flags {
+	/** Request a new pairing */
+	IPAIR_REQUEST = 0x0001,
+	/** Standalone length has been received */
+	IPAIR_RX_LEN = 0x0002,
+	/** TLS session has been started */
+	IPAIR_TLS = 0x0004,
+};
+
+/** Pairing retry delay
+ *
+ * This is a policy decision.
+ */
+#define IPAIR_RETRY_DELAY ( 1 * TICKS_PER_SEC )
+
+/******************************************************************************
+ *
+ * iPhone USB networking
+ *
+ ******************************************************************************
+ */
+
+/** Get MAC address */
+#define IPHONE_GET_MAC							\
+	( USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE |		\
+	  USB_REQUEST_TYPE ( 0x00 ) )
+
+/** Get link status */
+#define IPHONE_GET_LINK							\
+	( USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE |		\
+	  USB_REQUEST_TYPE ( 0x45 ) )
+
+/** An iPhone link status */
+enum iphone_link_status {
+	/** Personal Hotspot is disabled */
+	IPHONE_LINK_DISABLED = 0x03,
+	/** Link up */
+	IPHONE_LINK_UP = 0x04,
+	/** Link not yet determined */
+	IPHONE_LINK_UNKNOWN = -1U,
+};
+
+/** An iPhone network device */
+struct iphone {
+	/** USB device */
+	struct usb_device *usb;
+	/** USB bus */
+	struct usb_bus *bus;
+	/** Network device */
+	struct net_device *netdev;
+	/** USB network device */
+	struct usbnet_device usbnet;
+
+	/** List of iPhone network devices */
+	struct list_head list;
+	/** Link status check timer */
+	struct retry_timer timer;
+};
+
+/** Bulk IN padding */
+#define IPHONE_IN_PAD 2
+
+/** Bulk IN buffer size
+ *
+ * This is a policy decision.
+ */
+#define IPHONE_IN_MTU ( ETH_FRAME_LEN + IPHONE_IN_PAD )
+
+/** Bulk IN maximum fill level
+ *
+ * This is a policy decision.
+ */
+#define IPHONE_IN_MAX_FILL 8
+
+/** Link check interval
+ *
+ * This is a policy decision.
+ */
+#define IPHONE_LINK_CHECK_INTERVAL ( 5 * TICKS_PER_SEC )
+
+#endif /* _IPHONE_H */
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 7c98909..3437a52 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -210,6 +210,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_pcimsix		     ( ERRFILE_DRIVER | 0x00cc0000 )
 #define ERRFILE_intelxlvf	     ( ERRFILE_DRIVER | 0x00cd0000 )
 #define ERRFILE_usbblk		     ( ERRFILE_DRIVER | 0x00ce0000 )
+#define ERRFILE_iphone		     ( ERRFILE_DRIVER | 0x00cf0000 )
 
 #define ERRFILE_aoe			( ERRFILE_NET | 0x00000000 )
 #define ERRFILE_arp			( ERRFILE_NET | 0x00010000 )