repart: Add --oem and OEM=

--oem can be used to only install OEM partitions (usr, verity,
verity-sig, ...). OEM= is used to indicate OEM partitions. If unset,
defaults to !FactoryReset. We also add a credential repart.oem to
allow configuring --oem via a credential.

man/repart.d.xml

@@ -567,6 +567,15 @@
         into their original state by removing partitions and creating them anew. Defaults to off.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>OEM=</varname></term>
+
+        <listitem><para>Takes a boolean argument. If specified the partition is marked as an OEM partition.
+        When the <option>--oem</option> is used, only OEM partitions are written to the partition table.
+        Unless configured explicitly with <varname>OEM=</varname>, a partition is an OEM partition if
+        <varname>FactoryReset=no</varname>.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>Flags=</varname></term>
 

man/systemd-repart.xml

@@ -440,6 +440,14 @@
         due to missing permissions.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--oem=</option><arg>BOOL</arg></term>
+
+        <listitem><para>Instructs <command>systemd-repart</command> to only include OEM partitions into the
+        image. Takes a boolean and is off by default. OEM partitions can be configured using the
+        <varname>OEM=</varname> setting.</para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />
       <xi:include href="standard-options.xml" xpointer="no-pager" />

src/partition/repart.c

@@ -24,6 +24,7 @@
 #include "conf-files.h"
 #include "conf-parser.h"
 #include "constants.h"
+#include "creds-util.h"
 #include "cryptsetup-util.h"
 #include "device-util.h"
 #include "devnum-util.h"
@@ -153,6 +154,7 @@ static uint64_t arg_sector_size = 0;
 static ImagePolicy *arg_image_policy = NULL;
 static Architecture arg_architecture = _ARCHITECTURE_INVALID;
 static int arg_offline = -1;
+static bool arg_oem = false;
 
 STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
@@ -205,6 +207,7 @@ typedef struct Partition {
 
         bool dropped;
         bool factory_reset;
+        int oem;
         int32_t priority;
 
         uint32_t weight, padding_weight;
@@ -350,6 +353,7 @@ static Partition *partition_new(void) {
                 .no_auto = -1,
                 .read_only = -1,
                 .growfs = -1,
+                .oem = -1,
         };
 
         return p;
@@ -423,9 +427,16 @@ static void partition_foreignize(Partition *p) {
         p->verity = VERITY_OFF;
 }
 
+static bool partition_is_oem(const Partition *p) {
+        return p->oem > 0 || (p->oem < 0 && !p->factory_reset);
+}
+
 static bool partition_exclude(const Partition *p) {
         assert(p);
 
+        if (arg_oem && !partition_is_oem(p))
+                return true;
+
         if (arg_filter_partitions_type == FILTER_PARTITIONS_NONE)
                 return false;
 
@@ -1631,6 +1642,7 @@ static int partition_read_definition(Partition *p, const char *path, const char
                 { "Partition", "GrowFileSystem",     config_parse_tristate,      0, &p->growfs               },
                 { "Partition", "SplitName",          config_parse_string,        0, &p->split_name_format    },
                 { "Partition", "Minimize",           config_parse_minimize,      0, &p->minimize             },
+                { "Partition", "OEM",                config_parse_tristate,      0, &p->oem                  },
                 {}
         };
         int r;
@@ -6004,6 +6016,7 @@ static int help(void) {
                "     --sector-size=SIZE   Set the logical sector size for the image\n"
                "     --architecture=ARCH  Set the generic architecture for the image\n"
                "     --offline=BOOL       Whether to build the image offline\n"
+               "     --oem=BOOL           Whether to only include OEM partitions\n"
                "\nSee the %s for details.\n",
                program_invocation_short_name,
                ansi_highlight(),
@@ -6013,6 +6026,17 @@ static int help(void) {
         return 0;
 }
 
+static int parse_credentials(void) {
+        int r;
+
+        r = read_credential_bool("repart.oem");
+        if (r < 0)
+                return log_error_errno(r, "Failed to read repart.oem credential: %m");
+        arg_oem = r;
+
+        return 0;
+}
+
 static int parse_argv(int argc, char *argv[]) {
 
         enum {
@@ -6047,6 +6071,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_SKIP_PARTITIONS,
                 ARG_ARCHITECTURE,
                 ARG_OFFLINE,
+                ARG_OEM,
         };
 
         static const struct option options[] = {
@@ -6081,6 +6106,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "sector-size",          required_argument, NULL, ARG_SECTOR_SIZE          },
                 { "architecture",         required_argument, NULL, ARG_ARCHITECTURE         },
                 { "offline",              required_argument, NULL, ARG_OFFLINE              },
+                { "oem",                  required_argument, NULL, ARG_OEM                  },
                 {}
         };
 
@@ -6402,6 +6428,13 @@ static int parse_argv(int argc, char *argv[]) {
 
                         break;
 
+                case ARG_OEM:
+                        r = parse_boolean_argument("--oem=", optarg, &arg_oem);
+                        if (r < 0)
+                                return r;
+
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -6898,6 +6931,10 @@ static int run(int argc, char *argv[]) {
         log_parse_environment();
         log_open();
 
+        r = parse_credentials();
+        if (r < 0)
+                return r;
+
         r = parse_argv(argc, argv);
         if (r <= 0)
                 return r;

test/units/testsuite-58.sh

@@ -132,6 +132,9 @@ EOF
 Type=home
 Label=home-first
 Label=home-always-too-long-xxxxxxxxxxxxxx-%v
+# Test that OEM=yes makes sure that a partition is OEM even if FactoryReset=yes is set.
+FactoryReset=yes
+OEM=yes
 EOF
 
     tee "$defs/swap.conf" <<EOF
@@ -139,6 +142,8 @@ EOF
 Type=swap
 SizeMaxBytes=64M
 PaddingMinBytes=92M
+# No OEM=yes here so this should not be considered an OEM partition since FactoryReset=yes.
+FactoryReset=yes
 EOF
 
     systemd-repart --offline="$OFFLINE" \
@@ -160,6 +165,26 @@ last-lba: 2097118
 $imgs/zzz1 : start=        2048, size=     1775576, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\"
 $imgs/zzz2 : start=     1777624, size=      131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\""
 
+    systemd-repart --offline="$OFFLINE" \
+                   --definitions="$defs" \
+                   --dry-run=no \
+                   --seed="$seed" \
+                   --empty=force \
+                   --include-partitions=home,swap \
+                   --oem=yes \
+                   --offline="$OFFLINE" \
+                   "$imgs/zzz"
+
+    output=$(sfdisk -d "$imgs/zzz" | grep -v -e 'sector-size' -e '^$')
+
+    assert_eq "$output" "label: gpt
+label-id: 1D2CE291-7CCE-4F7D-BC83-FDB49AD74EBD
+device: $imgs/zzz
+unit: sectors
+first-lba: 2048
+last-lba: 2097118
+$imgs/zzz1 : start=        2048, size=     2095064, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\""
+
     systemd-repart --offline="$OFFLINE" \
                    --definitions="$defs" \
                    --dry-run=no \