[WIP] Integrate with systemd factory reset support

2025-03-21 02:50:18 +03:00 · 2025-03-06 16:51:28 -05:00 · 2025-03-06 16:51:28 -05:00 · d57f81660f
commit d57f81660f
parent 3b1c653b71
7 changed files with 190 additions and 2 deletions
--- a/docs/FACTORY_RESET.md
+++ b/docs/FACTORY_RESET.md
@ -56,6 +56,14 @@ Specifically, the following concepts are available:
  and adds `factory-reset-now.target` to the boot transaction, already in the
  initial RAM disk (initrd).

+* The
+  [`systemd-factory-reset-esp.service`](https://www.freedesktop.org/software/systemd/man/latest/systemd-factory-reset-esp.service.html)
+  unit is invoked via `factory-reset-now.target`, and deletes non-vendor system
+  extension images, UKI addons, and credentials from the EFI System and Extended
+  Bootloader Partitions. See the
+  [`systemd-stub(7)`](https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html)
+  man page.
+
 * The
  [`systemd-factory-reset-complete.service`](https://www.freedesktop.org/software/systemd/man/latest/systemd-factory-reset-complete.service.html)
  unit is invoked after `factory-reset-now.target` and marks the factory reset
@ -118,8 +126,9 @@ order to execute the reset operation.
 ## Support for Resetting other Resources than Partitions + TPM

 By default a factory reset implemented with systemd's tools can reset/erase
-partitions (via `systemd-repart`, see above) and reset the TPM (via
-`systemd-tpm2-clear.service`, see above).
+partitions (via `systemd-repart`, see above), reset the TPM (via
+`systemd-tpm2-clear.service`, see above), and delete non-vendor resources from
+the ESP (via `systemd-factory-reset-esp.service`, see above).

 In some cases other resources shall be reset/erased too. To support that,
 define your own service and plug it into `factory-reset-now.target`, ensuring
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@ -942,6 +942,7 @@ manpages = [
  ['30-systemd-environment-d-generator'],
  'ENABLE_ENVIRONMENT_D'],
 ['systemd-escape', '1', [], ''],
+ ['systemd-factory-reset-esp.service', '8', [], ''],
 ['systemd-factory-reset-generator', '8', [], ''],
 ['systemd-factory-reset',
  '8',
--- a/man/systemd-factory-reset-esp.xml
+++ b/man/systemd-factory-reset-esp.xml
@ -0,0 +1,50 @@
+<?xml version="1.0"?>
+<!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+<refentry id="systemd-factory-reset"
+          xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>systemd-factory-reset-esp.service</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>systemd-factory-reset-esp.service</refentrytitle>
+    <manvolnum>8</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>systemd-factory-reset-esp.service</refname>
+    <refpurpose>Delete non-vendor content from the ESP and XBOOTLDR</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>/usr/lib/systemd/systemd-factory-reset-esp</filename></para>
+    <para><filename>systemd-factory-reset-esp.service</filename></para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><filename>systemd-factory-reset-esp.service</filename> is a part of systemd's factory reset logic,
+    which deletes non-vendor system extension images, UKI addons, and credentials from the EFI System and
+    Extended Bootloader Partitions. The vendor and non-vendor versions of these resources are stored in
+    different directories, as described in <member><citerefentry><refentrytitle>systemd-stub</refentrytitle>
+    <manvolnum>7</manvolnum></citerefentry></member>.</para>
+
+    <para>See <ulink url="https://systemd.io/FACTORY_RESET">Factory Reset</ulink> for an overview of the
+    factory reset logic.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-factory-reset</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><ulink url="https://systemd.io/FACTORY_RESET">Factory Reset</ulink></member>
+    </simplelist></para>
+  </refsect1>
+</refentry>
--- a/src/factory-reset/factory-reset-esp.c
+++ b/src/factory-reset/factory-reset-esp.c
@ -0,0 +1,95 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <getopt.h>
+
+#include "ansi-color.h"
+#include "bootspec.h"
+#include "find-esp.h"
+#include "main-func.h"
+
+static int help(void) {
+        _cleanup_free_ char *link = NULL;
+        int r;
+
+        r = terminal_urlify_man("systemd-factory-reset-esp.service", "8", &link);
+        if (r < 0)
+                return log_oom();
+
+        printf("%1$s [OPTIONS...]\n"
+               "\n%5$sDelete non-vendor contents from ESP and XBOOTLDR.%6$s\n"
+               "\n%3$sOptions:%4$s\n"
+               "  -h --help          Show this help\n"
+               "     --version       Print version\n"
+               "\nSee the %2$s for details.\n",
+               program_invocation_short_name,
+               link,
+               ansi_underline(),
+               ansi_normal(),
+               ansi_highlight(),
+               ansi_normal());
+
+        return 0;
+}
+
+static int parse_argv(int argc, char *argv[]) {
+        enum {
+                ARG_VERSION = 0x100,
+        };
+
+        static const struct option options[] = {
+                { "help",      no_argument, NULL, 'h'           },
+                { "version",   no_argument, NULL, ARG_VERSION   },
+                {}
+        };
+
+        int r, c;
+
+        assert(argc >= 0);
+        assert(argv);
+
+        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+                switch (c) {
+
+                case 'h':
+                        return help();
+
+                case ARG_VERSION:
+                        return version();
+
+                case '?':
+                        return -EINVAL;
+
+                default:
+                        assert_not_reached();
+                }
+
+        return 1;
+}
+
+static int run(int argc, char *argv[]) {
+        int r;
+
+        log_setup();
+
+        r = parse_argv(argc, argv);
+        if (r <= 0)
+                return r;
+
+        FactoryResetMode f = factory_reset_mode();
+        if (f < 0)
+                return log_error_errno(f, "Failed to determine factory reset mode: %m");
+        if (f != FACTORY_RESET_ON)
+                return log_error("We are not currently in factory reset mode. Refusing operation.");
+
+
+        _cleanup_(boot_config_free) BootConfig bc = BOOT_CONFIG_NULL;
+        r = boot_config_load_auto(&bc, NULL, NULL);
+        if (r < 0)
+                log_error_errno(r, "Failed to load boot config: %m");
+
+        // TODO: Walk the ESP and XBOOTLDR, and delete the non-vendor stuff!
+
+        return 0;
+}
+
+DEFINE_MAIN_FUNCTION(run);
--- a/src/factory-reset/meson.build
+++ b/src/factory-reset/meson.build
@ -5,6 +5,10 @@ executables += [
                'name' : 'systemd-factory-reset',
                'sources' : files('factory-reset-tool.c'),
        },
+        libexec_template + {
+                'name' : 'systemd-factory-reset-esp',
+                'sources' : files('factory-reset-esp.c'),
+        },
        generator_template + {
                'name' : 'systemd-factory-reset-generator',
                'sources' : files('factory-reset-generator.c'),
--- a/units/meson.build
+++ b/units/meson.build
@ -329,6 +329,7 @@ units = [
          'symlinks' : ['sockets.target.wants/'],
        },
        { 'file' : 'systemd-factory-reset-complete.service.in' },
+        { 'file' : 'systemd-factory-reset-esp.service' },
        { 'file' : 'systemd-factory-reset-reboot.service' },
        {
          'file' : 'systemd-factory-reset-request.service.in',
--- a/units/systemd-factory-reset-esp.service.in
+++ b/units/systemd-factory-reset-esp.service.in
@ -0,0 +1,28 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+##########################################################################################
+# TODO: Edit this!
+##########################################################################################
+
+[Unit]
+Description=Delete non-vendor content from the ESP and XBOOTLDR
+Documentation=man:systemd-factory-reset-esp.service(8)
+DefaultDependencies=no
+Requires=factory-reset-now.target
+After=factory-reset-now.target
+Conflicts=shutdown.target
+Before=shutdown.target
+RefuseManualStart=yes
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-factory-reset complete --retrigger