[cip-dev][isar-cip-core][RFC v2 0/6] Add factory-reset

[cip-dev][isar-cip-core][RFC v2 0/6] Add factory-reset

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>


This adds an new hooks for factory-reset to the
initramfs. This hook will

- format the disk.
- In case of a encrypted disk factory reset the TPM is cleared(all keys
  are deleted)

In case of an encrypted file system the marker hook needs to be stored
in a readable location, e.g. one of the boot partitions or the efi
partition.

Changes v2:
 - make marker check a separate script
 - change data-reset to factory-reset hook

Quirin Gylstorff (6):
  add factory-reset initramfs hook
  add factory-reset-helper to set the marker file
  encrypt-data.yml: Add factory-reset information to encrypt-data
  cip-core-image: add factory-reset helper
  add factory-reset to initramfs
  Add settings for factory-reset with a separate home partition

 kas/opt/encrypt-data.yml                      |  3 +
 kas/opt/separate-home-partition.yml           |  3 +
 recipes-core/images/cip-core-image.bb         |  2 +-
 .../cip-core-initramfs/cip-core-initramfs.bb  |  1 +
 .../files/detect-marker-file                  | 33 +++++++++
 .../initramfs-factory-reset-hook/files/hook   |  7 ++
 .../files/local-top-complete                  | 67 +++++++++++++++++++
 .../files/reset-env.tmpl                      |  4 ++
 .../initramfs-factory-reset-hook_0.1.bb       | 52 ++++++++++++++
 .../factory-reset-helper_0.1.bb               | 34 ++++++++++
 .../files/set-factory-reset-marker.sh.tmpl    | 28 ++++++++
 11 files changed, 233 insertions(+), 1 deletion(-)
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/hook
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
 create mode 100644 recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
 create mode 100644 recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl

-- 
2.47.0

[cip-dev][isar-cip-core][RFC v2 1/6] add factory-reset initramfs hook

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows to reset the device back to first boot by
formatting the persistent partitions.

The reset occurs if a file defined by the variable
INITRAMFS_FACTORY_RESET_MARKER
exists in the device INITRAMFS_FACTORY_RESET_MARKER_DEVICE.

In case of disk encryption it will invalidate the keys
stored in the TPM.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/detect-marker-file                  | 33 +++++++++
 .../initramfs-factory-reset-hook/files/hook   |  7 ++
 .../files/local-top-complete                  | 67 +++++++++++++++++++
 .../files/reset-env.tmpl                      |  4 ++
 .../initramfs-factory-reset-hook_0.1.bb       | 52 ++++++++++++++
 5 files changed, 163 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/hook
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb

diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
new file mode 100644
index 0000000..30e399e
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+#
+# This implementation check for the a existing file to trigger a
+# factory reset. Prints 'true' in case the marker was found
+
+check_for_factory_reset() {
+	marker="$(basename ${INITRAMFS_FACTORY_RESET_MARKER})"
+	marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
+	storage_mnt="$(findmnt findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
+	tmp_mount=$(mktemp -d)
+	# check for marker
+	if [ -z "${storage_mnt}" ]; then
+		if ! mount -t "$(get_fstype "${marker_storage_device}")" \
+			 "${marker_storage_device}" \
+			 "${tmp_mount}"; then
+			panic "Can't mount ${marker_storage_device}!"
+		fi
+		storage_mnt="$tmp_mount"
+	fi
+	if [ -e "${storage_mnt}/${marker}" ]; then
+		echo "true"
+		# delete marker
+		rm "${storage_mnt}/${marker}"
+	fi
+	if mountpoint -q "$tmp_mount"; then
+		umount "$tmp_mount"
+	fi
+	rmdir "$tmp_mount"
+}
+
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/hook b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
new file mode 100644
index 0000000..4b4ff25
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
@@ -0,0 +1,7 @@
+# Copyright (C) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+copy_file library /usr/share/factory-reset/factory_reset_marker /usr/share/factory-reset/factory_reset_marker
+copy_file library /usr/share/factory-reset/reset-env /usr/share/factory-reset/reset-env
+
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
new file mode 100644
index 0000000..82d8d42
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+prereqs() {
+	# no prereqs we want in front of crypt
+	echo ""
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+
+set -x
+. /scripts/functions
+. /usr/share/factory-reset/reset-env
+. /usr/share/factory-reset/factory_reset_marker
+
+target_devices="${INITRAMFS_FACTORY_RESET_DEVICES}"
+
+if [ "$(check_for_factory_reset)" = "true" ]; then
+	log_begin_msg "Factory Reset"
+	for target in ${target_devices}; do
+		log_begin_msg "Reset device: $target"
+		fs_type=$(get_fstype ${target})
+		case "$target" in
+			*by-partlabel*)
+				label="$(basename "${target}" )"
+			;;
+			*)
+				label=$(blkid --match-tag LABEL "$target" | awk -F= '{gsub(/"/,"");print $2}' )
+				if [ -z "${label}" ]; then
+					log_warning_msg "Could not find any label  for target '$target'"
+				fi
+			;;
+		esac
+		if [ "$fs_type" = "luks" ]; then
+			# after this the data on the encrypted partition
+			# is inaccessible
+			tpm2_clear
+			# with encryption the original fs_type is hidden
+			# use a variable from the reset-env to set it
+			fs_type="$INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
+		fi
+		case ${fs_type} in
+		ext*)
+			/sbin/mke2fs -L "${label}" -F -t ext4 "${target}"
+			;;
+		btrfs)
+			/sbin/mkfs.btrfs -L "${label}" --force "${target}"
+			;;
+		*)
+			log_warning_msg "Unrecognized filesystem type ${fs_type} - could not format"
+			;;
+		esac
+		log_end_msg "Reset device: $target"
+	done
+	log_end_msg "Factory Reset"
+fi
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
new file mode 100644
index 0000000..ed68398
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
@@ -0,0 +1,4 @@
+INITRAMFS_FACTORY_RESET_MARKER="${INITRAMFS_FACTORY_RESET_MARKER}"
+INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
+INITRAMFS_FACTORY_RESET_DEVICES="${INITRAMFS_FACTORY_RESET_DEVICES}"
+INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE="${INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE}"
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
new file mode 100644
index 0000000..9e765b9
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
@@ -0,0 +1,52 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-initramfs/initramfs-hook/hook.inc
+DESCRIPTION = "Delete the content of the given Devices"
+
+# find the file defined by INITRAMFS_FACTORY_RESET_MARKER in
+# INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE. Important
+# this function does not work with disk encryption.
+FACTORY_RESET_DETECT_MARKER ?= "detect-marker-file"
+
+# if this file exists execute a factory reset for the given
+# list of factory-reset targets.
+INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
+# use labels as crypt setup replaces the label links if
+# an partition is encrypted
+INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"
+
+# list of partitions by label
+INITRAMFS_FACTORY_RESET_DEVICES ??= "/dev/disk/by-partlabel/var"
+INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE ??= "ext4"
+SRC_URI += " \
+    file://reset-env.tmpl \
+    file://local-top-complete \
+    file://${FACTORY_RESET_DETECT_MARKER} \
+    file://hook"
+
+TEMPLATE_FILES += "reset-env.tmpl"
+TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
+                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE \
+                   INITRAMFS_FACTORY_RESET_DEVICES \
+                   INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
+
+DEBIAN_DEPENDS .= ", coreutils, util-linux, e2fsprogs, btrfs-progs, awk"
+DEBIAN_DEPENDS:append:encrypt-partitions = ", tpm2-tools"
+HOOK_COPY_EXECS = "mountpoint findmnt mktemp rmdir basename mke2fs mkfs.btrfs awk blkid rm"
+HOOK_COPY_EXECS:append:encrypt-partitions = " tpm2_clear"
+
+do_install[cleandirs] += "${D}/usr/share/factory-reset/"
+do_install:prepend() {
+    install -m 0755 "${WORKDIR}/reset-env" \
+        "${D}/usr/share/factory-reset/reset-env"
+    install -m 0755 "${WORKDIR}/${FACTORY_RESET_DETECT_MARKER}" \
+        "${D}/usr/share/factory-reset/factory_reset_marker"
+}
-- 
2.47.0

[cip-dev][isar-cip-core][PATCH v3 1/6] add factory-reset initramfs hook

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows to reset the device back to first boot by
formatting the persistent partitions.

The reset occurs if a file defined by the variable
INITRAMFS_FACTORY_RESET_MARKER
exists in the device INITRAMFS_FACTORY_RESET_MARKER_DEVICE.

In case of disk encryption it will invalidate the keys
stored in the TPM.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes v3:
 - remove `set -x`

 .../files/detect-marker-file                  | 33 ++++++++++
 .../initramfs-factory-reset-hook/files/hook   |  7 ++
 .../files/local-top-complete                  | 66 +++++++++++++++++++
 .../files/reset-env.tmpl                      |  4 ++
 .../initramfs-factory-reset-hook_0.1.bb       | 52 +++++++++++++++
 5 files changed, 162 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/hook
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
 create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb

diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
new file mode 100644
index 0000000..30e399e
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (C) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+#
+# This implementation check for the a existing file to trigger a
+# factory reset. Prints 'true' in case the marker was found
+
+check_for_factory_reset() {
+	marker="$(basename ${INITRAMFS_FACTORY_RESET_MARKER})"
+	marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
+	storage_mnt="$(findmnt findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
+	tmp_mount=$(mktemp -d)
+	# check for marker
+	if [ -z "${storage_mnt}" ]; then
+		if ! mount -t "$(get_fstype "${marker_storage_device}")" \
+			 "${marker_storage_device}" \
+			 "${tmp_mount}"; then
+			panic "Can't mount ${marker_storage_device}!"
+		fi
+		storage_mnt="$tmp_mount"
+	fi
+	if [ -e "${storage_mnt}/${marker}" ]; then
+		echo "true"
+		# delete marker
+		rm "${storage_mnt}/${marker}"
+	fi
+	if mountpoint -q "$tmp_mount"; then
+		umount "$tmp_mount"
+	fi
+	rmdir "$tmp_mount"
+}
+
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/hook b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
new file mode 100644
index 0000000..4b4ff25
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
@@ -0,0 +1,7 @@
+# Copyright (C) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+copy_file library /usr/share/factory-reset/factory_reset_marker /usr/share/factory-reset/factory_reset_marker
+copy_file library /usr/share/factory-reset/reset-env /usr/share/factory-reset/reset-env
+
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
new file mode 100644
index 0000000..d8e06be
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+prereqs() {
+	# no prereqs we want in front of crypt
+	echo ""
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+
+. /scripts/functions
+. /usr/share/factory-reset/reset-env
+. /usr/share/factory-reset/factory_reset_marker
+
+target_devices="${INITRAMFS_FACTORY_RESET_DEVICES}"
+
+if [ "$(check_for_factory_reset)" = "true" ]; then
+	log_begin_msg "Factory Reset"
+	for target in ${target_devices}; do
+		log_begin_msg "Reset device: $target"
+		fs_type=$(get_fstype ${target})
+		case "$target" in
+			*by-partlabel*)
+				label="$(basename "${target}" )"
+			;;
+			*)
+				label=$(blkid --match-tag LABEL "$target" | awk -F= '{gsub(/"/,"");print $2}' )
+				if [ -z "${label}" ]; then
+					log_warning_msg "Could not find any label  for target '$target'"
+				fi
+			;;
+		esac
+		if [ "$fs_type" = "luks" ]; then
+			# after this the data on the encrypted partition
+			# is inaccessible
+			tpm2_clear
+			# with encryption the original fs_type is hidden
+			# use a variable from the reset-env to set it
+			fs_type="$INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
+		fi
+		case ${fs_type} in
+		ext*)
+			/sbin/mke2fs -L "${label}" -F -t ext4 "${target}"
+			;;
+		btrfs)
+			/sbin/mkfs.btrfs -L "${label}" --force "${target}"
+			;;
+		*)
+			log_warning_msg "Unrecognized filesystem type ${fs_type} - could not format"
+			;;
+		esac
+		log_end_msg "Reset device: $target"
+	done
+	log_end_msg "Factory Reset"
+fi
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
new file mode 100644
index 0000000..ed68398
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
@@ -0,0 +1,4 @@
+INITRAMFS_FACTORY_RESET_MARKER="${INITRAMFS_FACTORY_RESET_MARKER}"
+INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
+INITRAMFS_FACTORY_RESET_DEVICES="${INITRAMFS_FACTORY_RESET_DEVICES}"
+INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE="${INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE}"
diff --git a/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
new file mode 100644
index 0000000..9e765b9
--- /dev/null
+++ b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
@@ -0,0 +1,52 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-initramfs/initramfs-hook/hook.inc
+DESCRIPTION = "Delete the content of the given Devices"
+
+# find the file defined by INITRAMFS_FACTORY_RESET_MARKER in
+# INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE. Important
+# this function does not work with disk encryption.
+FACTORY_RESET_DETECT_MARKER ?= "detect-marker-file"
+
+# if this file exists execute a factory reset for the given
+# list of factory-reset targets.
+INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
+# use labels as crypt setup replaces the label links if
+# an partition is encrypted
+INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"
+
+# list of partitions by label
+INITRAMFS_FACTORY_RESET_DEVICES ??= "/dev/disk/by-partlabel/var"
+INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE ??= "ext4"
+SRC_URI += " \
+    file://reset-env.tmpl \
+    file://local-top-complete \
+    file://${FACTORY_RESET_DETECT_MARKER} \
+    file://hook"
+
+TEMPLATE_FILES += "reset-env.tmpl"
+TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
+                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE \
+                   INITRAMFS_FACTORY_RESET_DEVICES \
+                   INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
+
+DEBIAN_DEPENDS .= ", coreutils, util-linux, e2fsprogs, btrfs-progs, awk"
+DEBIAN_DEPENDS:append:encrypt-partitions = ", tpm2-tools"
+HOOK_COPY_EXECS = "mountpoint findmnt mktemp rmdir basename mke2fs mkfs.btrfs awk blkid rm"
+HOOK_COPY_EXECS:append:encrypt-partitions = " tpm2_clear"
+
+do_install[cleandirs] += "${D}/usr/share/factory-reset/"
+do_install:prepend() {
+    install -m 0755 "${WORKDIR}/reset-env" \
+        "${D}/usr/share/factory-reset/reset-env"
+    install -m 0755 "${WORKDIR}/${FACTORY_RESET_DETECT_MARKER}" \
+        "${D}/usr/share/factory-reset/factory_reset_marker"
+}
-- 
2.47.0

Re: [cip-dev][isar-cip-core][PATCH v3 1/6] add factory-reset initramfs hook

[Jan Kiszka]

On 07.05.25 10:10, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to reset the device back to first boot by
> formatting the persistent partitions.
> 
> The reset occurs if a file defined by the variable
> INITRAMFS_FACTORY_RESET_MARKER
> exists in the device INITRAMFS_FACTORY_RESET_MARKER_DEVICE.
> 
> In case of disk encryption it will invalidate the keys
> stored in the TPM.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Changes v3:
>  - remove `set -x`
> 
>  .../files/detect-marker-file                  | 33 ++++++++++
>  .../initramfs-factory-reset-hook/files/hook   |  7 ++
>  .../files/local-top-complete                  | 66 +++++++++++++++++++
>  .../files/reset-env.tmpl                      |  4 ++
>  .../initramfs-factory-reset-hook_0.1.bb       | 52 +++++++++++++++
>  5 files changed, 162 insertions(+)
>  create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
>  create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/hook
>  create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
>  create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
>  create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
> 
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
> new file mode 100644
> index 0000000..30e399e
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +# Copyright (C) Siemens AG, 2025
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +# This implementation check for the a existing file to trigger a
> +# factory reset. Prints 'true' in case the marker was found
> +
> +check_for_factory_reset() {
> +	marker="$(basename ${INITRAMFS_FACTORY_RESET_MARKER})"
> +	marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
> +	storage_mnt="$(findmnt findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
> +	tmp_mount=$(mktemp -d)
> +	# check for marker
> +	if [ -z "${storage_mnt}" ]; then
> +		if ! mount -t "$(get_fstype "${marker_storage_device}")" \
> +			 "${marker_storage_device}" \
> +			 "${tmp_mount}"; then
> +			panic "Can't mount ${marker_storage_device}!"
> +		fi
> +		storage_mnt="$tmp_mount"
> +	fi
> +	if [ -e "${storage_mnt}/${marker}" ]; then
> +		echo "true"
> +		# delete marker
> +		rm "${storage_mnt}/${marker}"
> +	fi
> +	if mountpoint -q "$tmp_mount"; then
> +		umount "$tmp_mount"
> +	fi
> +	rmdir "$tmp_mount"
> +}
> +
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/hook b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
> new file mode 100644
> index 0000000..4b4ff25
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/files/hook
> @@ -0,0 +1,7 @@
> +# Copyright (C) Siemens AG, 2025
> +#
> +# SPDX-License-Identifier: MIT
> +
> +copy_file library /usr/share/factory-reset/factory_reset_marker /usr/share/factory-reset/factory_reset_marker
> +copy_file library /usr/share/factory-reset/reset-env /usr/share/factory-reset/reset-env
> +
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
> new file mode 100644
> index 0000000..d8e06be
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
> @@ -0,0 +1,66 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +prereqs() {
> +	# no prereqs we want in front of crypt
> +	echo ""
> +}
> +case $1 in
> +prereqs)
> +	prereqs
> +	exit 0
> +	;;
> +esac
> +
> +
> +. /scripts/functions

If you do not need anything special here (at least I'm not seeing
anything), please switch by to auto-constructed local-top.

> +. /usr/share/factory-reset/reset-env
> +. /usr/share/factory-reset/factory_reset_marker

Do you plan to reuse that code outside of this local-top hook? If not,
why putting it into a separate script?

Naming is also a bit confusing - it's no the marker, it's the evaluation
logic for it.

Jan

> +
> +target_devices="${INITRAMFS_FACTORY_RESET_DEVICES}"
> +
> +if [ "$(check_for_factory_reset)" = "true" ]; then
> +	log_begin_msg "Factory Reset"
> +	for target in ${target_devices}; do
> +		log_begin_msg "Reset device: $target"
> +		fs_type=$(get_fstype ${target})
> +		case "$target" in
> +			*by-partlabel*)
> +				label="$(basename "${target}" )"
> +			;;
> +			*)
> +				label=$(blkid --match-tag LABEL "$target" | awk -F= '{gsub(/"/,"");print $2}' )
> +				if [ -z "${label}" ]; then
> +					log_warning_msg "Could not find any label  for target '$target'"
> +				fi
> +			;;
> +		esac
> +		if [ "$fs_type" = "luks" ]; then
> +			# after this the data on the encrypted partition
> +			# is inaccessible
> +			tpm2_clear
> +			# with encryption the original fs_type is hidden
> +			# use a variable from the reset-env to set it
> +			fs_type="$INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
> +		fi
> +		case ${fs_type} in
> +		ext*)
> +			/sbin/mke2fs -L "${label}" -F -t ext4 "${target}"
> +			;;
> +		btrfs)
> +			/sbin/mkfs.btrfs -L "${label}" --force "${target}"
> +			;;
> +		*)
> +			log_warning_msg "Unrecognized filesystem type ${fs_type} - could not format"
> +			;;
> +		esac
> +		log_end_msg "Reset device: $target"
> +	done
> +	log_end_msg "Factory Reset"
> +fi
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
> new file mode 100644
> index 0000000..ed68398
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
> @@ -0,0 +1,4 @@
> +INITRAMFS_FACTORY_RESET_MARKER="${INITRAMFS_FACTORY_RESET_MARKER}"
> +INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
> +INITRAMFS_FACTORY_RESET_DEVICES="${INITRAMFS_FACTORY_RESET_DEVICES}"
> +INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE="${INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE}"
> diff --git a/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
> new file mode 100644
> index 0000000..9e765b9
> --- /dev/null
> +++ b/recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
> @@ -0,0 +1,52 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +require recipes-initramfs/initramfs-hook/hook.inc
> +DESCRIPTION = "Delete the content of the given Devices"
> +
> +# find the file defined by INITRAMFS_FACTORY_RESET_MARKER in
> +# INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE. Important
> +# this function does not work with disk encryption.
> +FACTORY_RESET_DETECT_MARKER ?= "detect-marker-file"
> +
> +# if this file exists execute a factory reset for the given
> +# list of factory-reset targets.
> +INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
> +# use labels as crypt setup replaces the label links if
> +# an partition is encrypted
> +INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"
> +
> +# list of partitions by label
> +INITRAMFS_FACTORY_RESET_DEVICES ??= "/dev/disk/by-partlabel/var"
> +INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE ??= "ext4"
> +SRC_URI += " \
> +    file://reset-env.tmpl \
> +    file://local-top-complete \
> +    file://${FACTORY_RESET_DETECT_MARKER} \
> +    file://hook"
> +
> +TEMPLATE_FILES += "reset-env.tmpl"
> +TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
> +                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE \
> +                   INITRAMFS_FACTORY_RESET_DEVICES \
> +                   INITRAMFS_FACTORY_RESET_LUKS_FORMAT_TYPE"
> +
> +DEBIAN_DEPENDS .= ", coreutils, util-linux, e2fsprogs, btrfs-progs, awk"
> +DEBIAN_DEPENDS:append:encrypt-partitions = ", tpm2-tools"
> +HOOK_COPY_EXECS = "mountpoint findmnt mktemp rmdir basename mke2fs mkfs.btrfs awk blkid rm"
> +HOOK_COPY_EXECS:append:encrypt-partitions = " tpm2_clear"
> +
> +do_install[cleandirs] += "${D}/usr/share/factory-reset/"
> +do_install:prepend() {
> +    install -m 0755 "${WORKDIR}/reset-env" \
> +        "${D}/usr/share/factory-reset/reset-env"
> +    install -m 0755 "${WORKDIR}/${FACTORY_RESET_DETECT_MARKER}" \
> +        "${D}/usr/share/factory-reset/factory_reset_marker"
> +}

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

[cip-dev][isar-cip-core][RFC v2 2/6] add factory-reset-helper to set the marker file

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This adds an helper script
`/usr/lib/factory-reset/set-factory-reset-marker` which writes the marker file to
the correct location.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../factory-reset-helper_0.1.bb               | 34 +++++++++++++++++++
 .../files/set-factory-reset-marker.sh.tmpl    | 28 +++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
 create mode 100644 recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl

diff --git a/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
new file mode 100644
index 0000000..72cf5fd
--- /dev/null
+++ b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+DPKG_ARCH = "all"
+DESCRIPTION = "helper script to execute a factory reset with a file"
+
+# if this file exists execute a factory reset for the given
+# list of factory-reset targets.
+INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
+# use labels as crypt setup replaces the label links if
+# an partition is encrypted
+INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"
+
+SRC_URI = "file://set-factory-reset-marker.sh.tmpl"
+
+TEMPLATE_FILES += "set-factory-reset-marker.sh.tmpl"
+TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
+                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE"
+DEBIAN_DEPENDS .= ", coreutils, util-linux"
+
+do_install[cleandirs] += "${D}/usr/lib/factory-reset/"
+do_install:prepend() {
+    install -m 0755 "${WORKDIR}/set-factory-reset-marker.sh" \
+        "${D}/usr/lib/factory-reset/"
+}
+
diff --git a/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
new file mode 100644
index 0000000..eacb8fb
--- /dev/null
+++ b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+
+marker="$(basename "${INITRAMFS_FACTORY_RESET_MARKER}")"
+marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
+
+marker_mnt="$(findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
+tmp_mnt=$(mktemp -d)
+if [ -z "$marker_mnt" ]; then
+  mount "${marker_storage_device}" "$tmp_mnt"
+  marker_mnt="${tmp_mnt}"
+fi
+touch "${marker_mnt}/${marker}"
+
+if mountpoint -q "$tmp_mnt"; then
+   umount "$tmp_mnt"
+fi
+rmdir "$tmp_mnt"
+
-- 
2.47.0

Re: [cip-dev][isar-cip-core][RFC v2 2/6] add factory-reset-helper to set the marker file

[Jan Kiszka]

On 06.05.25 14:07, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This adds an helper script
> `/usr/lib/factory-reset/set-factory-reset-marker` which writes the marker file to
> the correct location.
> 

Missing description how to use this. This way, it's just some piece of
script, lying around in a folder that is on no one's radar.

> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../factory-reset-helper_0.1.bb               | 34 +++++++++++++++++++
>  .../files/set-factory-reset-marker.sh.tmpl    | 28 +++++++++++++++
>  2 files changed, 62 insertions(+)
>  create mode 100644 recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
>  create mode 100644 recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
> 
> diff --git a/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
> new file mode 100644
> index 0000000..72cf5fd
> --- /dev/null
> +++ b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
> @@ -0,0 +1,34 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +inherit dpkg-raw
> +DPKG_ARCH = "all"
> +DESCRIPTION = "helper script to execute a factory reset with a file"

...to request the reset via a marker file. It's not executing anything.

> +
> +# if this file exists execute a factory reset for the given
> +# list of factory-reset targets.
> +INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
> +# use labels as crypt setup replaces the label links if
> +# an partition is encrypted
> +INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"

This is duplicating configuration of initramfs-factory-reset-hook. You
should make clear that the expectation is that these variable are tuned
at global conf level, not in the recipes.

That leads the point that we are missing some overview document that
describes the adaptation and usage of this new feature.

Jan

> +
> +SRC_URI = "file://set-factory-reset-marker.sh.tmpl"
> +
> +TEMPLATE_FILES += "set-factory-reset-marker.sh.tmpl"
> +TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
> +                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE"
> +DEBIAN_DEPENDS .= ", coreutils, util-linux"
> +
> +do_install[cleandirs] += "${D}/usr/lib/factory-reset/"
> +do_install:prepend() {
> +    install -m 0755 "${WORKDIR}/set-factory-reset-marker.sh" \
> +        "${D}/usr/lib/factory-reset/"
> +}
> +
> diff --git a/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
> new file mode 100644
> index 0000000..eacb8fb
> --- /dev/null
> +++ b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
> @@ -0,0 +1,28 @@
> +#!/bin/sh
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2025
> +#
> +# Authors:
> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +
> +marker="$(basename "${INITRAMFS_FACTORY_RESET_MARKER}")"
> +marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
> +
> +marker_mnt="$(findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
> +tmp_mnt=$(mktemp -d)
> +if [ -z "$marker_mnt" ]; then
> +  mount "${marker_storage_device}" "$tmp_mnt"
> +  marker_mnt="${tmp_mnt}"
> +fi
> +touch "${marker_mnt}/${marker}"
> +
> +if mountpoint -q "$tmp_mnt"; then
> +   umount "$tmp_mnt"
> +fi
> +rmdir "$tmp_mnt"
> +


-- 
Siemens AG, Foundational Technologies
Linux Expert Center

Re: [cip-dev][isar-cip-core][RFC v2 2/6] add factory-reset-helper to set the marker file

[Quirin Gylstorff]

On 5/8/25 14:51, Jan Kiszka wrote:
> On 06.05.25 14:07, Quirin Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This adds an helper script
>> `/usr/lib/factory-reset/set-factory-reset-marker` which writes the marker file to
>> the correct location.
>>
> 
> Missing description how to use this. This way, it's just some piece of
> script, lying around in a folder that is on no one's radar.
> 
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   .../factory-reset-helper_0.1.bb               | 34 +++++++++++++++++++
>>   .../files/set-factory-reset-marker.sh.tmpl    | 28 +++++++++++++++
>>   2 files changed, 62 insertions(+)
>>   create mode 100644 recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
>>   create mode 100644 recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
>>
>> diff --git a/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
>> new file mode 100644
>> index 0000000..72cf5fd
>> --- /dev/null
>> +++ b/recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
>> @@ -0,0 +1,34 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2025
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +inherit dpkg-raw
>> +DPKG_ARCH = "all"
>> +DESCRIPTION = "helper script to execute a factory reset with a file"
> 
> ...to request the reset via a marker file. It's not executing anything.
> 
>> +
>> +# if this file exists execute a factory reset for the given
>> +# list of factory-reset targets.
>> +INITRAMFS_FACTORY_RESET_MARKER ?= ".factory-reset"
>> +# use labels as crypt setup replaces the label links if
>> +# an partition is encrypted
>> +INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE ??= "/dev/disk/by-partlabel/var"
> 
> This is duplicating configuration of initramfs-factory-reset-hook. You
> should make clear that the expectation is that these variable are tuned
> at global conf level, not in the recipes.
> 
> That leads the point that we are missing some overview document that
> describes the adaptation and usage of this new feature.

After our discussion, I would change the marker to an efi variable or an 
ebg user variable. This remove the need to define a specific marker device.

Also i will move the read and write of the marker to this helper script 
which will be included by the initramfs-hook to detect an marker.

Quirin
> 
> Jan
> 
>> +
>> +SRC_URI = "file://set-factory-reset-marker.sh.tmpl"
>> +
>> +TEMPLATE_FILES += "set-factory-reset-marker.sh.tmpl"
>> +TEMPLATE_VARS += " INITRAMFS_FACTORY_RESET_MARKER \
>> +                   INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE"
>> +DEBIAN_DEPENDS .= ", coreutils, util-linux"
>> +
>> +do_install[cleandirs] += "${D}/usr/lib/factory-reset/"
>> +do_install:prepend() {
>> +    install -m 0755 "${WORKDIR}/set-factory-reset-marker.sh" \
>> +        "${D}/usr/lib/factory-reset/"
>> +}
>> +
>> diff --git a/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
>> new file mode 100644
>> index 0000000..eacb8fb
>> --- /dev/null
>> +++ b/recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
>> @@ -0,0 +1,28 @@
>> +#!/bin/sh
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2025
>> +#
>> +# Authors:
>> +#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +
>> +marker="$(basename "${INITRAMFS_FACTORY_RESET_MARKER}")"
>> +marker_storage_device="${INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE}"
>> +
>> +marker_mnt="$(findmnt  --first-only --output TARGET --noheadings "${marker_storage_device}")"
>> +tmp_mnt=$(mktemp -d)
>> +if [ -z "$marker_mnt" ]; then
>> +  mount "${marker_storage_device}" "$tmp_mnt"
>> +  marker_mnt="${tmp_mnt}"
>> +fi
>> +touch "${marker_mnt}/${marker}"
>> +
>> +if mountpoint -q "$tmp_mnt"; then
>> +   umount "$tmp_mnt"
>> +fi
>> +rmdir "$tmp_mnt"
>> +
> 
> 

[cip-dev][isar-cip-core][RFC v2 3/6] encrypt-data.yml: Add factory-reset information to encrypt-data

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/encrypt-data.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kas/opt/encrypt-data.yml b/kas/opt/encrypt-data.yml
index 3de76ab..4292d4c 100644
--- a/kas/opt/encrypt-data.yml
+++ b/kas/opt/encrypt-data.yml
@@ -15,3 +15,6 @@ header:
 local_conf_header:
   initramfs-option-encrypt-partitions: |
     OVERRIDES .= ":encrypt-partitions"
+  initramfs-factory-reset: |
+    INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE = "/dev/disk/by-partlabel/BOOT0"
+
-- 
2.47.0

Re: [cip-dev][isar-cip-core][RFC v2 3/6] encrypt-data.yml: Add factory-reset information to encrypt-data

[Jan Kiszka]

On 06.05.25 14:07, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  kas/opt/encrypt-data.yml | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kas/opt/encrypt-data.yml b/kas/opt/encrypt-data.yml
> index 3de76ab..4292d4c 100644
> --- a/kas/opt/encrypt-data.yml
> +++ b/kas/opt/encrypt-data.yml
> @@ -15,3 +15,6 @@ header:
>  local_conf_header:
>    initramfs-option-encrypt-partitions: |
>      OVERRIDES .= ":encrypt-partitions"
> +  initramfs-factory-reset: |
> +    INITRAMFS_FACTORY_RESET_MARKER_STORAGE_DEVICE = "/dev/disk/by-partlabel/BOOT0"
> +

Hmm, can't we probe for a reset script on all overlay devices? Then this
would be one variable less to maintain.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

[cip-dev][isar-cip-core][RFC v2 4/6] cip-core-image: add factory-reset helper

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/images/cip-core-image.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 4a9cea9..fb3b185 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -14,6 +14,6 @@ require cip-core-image.inc
 DESCRIPTION = "CIP Core image"
 
 IMAGE_INSTALL += "customizations"
-
+IMAGE_INSTALL += "factory-reset-helper"
 CIP_IMAGE_OPTIONS ?= ""
 require ${CIP_IMAGE_OPTIONS}
-- 
2.47.0

[cip-dev][isar-cip-core][RFC v2 5/6] add factory-reset to initramfs

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
index 0e4cf74..7a16849 100644
--- a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -12,6 +12,7 @@
 inherit initramfs
 
 INITRAMFS_INSTALL += " \
+    initramfs-factory-reset-hook \
     initramfs-overlay-hook \
     "
 
-- 
2.47.0

[cip-dev][isar-cip-core][RFC v2 6/6] Add settings for factory-reset with a separate home partition

[Quirin Gylstorff]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/separate-home-partition.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
index 83f59a1..48cccc2 100644
--- a/kas/opt/separate-home-partition.yml
+++ b/kas/opt/separate-home-partition.yml
@@ -19,3 +19,6 @@ local_conf_header:
     OVERRIDES .= ":separate-home-part"
   add-home-partition-to-crypt: |
     CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
+  add-home-partition-to-factory-reset: |
+    INITRAMFS_FACTORY_RESET_DEVICES:append:separate-home-part = " /dev/disk/by-partlabel/home"
+
-- 
2.47.0

Re: [cip-dev][isar-cip-core][RFC v2 0/6] Add factory-reset

[Quirin Gylstorff]

On 5/6/25 14:07, Quirin Gylstorff via lists.cip-project.org wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> 
> This adds an new hooks for factory-reset to the
> initramfs. This hook will
> 
> - format the disk.
> - In case of a encrypted disk factory reset the TPM is cleared(all keys
>    are deleted)
> 
> In case of an encrypted file system the marker hook needs to be stored
> in a readable location, e.g. one of the boot partitions or the efi
> partition.

I am currently working on v3, where I replace the file based marker with
  an efi-variable. There are some issues with this approach as u-boot 
would need to support that. Also gohkan mentioned issues with preempt-rt 
with that approach during an internal discussion.

Quirin
> 
> Changes v2:
>   - make marker check a separate script
>   - change data-reset to factory-reset hook
> 
> Quirin Gylstorff (6):
>    add factory-reset initramfs hook
>    add factory-reset-helper to set the marker file
>    encrypt-data.yml: Add factory-reset information to encrypt-data
>    cip-core-image: add factory-reset helper
>    add factory-reset to initramfs
>    Add settings for factory-reset with a separate home partition
> 
>   kas/opt/encrypt-data.yml                      |  3 +
>   kas/opt/separate-home-partition.yml           |  3 +
>   recipes-core/images/cip-core-image.bb         |  2 +-
>   .../cip-core-initramfs/cip-core-initramfs.bb  |  1 +
>   .../files/detect-marker-file                  | 33 +++++++++
>   .../initramfs-factory-reset-hook/files/hook   |  7 ++
>   .../files/local-top-complete                  | 67 +++++++++++++++++++
>   .../files/reset-env.tmpl                      |  4 ++
>   .../initramfs-factory-reset-hook_0.1.bb       | 52 ++++++++++++++
>   .../factory-reset-helper_0.1.bb               | 34 ++++++++++
>   .../files/set-factory-reset-marker.sh.tmpl    | 28 ++++++++
>   11 files changed, 233 insertions(+), 1 deletion(-)
>   create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/detect-marker-file
>   create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/hook
>   create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/local-top-complete
>   create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/files/reset-env.tmpl
>   create mode 100644 recipes-initramfs/initramfs-factory-reset-hook/initramfs-factory-reset-hook_0.1.bb
>   create mode 100644 recipes-support/factory-reset-helper/factory-reset-helper_0.1.bb
>   create mode 100644 recipes-support/factory-reset-helper/files/set-factory-reset-marker.sh.tmpl
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#18766): https://lists.cip-project.org/g/cip-dev/message/18766
> Mute This Topic: https://lists.cip-project.org/mt/112647390/1753640
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/unsub [quirin.gylstorff@siemens.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [cip-dev][isar-cip-core][RFC v2 0/6] Add factory-reset

[Jan Kiszka]

On 15.05.25 15:12, Quirin Gylstorff wrote:
> 
> 
> On 5/6/25 14:07, Quirin Gylstorff via lists.cip-project.org wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>>
>> This adds an new hooks for factory-reset to the
>> initramfs. This hook will
>>
>> - format the disk.
>> - In case of a encrypted disk factory reset the TPM is cleared(all keys
>>    are deleted)
>>
>> In case of an encrypted file system the marker hook needs to be stored
>> in a readable location, e.g. one of the boot partitions or the efi
>> partition.
> 
> I am currently working on v3, where I replace the file based marker with
>  an efi-variable. There are some issues with this approach as u-boot
> would need to support that. Also gohkan mentioned issues with preempt-rt
> with that approach during an internal discussion.

Ah, yeah, the famous CONFIG_EFI_DISABLE_RUNTIME=y issue...

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center