authorMichael Vogt <mvo@ubuntu.com>2022-04-19 15:20:48 +0200
committerGitHub <noreply@github.com>2022-04-19 15:20:48 +0200
commitf045e881ebb6cc6823749e9ab71d9627752df0b5 (patch)
tree8fbb975076f97a56df7a05d5827cfdd68559439f
parent1fe3147af27148d32a58092e13fd420444baa2b6 (diff)
parent62d72d3937d1aa6a5e1f1f71da9f26c2a8a4cf3c (diff)
Merge pull request #11606 from bboozzoo/bboozzoo/factory-reset-spread-no-encrypt
bootloader/assets, tests: add factory-reset mode, test non-encrypted factory-reset
-rw-r--r--bootloader/assets/data/grub-recovery.cfg4
-rw-r--r--bootloader/assets/grub_recovery_cfg_asset.go28
-rw-r--r--spread.yaml8
-rw-r--r--tests/nested/core/core20-factory-reset/task.yaml90
4 files changed, 120 insertions, 10 deletions
diff --git a/bootloader/assets/data/grub-recovery.cfg b/bootloader/assets/data/grub-recovery.cfg
index 3242a9cea3..ffb091e4b5 100644
--- a/bootloader/assets/data/grub-recovery.cfg
+++ b/bootloader/assets/data/grub-recovery.cfg
@@ -72,6 +72,10 @@ for label in /systems/*; do
loopback loop $2
chainloader (loop)/kernel.efi snapd_recovery_mode=$3 snapd_recovery_system=$4 $cmdline_args
}
+ menuentry "Factory reset using $label" --hotkey=i --id=factory-reset-$label $snapd_recovery_kernel factory-reset $label {
+ loopback loop $2
+ chainloader (loop)/kernel.efi snapd_recovery_mode=$3 snapd_recovery_system=$4 $cmdline_args
+ }
done
menuentry 'UEFI Firmware Settings' --hotkey=f 'uefi-firmware' {
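Review bot: The new `Factory reset using $label` entry binds `--hotkey=i`, and the header of the entry directly above it is outside this hunk, so it is not visible whether `i` is already taken by another entry in the loop. If it is, one keypress at the recovery menu becomes ambiguous between that mode and a mode which, per the test added in this commit, re-creates ubuntu-boot and ubuntu-data. Confirm the hotkey is unique, and consider giving this entry no hotkey at all so that a single keystroke on the console cannot select it. A comment above the entry would also help, e.g. `# factory-reset: ubuntu-boot and ubuntu-data are re-created, ubuntu-seed and ubuntu-save are kept`. The enclosing `for label in /systems/*` loop starts outside the hunk.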
diff --git a/bootloader/assets/grub_recovery_cfg_asset.go b/bootloader/assets/grub_recovery_cfg_asset.go
index 20ebc55b1b..95fdc829d5 100644
--- a/bootloader/assets/grub_recovery_cfg_asset.go
+++ b/bootloader/assets/grub_recovery_cfg_asset.go
@@ -181,11 +181,27 @@ func init() {
0x72, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x3d, 0x24, 0x33, 0x20, 0x73, 0x6e, 0x61, 0x70, 0x64,
0x5f, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d,
0x3d, 0x24, 0x34, 0x20, 0x24, 0x63, 0x6d, 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x61, 0x72, 0x67,
- 0x73, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x7d, 0x0a, 0x64, 0x6f, 0x6e, 0x65, 0x0a, 0x0a, 0x6d, 0x65,
- 0x6e, 0x75, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x20, 0x27, 0x55, 0x45, 0x46, 0x49, 0x20, 0x46, 0x69,
- 0x72, 0x6d, 0x77, 0x61, 0x72, 0x65, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x27,
- 0x20, 0x2d, 0x2d, 0x68, 0x6f, 0x74, 0x6b, 0x65, 0x79, 0x3d, 0x66, 0x20, 0x27, 0x75, 0x65, 0x66,
- 0x69, 0x2d, 0x66, 0x69, 0x72, 0x6d, 0x77, 0x61, 0x72, 0x65, 0x27, 0x20, 0x7b, 0x0a, 0x20, 0x20,
- 0x20, 0x20, 0x66, 0x77, 0x73, 0x65, 0x74, 0x75, 0x70, 0x0a, 0x7d, 0x0a,
+ 0x73, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x7d, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x6d, 0x65, 0x6e, 0x75,
+ 0x65, 0x6e, 0x74, 0x72, 0x79, 0x20, 0x22, 0x46, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x20, 0x72,
+ 0x65, 0x73, 0x65, 0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x24, 0x6c, 0x61, 0x62, 0x65,
+ 0x6c, 0x22, 0x20, 0x2d, 0x2d, 0x68, 0x6f, 0x74, 0x6b, 0x65, 0x79, 0x3d, 0x69, 0x20, 0x2d, 0x2d,
+ 0x69, 0x64, 0x3d, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x2d, 0x72, 0x65, 0x73, 0x65, 0x74,
+ 0x2d, 0x24, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x20, 0x24, 0x73, 0x6e, 0x61, 0x70, 0x64, 0x5f, 0x72,
+ 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x20, 0x66,
+ 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x2d, 0x72, 0x65, 0x73, 0x65, 0x74, 0x20, 0x24, 0x6c, 0x61,
+ 0x62, 0x65, 0x6c, 0x20, 0x7b, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6c, 0x6f,
+ 0x6f, 0x70, 0x62, 0x61, 0x63, 0x6b, 0x20, 0x6c, 0x6f, 0x6f, 0x70, 0x20, 0x24, 0x32, 0x0a, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x6c, 0x6f, 0x61, 0x64,
+ 0x65, 0x72, 0x20, 0x28, 0x6c, 0x6f, 0x6f, 0x70, 0x29, 0x2f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c,
+ 0x2e, 0x65, 0x66, 0x69, 0x20, 0x73, 0x6e, 0x61, 0x70, 0x64, 0x5f, 0x72, 0x65, 0x63, 0x6f, 0x76,
+ 0x65, 0x72, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x3d, 0x24, 0x33, 0x20, 0x73, 0x6e, 0x61, 0x70,
+ 0x64, 0x5f, 0x72, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x5f, 0x73, 0x79, 0x73, 0x74, 0x65,
+ 0x6d, 0x3d, 0x24, 0x34, 0x20, 0x24, 0x63, 0x6d, 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x61, 0x72,
+ 0x67, 0x73, 0x0a, 0x20, 0x20, 0x20, 0x20, 0x7d, 0x0a, 0x64, 0x6f, 0x6e, 0x65, 0x0a, 0x0a, 0x6d,
+ 0x65, 0x6e, 0x75, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x20, 0x27, 0x55, 0x45, 0x46, 0x49, 0x20, 0x46,
+ 0x69, 0x72, 0x6d, 0x77, 0x61, 0x72, 0x65, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73,
+ 0x27, 0x20, 0x2d, 0x2d, 0x68, 0x6f, 0x74, 0x6b, 0x65, 0x79, 0x3d, 0x66, 0x20, 0x27, 0x75, 0x65,
+ 0x66, 0x69, 0x2d, 0x66, 0x69, 0x72, 0x6d, 0x77, 0x61, 0x72, 0x65, 0x27, 0x20, 0x7b, 0x0a, 0x20,
+ 0x20, 0x20, 0x20, 0x66, 0x77, 0x73, 0x65, 0x74, 0x75, 0x70, 0x0a, 0x7d, 0x0a,
})
}
diff --git a/spread.yaml b/spread.yaml
index 3651e2b0ed..5f43f1ad9d 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -44,7 +44,7 @@ environment:
UBUNTU_IMAGE_SNAP_CHANNEL: "latest/candidate"
# controls whether ubuntu-image is built using the current snapd tree as a
# dependency or the one listed in its go.mod
- UBUNTU_IMAGE_ALLOW_API_BREAK: '$(HOST: echo "${SPREAD_UBUNTU_IMAGE_ALLOW_API_BREAK:-false}")'
+ UBUNTU_IMAGE_ALLOW_API_BREAK: '$(HOST: echo "${SPREAD_UBUNTU_IMAGE_ALLOW_API_BREAK:-true}")'
CORE_CHANNEL: '$(HOST: echo "${SPREAD_CORE_CHANNEL:-edge}")'
BASE_CHANNEL: '$(HOST: echo "${SPREAD_BASE_CHANNEL:-edge}")'
KERNEL_CHANNEL: '$(HOST: echo "${SPREAD_KERNEL_CHANNEL:-edge}")'
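Review bot: The default of `UBUNTU_IMAGE_ALLOW_API_BREAK` flips from `false` to `true` here, which neither the commit title nor the description mentions. Going by the comment above the setting, test images will now come from an ubuntu-image built against the current snapd tree rather than the version pinned in its go.mod, unless `SPREAD_UBUNTU_IMAGE_ALLOW_API_BREAK` overrides it. That makes runs less reproducible and hides a mismatch with the released tool. If this is a temporary measure for the factory-reset work, record it next to the setting, e.g. `# TODO: default back to false once ubuntu-image's go.mod pins a snapd with factory-reset support`.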
@@ -865,7 +865,7 @@ suites:
summary: Tests for snapd upgrade
# Test cases are not yet ported to openSUSE that is why we keep
# it disabled. A later PR will enable most tests and
- # drop this blacklist.
+ # drop the list of excluded systems.
systems: [-ubuntu-core-*, -opensuse-*, -ubuntu-secboot-*]
prepare-each: |
# FIXME: this should really use prepare-restore.sh --prepare-suite-each
@@ -898,7 +898,7 @@ suites:
summary: Suite to run unit tests (non-go and different go runtimes)
# Test cases are not yet ported to Fedora/openSUSE/Arch that is why
# we keep them disabled. A later PR will enable most tests and
- # drop this blacklist.
+ # drop the list of excluded systems.
systems:
[
-ubuntu-core-*,
@@ -944,7 +944,7 @@ suites:
manual: true
# Test cases are not yet ported to Fedora/openSUSE/Arch/AMZN2 that is why
# we keep them disabled. A later PR will enable most tests and
- # drop this blacklist.
+ # drop the list of excluded systems.
prepare: |
"$TESTSLIB"/prepare-restore.sh --prepare-suite
prepare-each: |
diff --git a/tests/nested/core/core20-factory-reset/task.yaml b/tests/nested/core/core20-factory-reset/task.yaml
new file mode 100644
index 0000000000..db86739768
--- /dev/null
+++ b/tests/nested/core/core20-factory-reset/task.yaml
@@ -0,0 +1,90 @@
+summary: Verify factory reset of a UC20 system
+
+details: |
+ This test checks that UC20 can be reset to factory state
+
+systems: [ubuntu-20.04-64]
+
+environment:
+ NESTED_ENABLE_SECURE_BOOT: false
+ NESTED_ENABLE_TPM: false
+
+execute: |
+ echo "Wait for the system to be seeded first"
+ tests.nested exec "sudo snap wait system seed.loaded"
+
+ tests.nested exec snap model > initial-model
+ tests.nested exec snap model --serial > initial-serial
+ tests.nested exec sudo blkid |grep -v /dev/loop > initial-disk
+
+ echo "Request factory reset"
+ boot_id=$(tests.nested boot-id)
+
+ # leave some marker files
+ tests.nested exec sudo touch /run/mnt/ubuntu-seed/marker
+ tests.nested exec sudo touch /run/mnt/ubuntu-save/marker
+ tests.nested exec sudo touch /run/mnt/ubuntu-boot/marker
+ tests.nested exec sudo touch /writable/marker
+
+ # add || true in case the SSH connection is broken while executing this
+ # since this command causes an immediate reboot
+ tests.nested exec "sudo snap reboot --factory-reset" || true
+
+ tests.nested wait-for reboot "${boot_id}"
+
+ # check that we are back in run mode
+ tests.nested exec cat /proc/cmdline | MATCH 'snapd_recovery_mode=run'
+
+ # wait for the system to get setup and finish seeding
+ tests.nested wait-for snap-command
+ tests.nested exec "sudo snap wait system seed.loaded"
+
+ # wait up to two minutes for serial registration
+ retry -n 60 --wait 2 tests.nested exec snap model --serial
+
+ # post factory reset world
+
+ tests.nested exec snap model > current-model
+ tests.nested exec snap model --serial > current-serial
+ tests.nested exec sudo blkid |grep -v /dev/loop > current-disk
+ # serials should be identical
+ diff -u initial-model current-model
+ diff -u initial-serial current-serial
+
+ # check ubuntu-seed
+ old_ubuntu_seed="$(grep LABEL=\"ubuntu-seed\" < initial-disk)"
+ new_ubuntu_seed="$(grep LABEL=\"ubuntu-seed\" < current-disk)"
+ # ubuntu seed is identical
+ test "$old_ubuntu_seed" = "$new_ubuntu_seed"
+
+ # check ubuntu-save
+ old_ubuntu_save="$(grep LABEL=\"ubuntu-save\" < initial-disk)"
+ new_ubuntu_save="$(grep LABEL=\"ubuntu-save\" < current-disk)"
+ # ubuntu save is identical
+ test "$old_ubuntu_save" = "$new_ubuntu_save"
+
+ # check ubuntu-boot
+ old_ubuntu_boot="$(grep LABEL=\"ubuntu-boot\" < initial-disk)"
+ new_ubuntu_boot="$(grep LABEL=\"ubuntu-boot\" < current-disk)"
+ # the device name should be the same
+ test "$(echo "$old_ubuntu_boot" | cut -f1 -d:)" = "$(echo "$new_ubuntu_boot" | cut -f1 -d:)"
+ # but otherwise the UUIDs are different, as we have a new partition
+ test "$old_ubuntu_boot" != "$new_ubuntu_boot"
+
+ # check ubuntu-data
+ old_ubuntu_data="$(grep LABEL=\"ubuntu-data\" < initial-disk)"
+ new_ubuntu_data="$(grep LABEL=\"ubuntu-data\" < current-disk)"
+ # again same device
+ test "$(echo "$old_ubuntu_data" | cut -f1 -d:)" = "$(echo "$new_ubuntu_data" | cut -f1 -d:)"
+ # again, the UUIDs are different
+ test "$old_ubuntu_data" != "$new_ubuntu_data"
+
+ # reaffirm that marker files are gone where we expected new partitions, but
+ # are still present where we expected the partitions to be preserved
+ tests.nested exec test ! -e /run/mnt/ubuntu-boot/marker
+ tests.nested exec test ! -e /writable/marker
+ tests.nested exec test -e /run/mnt/ubuntu-save/marker
+ tests.nested exec test -e /run/mnt/ubuntu-seed/marker
+
+ # verify that the factory-reset log was collected
+ tests.nested exec "zcat /var/log/factory-reset-mode.log.gz" | MATCH 'performing factory reset on an installed system'
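Review bot: The two "UUIDs are different" assertions for ubuntu-boot and ubuntu-data compare the whole blkid line (`test "$old_ubuntu_boot" != "$new_ubuntu_boot"`), so they pass on a change in any field, not only when the filesystem was actually re-created. Extract the field first, e.g. `old_boot_uuid="$(echo "$old_ubuntu_boot" | grep -o ' UUID="[^"]*"')"`, do the same for the new value, and compare those; the leading space keeps `PARTUUID` out of the match. Separately, `NESTED_ENABLE_SECURE_BOOT` and `NESTED_ENABLE_TPM` are both `false`, so only the unencrypted path is exercised. The `details:` text should say so, so that nobody reads this test as covering factory reset of an encrypted device.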