diff --git a/os/layers/training-installer/hooks/live/2010-training-installer.hook.chroot b/os/layers/training-installer/hooks/live/2010-training-installer.hook.chroot
index c98afce..1c3b713 100644
--- a/os/layers/training-installer/hooks/live/2010-training-installer.hook.chroot
+++ b/os/layers/training-installer/hooks/live/2010-training-installer.hook.chroot
@@ -5,3 +5,6 @@ set -eu
 # Install the noauth PAM profile.
 groupadd noauth
 pam-auth-update --enable noauth
+
+# Enable user reset at boot triggered by a kernel parameter.
+systemctl enable reset-user.service
diff --git a/os/layers/training-installer/includes.chroot/etc/grub.d/15_reset_user b/os/layers/training-installer/includes.chroot/etc/grub.d/15_reset_user
new file mode 100755
index 0000000..f4187ac
--- /dev/null
+++ b/os/layers/training-installer/includes.chroot/etc/grub.d/15_reset_user
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+. "$pkgdatadir/grub-mkconfig_lib"
+
+list=
+for i in /boot/vmlinuz-* ; do
+    if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi
+done
+linux="$(version_find_latest $list)"
+basename="$(basename $linux)"
+rel_dirname="$(make_system_path_relative_to_its_root /boot)"
+version="$(echo $basename | sed -e "s,^[^0-9]*-,,g")"
+
+prepare_boot="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab | grub_add_tab)"
+LINUX_ROOT_DEVICE="UUID=${GRUB_DEVICE_UUID}"
+
+linux_entry ()
+{
+	title="$1"
+	args="$2"
+
+	echo "	menuentry '$(echo "$title" | grub_quote)' {"
+	echo "		load_video"
+	echo "		insmod gzio"
+	echo "$prepare_boot"
+	echo "		echo	'$(echo "Loading Linux ${version} ..." | grub_quote)'"
+	echo "		linux	${rel_dirname}/${basename} root=${LINUX_ROOT_DEVICE} ro ${args}"
+	echo "		echo	'Loading initial ramdisk ...'"
+	echo "		initrd	${rel_dirname}/initrd.img-${version}"
+	echo "	}"
+}
+
+echo "submenu 'Reset SOI user...' {"
+echo "	menuentry 'Cancel' {"
+echo "		configfile \$prefix/grub.cfg"
+echo "	}"
+linux_entry "Reset SOI user (THIS DELETES USER DATA)" "reset-user"
+linux_entry "Reset SOI user (THIS DELETES USER DATA) and power off" "reset-user reset-user-poweroff"
+echo "}"
diff --git a/os/layers/training-installer/includes.chroot/etc/systemd/system/reset-user.service b/os/layers/training-installer/includes.chroot/etc/systemd/system/reset-user.service
new file mode 100644
index 0000000..1120578
--- /dev/null
+++ b/os/layers/training-installer/includes.chroot/etc/systemd/system/reset-user.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Reset user at boot by setting a kernel parameter.
+Before=basic.target
+After=local-fs.target systemd-tmpfiles-setup.service
+DefaultDependencies=no
+ConditionKernelCommandLine=reset-user
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/reset-user
+
+[Install]
+WantedBy=basic.target
diff --git a/os/layers/training-installer/includes.chroot/usr/local/bin/install-config b/os/layers/training-installer/includes.chroot/usr/local/bin/install-config
index 39bfad6..cc74761 100755
--- a/os/layers/training-installer/includes.chroot/usr/local/bin/install-config
+++ b/os/layers/training-installer/includes.chroot/usr/local/bin/install-config
@@ -6,12 +6,5 @@ set -eu
 cp -rT /usr/local/share/target-sources /etc/apt/sources.list.d
 rm /etc/apt/sources.list
 
-USERNAME=soi
-USER_FULLNAME="SOI"
-# Password: soi
-USER_PASSWORD='$y$j9T$h5VhMd4KkdmbxdZD1gO0N/$1hvwZgO8pQw13Xd6jaNXbtkbqVOC4W/ia/KXOcCGYvB'
-
 # Create user.
-adduser --disabled-password --gecos "$USER_FULLNAME" "$USERNAME"
-usermod -p "$USER_PASSWORD" "$USERNAME"
-adduser "$USERNAME" noauth
+/usr/local/bin/reset-user
diff --git a/os/layers/training-installer/includes.chroot/usr/local/bin/reset-user b/os/layers/training-installer/includes.chroot/usr/local/bin/reset-user
new file mode 100755
index 0000000..44497eb
--- /dev/null
+++ b/os/layers/training-installer/includes.chroot/usr/local/bin/reset-user
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -eu
+
+USERNAME=soi
+USER_FULLNAME="SOI"
+# Password: soi
+USER_PASSWORD='$y$j9T$h5VhMd4KkdmbxdZD1gO0N/$1hvwZgO8pQw13Xd6jaNXbtkbqVOC4W/ia/KXOcCGYvB'
+
+# Delete user.
+userdel --remove "$USERNAME" || true
+
+# Create user.
+adduser --disabled-password --gecos "$USER_FULLNAME" "$USERNAME"
+usermod -p "$USER_PASSWORD" "$USERNAME"
+adduser "$USERNAME" noauth
+
+# If the corresponding boot menu item was selected, immediately power off.
+if grep --quiet --word-regexp reset-user-poweroff /proc/cmdline; then
+  systemctl start poweroff.target --job-mode=replace-irreversibly --no-block
+fi
diff --git a/os/readme.md b/os/readme.md
index 9fc0411..508cab8 100644
--- a/os/readme.md
+++ b/os/readme.md
@@ -107,6 +107,7 @@ Here is a list of features.
   - login without password for `noauth` group
   - create an admin user with sudo rights and password
   - create a participant user without password
+  - add a boot menu item for resetting participant user data
   - install packages for firmware updates and power manager
   - install Gnome Boxes and VirtualBox for running virtual machines
 - `contestant`