@rucoder rucoder commented Sep 10, 2025

Description

This functionality is required by Evaluation Eve to set the kernel command line at run time, to collect HW inventory with the ACS override patch disabled, but it can also be used for dynamic configuration of isolated CPUs for RT. In the future we can push kernel command line parameters from a controller. The latter may be useful to, e.g., set pci=realloc=off or other arguments without hacking /config/grub.cfg.

NOTE: @christoph-zededa @rene we recently got a lot of "connection refused" errors from gnu.org. Here is the post where they introduce the new mirrors: https://savannah.gnu.org/news/?id=10777

List of changes:

  • Add getenv module to GRUB modules for all EFI platforms
  • Implement set_append_extra_efi_cmdline function to read eve-kernel-extra-cmdline from EFI variables using GUID 7AD58F29-2B49-4F5A-9F0B-4E7BF7C2C311
  • Append extra cmdline args to dom0_extra_args at boot time
  • Add copyright header and fix ENV syntax in Dockerfile
  • Allow runtime kernel parameter injection without modifying grub.cfg
  • Use a mirror for GNU source code to avoid "connection refused"

Security note: Dynamic cmdline modification is acceptable since grub.cfg is measured to PCR 8, maintaining boot integrity verification.

How to test and validate this PR

  1. Use the following script to set eve-kernel-extra-cmdline to any value from EVE.
  2. Reboot EVE and make sure your data appeared at the end of the kernel command line.
#!/bin/ash
# eve-kcmdline.sh — manage EFI var "eve-kernel-extra-cmdline"
# GUID: 7ad58f29-2b49-4f5a-9f0b-4e7bf7c2c311
set -eu

EFIVARS=/sys/firmware/efi/efivars
NAME=eve-kernel-extra-cmdline
GUID=7ad58f29-2b49-4f5a-9f0b-4e7bf7c2c311
FILE="$EFIVARS/$NAME-$GUID"

ensure_mount() {
  [ -d /sys/firmware/efi ] || { echo "EFI not available"; exit 1; }
  grep -qs " $EFIVARS " /proc/mounts || { mkdir -p "$EFIVARS"; mount -t efivarfs efivarfs "$EFIVARS"; }
}

clear_immutable() {
  # Clear efivarfs immutable bit if tool available (either e2fsprogs chattr or BusyBox chattr)
  if command -v chattr >/dev/null 2>&1; then
    chattr -i "$FILE" 2>/dev/null || true
  elif busybox chattr --help >/dev/null 2>&1; then
    busybox chattr -i "$FILE" 2>/dev/null || true
  fi
}

write_payload() {
  # $1 = ASCII payload (no newlines); appends a NUL to the binary blob
  ensure_mount
  args="$(printf '%s' "$1" | tr -d '\r\n')"

  tmp="$(mktemp)"
  # attrs: NON_VOLATILE | BOOTSERVICE | RUNTIME = 0x00000007, little-endian;
  # octal escapes are POSIX printf (\xHH is a BusyBox/bash extension)
  printf '\007\000\000\000' > "$tmp"
  printf '%s' "$args"       >> "$tmp"
  printf '\000'             >> "$tmp"

  # Try in-place write first
  if ! cat "$tmp" > "$FILE" 2>/dev/null; then
    clear_immutable
    # Fallback: delete+create
    rm -f "$FILE" 2>/dev/null || true
    cp "$tmp" "$FILE"
  fi
  rm -f "$tmp"
}

case "${1:-}" in
  set)
    shift
    [ $# -gt 0 ] || { echo "usage: $0 set \"key=val ...\""; exit 1; }
    write_payload "$*"
    echo "OK: set $NAME"
    ;;
  reset)
    # Keep var present but empty (single NUL payload)
    write_payload ""
    echo "OK: reset $NAME (empty payload)"
    ;;
  delete)
    ensure_mount
    if [ -e "$FILE" ]; then
      clear_immutable
      rm -f "$FILE" || { echo "delete failed (immutable/locked?)" >&2; exit 1; }
      echo "OK: deleted $NAME"
    else
      echo "note: $NAME not present"
    fi
    ;;
  *)
    echo "usage: $0 {set \"args...\"|reset|delete}"
    exit 1
    ;;
esac

Changelog notes

None

PR Backports

- 14.5-stable: No, as the feature is not available there.
- 13.4-stable: No, as the feature is not available there.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've checked the boxes above, or I've provided a good reason why I didn't check them.
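One way to script verification step 2 above (does the content of the EFI variable actually show up on the running kernel command line?), as an added example that is not part of the PR: it reads the same efivarfs layout the script above writes (4-byte attribute word, then the args, then a trailing NUL), and the `make_sample` helper and its sample args are constructed so the parsing can be exercised off-device.

```shell
#!/bin/sh
# Added example: verify that eve-kernel-extra-cmdline made it onto the
# running kernel command line. Reads the efivarfs layout written by the
# PR's test script: u32 attrs (little-endian), args bytes, trailing NUL.
set -eu

EFIVARS=/sys/firmware/efi/efivars
NAME=eve-kernel-extra-cmdline
GUID=7ad58f29-2b49-4f5a-9f0b-4e7bf7c2c311

# Attribute word of an efivarfs file as a decimal number; assembled from
# single bytes so the result does not depend on host byte order.
efivar_attrs() {
  set -- $(od -An -tx1 -N4 "$1")
  printf '%d\n' "0x$4$3$2$1"
}

# Args payload: skip the 4-byte attrs, drop the NUL terminator.
efivar_payload() { tail -c +5 "$1" | tr -d '\000'; }

# $1 = extra args, $2 = kernel command line. Every token of $1 must appear
# as a whole word in $2 (a partial match such as "pci=realloc" for
# "pci=realloc=off" must not count).
args_applied() {
  for tok in $1; do
    case " $2 " in
      *" $tok "*) ;;
      *) echo "missing on cmdline: $tok" >&2; return 1 ;;
    esac
  done
  return 0
}

# Constructed sample blob in the same layout, for off-device testing.
make_sample() { printf '\007\000\000\000%s\000' "$1" > "$2"; }

# Live check on an EVE device: variable present, attrs NV|BS|RT (7),
# and all tokens applied. The exit status is the result.
check_live() {
  f="$EFIVARS/$NAME-$GUID"
  [ -r "$f" ] || { echo "$NAME not present" >&2; return 2; }
  attrs=$(efivar_attrs "$f")
  [ "$attrs" -eq 7 ] || echo "warning: attrs=$attrs, expected 7" >&2
  args_applied "$(efivar_payload "$f")" "$(cat /proc/cmdline)"
}

if [ "${1:-}" = live ]; then check_live; fi
```

Run it as `sh check-kcmdline.sh live` on the device after the reboot; a non-zero exit means the variable is absent or at least one token did not reach /proc/cmdline.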

rucoder commented Sep 10, 2025

/rerun red

rucoder commented Sep 10, 2025

/rerun red


rucoder commented Sep 10, 2025

/rerun red

@OhmSpectator OhmSpectator left a comment


We should also document the new way to configure the cmdline.

rucoder commented Sep 10, 2025

/rerun red

@OhmSpectator OhmSpectator left a comment


I think it would make sense to add the script from the PR description into the EVE rootfs, so it's easily usable by users.
Also, I think the change notes should say that we add this nice feature.


FROM grub-build-base AS grub-build-amd64
ENV GRUB_MODULES="multiboot multiboot2 efi_uga efi_gop linuxefi gpt verify gcry_sha256 measurefs efinet"
ENV GRUB_MODULES="multiboot multiboot2 efi_uga efi_gop linuxefi gpt verify gcry_sha256 measurefs efinet getenv"
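Review bot: This hunk only changes the `grub-build-amd64` stage, but the PR description says the `getenv` module is added for all EFI platforms; the arm64 build stage's `GRUB_MODULES` line needs the same `getenv` addition, since the new `set_append_extra_efi_cmdline` logic in grub.cfg depends on that module's command being available on every platform that executes it. A short comment on the ENV line saying why `getenv` is there (reading `eve-kernel-extra-cmdline` from EFI variables) would also keep the module from being dropped later as apparently unused.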
Member


And for ARM?

Contributor Author


@OhmSpectator

  1. It is also for ARM (forgot to fix the commit description).
  2. End users should not use it, imo.
  3. The script is just for testing; I did not make it ergonomic. We can add one later.

Contributor Author


@OhmSpectator you still think we should give end users a tool to modify this setting?

Member


I see it as useful, but not necessary in this PR.

- Add getenv module to GRUB modules for all EFI platforms
- Implement set_append_extra_efi_cmdline function to read eve-kernel-extra-cmdline
  from EFI variables using GUID 7AD58F29-2B49-4F5A-9F0B-4E7BF7C2C311
- Append extra cmdline args to dom0_extra_args at boot time
- Add copyright header and fix ENV syntax in Dockerfile
- Allows runtime kernel parameter injection without modifying grub.cfg

Security note: Dynamic cmdline modification is acceptable since grub.cfg
is measured to PCR 8, maintaining boot integrity verification.

Signed-off-by: Mikhail Malyshev <[email protected]>

- according to https://savannah.gnu.org/news/?id=10777 new mirrors should be used

Signed-off-by: Mikhail Malyshev <[email protected]>
@rucoder rucoder added the main-quest The fate of the project rests on this PR. Prioritise review to advance the storyline! label Sep 11, 2025
@OhmSpectator OhmSpectator merged commit 280122c into lf-edge:master Sep 11, 2025
46 checks passed