andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0
225 stars, 20 forks

Added support for no default kernel parameters #49

Closed rharish101 closed 2 years ago

rharish101 commented 2 years ago

This way it's helpful for boot managers like rEFInd that can set multiple boot options with different kernel params.

For example, I have set up a boot option in rEFInd for booting into emergency mode. I can't use this boot option, since the unified image will reject what rEFInd passes it and only use the hardcoded options. The only way is to disable secure boot and re-enable after I'm done using emergency mode.

With these changes, if both the per-config and default command lines are empty, then sbupdate should set an empty command line. This is basically ignored by the EFI, and thus it will allow rEFInd to pass its options.

I've tested this with both cases of setting a command line and not setting any, and my system (EFI firmware in the Asus ROG GL552VW with the latest BIOS update) boots fine.

Maryse47 commented 2 years ago

> With these changes, if both the per-config and default command lines are empty, then sbupdate should set an empty command line. This is basically ignored by the EFI, and thus it will allow rEFInd to pass its options.

How is this different than disabling secure boot? I think this gives you a false sense of security. You may disable secure boot permanently instead.

rharish101 commented 2 years ago

Sorry, I'm not that familiar with secure boot, but with an encrypted root partition, wouldn't one still have the benefit that only signed kernels can be booted by the person with the decryption keys for the root partition? That would be better than no secure boot at all.

Maryse47 commented 2 years ago

With access to the kernel cmdline, an attacker can get unlimited code execution, including booting into another unsigned kernel, thus bypassing secure boot. There is a reason modifying the cmdline is restricted in secure boot mode.

rharish101 commented 2 years ago

Ah, didn't know that. Thanks for the info, I'll just close this PR.
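
A check for the condition discussed in this thread, as an added example that is not part of the PR or of sbupdate: it reads the embedded command line from a unified kernel image and flags images where it is missing or empty, the case in which the boot manager's options would be used. The function names and the sample image are constructed for illustration, and `.cmdline` as the PE section name is an assumption not stated on this page.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Return {name: raw bytes} for each section of a PE/COFF image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header follows the 4-byte signature; section table follows the optional header.
    (nsections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size
    sections = {}
    for i in range(nsections):
        entry = table + 40 * i  # each section header is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", image, entry + 8)
        size = min(vsize, rawsize) if vsize else rawsize
        sections[name] = image[rawptr:rawptr + size]
    return sections

def embedded_cmdline(image: bytes):
    """Embedded command line, or None when the image has no .cmdline section."""
    raw = pe_sections(image).get(".cmdline")  # assumed section name
    if raw is None:
        return None
    return raw.rstrip(b"\0").decode("utf-8", "replace").strip()

def locks_cmdline(image: bytes) -> bool:
    """True only if a non-empty command line is baked into the signed image."""
    return bool(embedded_cmdline(image))

def build_sample(cmdline: bytes) -> bytes:
    """Constructed minimal PE with one .cmdline section (test data, not bootable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    rawptr = 0x40 + len(coff) + 40
    sect = struct.pack("<8sIIIIIIHHI", b".cmdline", len(cmdline), 0x1000,
                       len(cmdline), rawptr, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sect + cmdline

if __name__ == "__main__":
    samples = {"pinned": b"root=/dev/mapper/root rw quiet\0", "empty": b""}
    for label, cl in samples.items():
        img = build_sample(cl)
        verdict = "ok" if locks_cmdline(img) else "WARN: boot manager options would apply"
        print(f"{label}: {embedded_cmdline(img)!r} -> {verdict}")
```

To audit a real image, pass the bytes of the signed `.efi` file to `locks_cmdline` in place of the constructed sample.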