andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0
225 stars, 20 forks

Allow `.cmdline` to be omitted #61

Open raldone01 opened 1 year ago

raldone01 commented 1 year ago

I use rEFInd and Secure Boot with custom keys. If `.cmdline` is present in the UKI, it ignores all options passed by the bootloader. However, if no `.cmdline` is present, bootloader options are accepted.

Workaround: add the following to `/etc/sbupdate.conf`:

```bash
# Generate a signed kernel image
#   $1: configuration name
#   $2: kernel name
function update_image() {
  local linux="/boot/vmlinuz-$2"
  local initrd="${INITRD[$1]:-/boot/initramfs-$1.img}"
  local cmdline="${CMDLINE[$1]:-${CMDLINE_DEFAULT}}"
  local output; output="$(output_name "$1")"

  echo "Generating and signing $(basename "${output}")"

  # Create a combined binary with systemd EFI stub. For additional information see:
  #   https://github.com/systemd/systemd/blob/master/src/boot/efi/stub.c
  #   https://github.com/systemd/systemd/blob/master/test/test-efi-create-disk.sh
  #
  # Prepend initramfs files are joined with the main initramfs in one image. Refer to:
  #   https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt
  #   https://www.kernel.org/doc/Documentation/x86/microcode.txt

  # The .cmdline section is deliberately left out so that the bootloader's
  # options are honoured; the original line is kept here for reference:
  #  --add-section .cmdline=<(printf "%s\0" "${cmdline}")            --change-section-vma .cmdline=0x30000  \

  objcopy \
    --add-section .osrel="/etc/os-release"                          --change-section-vma .osrel=0x20000    \
    --add-section .splash="${SPLASH}"                               --change-section-vma .splash=0x40000   \
    --add-section .linux="${linux}"                                 --change-section-vma .linux=0x2000000  \
    --add-section .initrd=<(cat "${INITRD_PREPEND[@]}" "${initrd}") --change-section-vma .initrd=0x3000000 \
    "${EFISTUB}" "${output}"
  wait $!

  # Sign the resulting output file
  sign_file --output "${output}" "${output}"
}
```

Official support for this would be nice. As it reduces security, sbupdate could emit a warning if the DEFAULT_CMDLINE config is unset and skip embedding a `.cmdline`.
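One way the proposed behaviour could be implemented and verified, as an added example that is not sbupdate's own code or part of this issue: `uki_cmdline_args` emits the `.cmdline` objcopy arguments only when a command line is configured and warns on stderr otherwise, and `uki_has_cmdline` / `uki_show_cmdline` inspect a finished image with binutils so an administrator can confirm what the signed image actually carries. The function names, the `--demo` flag and the sample command line are assumptions; the section name and VMA mirror the objcopy call above.

```bash
#!/bin/bash
# Added example (not sbupdate's own code): decide whether a UKI gets an embedded
# .cmdline, warn when it does not, and check a built image for the section.

# Write the command line NUL-terminated to a file, the form the EFI stub reads.
#   $1: command line   $2: destination file
write_cmdline_file() {
  printf '%s\0' "$1" > "$2"
}

# Print the objcopy arguments for the .cmdline section, one per line, or print
# nothing (and warn on stderr) when no command line is configured.
#   $1: kernel command line; empty means neither CMDLINE[name] nor CMDLINE_DEFAULT is set
#   $2: file holding the NUL-terminated command line (see write_cmdline_file)
uki_cmdline_args() {
  local cmdline="$1" cmdline_file="$2"
  if [ -n "${cmdline}" ]; then
    # Same section name and VMA as the objcopy call in /etc/sbupdate.conf above.
    printf '%s\n' --add-section ".cmdline=${cmdline_file}" \
                  --change-section-vma ".cmdline=0x30000"
  else
    # Without .cmdline the signed image boots with whatever options the boot
    # loader hands it, so the signature no longer covers the command line.
    echo "warning: no kernel command line configured; the signed image will accept bootloader-supplied options" >&2
  fi
}

# Return 0 if the PE image in $1 contains a .cmdline section, 1 otherwise.
# Uses objdump (binutils), which lists one section per line with the name in
# the second column.
uki_has_cmdline() {
  objdump -h "$1" 2>/dev/null | awk '$2 == ".cmdline" { found = 1 } END { exit !found }'
}

# Print the embedded command line of the image in $1 as a hex/ASCII dump.
uki_show_cmdline() {
  objdump -s -j .cmdline "$1"
}

# Demo with a constructed command line; run as: ./uki-cmdline.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_cmdline_file "root=/dev/sda2 rw quiet" "$tmp"
  uki_cmdline_args "root=/dev/sda2 rw quiet" "$tmp"   # prints four arguments
  uki_cmdline_args "" "$tmp"                          # prints nothing, warns
  rm -f "$tmp"
fi
```

Inside `update_image` the output can be consumed with `mapfile -t args < <(uki_cmdline_args "${cmdline}" "${cmdline_file}")` followed by `objcopy "${args[@]}" ...`, and after signing `uki_has_cmdline "${output}"` tells you whether the image will honour bootloader options or not.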