efi: Enable booting unified hypervisor/kernel/initrd images

This patch adds support for bundling the xen.efi hypervisor, the xen.cfg configuration file, the Linux kernel and initrd, as well as the XSM, and CPU microcode into a single "unified" EFI executable. The resulting EFI executable can be invoked directly from the UEFI Boot Manager, removing the need to use a separate loader like grub as well as removing dependencies on local filesystem access.

It is inspired by systemd-boot's unified kernel technique and borrows the function to locate PE sections from systemd's LGPL'ed code. During EFI boot, Xen looks at its own loaded image to locate the PE sections for the configuration, kernel, etc, which are included after building xen.efi using objcopy to add named sections for each input file. This allows an administrator to update the components independently without requiring rebuilding xen.

The unified image can also be signed by sbsigntool for verification by UEFI Secure Boot. If secure boot is enabled, the Xen command line arguments are ignored. Unlike the shim based verification, the signature covers the entire Xen+config+kernel+initrd unified file. This also ensures that properly configured platforms will measure the entire runtime into the TPM for unsealing secrets or remote attestation.

Signed-off-by: Trammell Hudson hudson@trmm.net