
[RFC] Add patch to fix lockdown mode

Luca Boccassi requested to merge bluca/grub:lockdown into signing
 grub currently copies the entire boot_params, which includes setting the sentinel
 byte to 0xff, which triggers sanitize_boot_params in the kernel, which in
 turn clears various boot_params variables, including the indication that
 the bootloader chain is verified, and thus the kernel disables lockdown mode.
 According to the information on the Fedora bug tracker, only the information
 from byte 0x1f1 is necessary, so start copying from there instead.

@pmhahn @benh @93sam @cjwatson I have tested this on a minimal image and it fixes the problem.

The issue was first reported on the Fedora bug tracker, where it was explained how to fix the problem (their grub is heavily vendorized, so the actual patch cannot just be copied over): https://bugzilla.redhat.com/show_bug.cgi?id=1418360

Without this patch, when booting a signed image you can see on the console "EFI stub: UEFI Secure Boot is enabled." before the kernel goes back to Grub, but then after booting and logging in Lockdown is disabled and "secureboot: Secure boot could not be determined (mode 0)" can be seen in the log.

But I'd like feedback from you folks who know grub much better than me, especially on the details of the range of memory being copied over. If you think this is the right fix I'll then send the patch upstream.

The other alternative would be to sync the patches with Ubuntu - they have fixed it too (but again it's heavily modified so the patch can't just be copied).

Thanks!
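The mechanism described in the commit message, as an added example that is not code from this MR, from grub or from the Linux kernel: a small C model of the boot_params handoff that contrasts a loader copying the page from offset 0 (sentinel included) with one copying from the setup header at 0x1f1. The offsets (0x1eb kbd_status, 0x1ec secure_boot, 0x1ef sentinel, 0x1f1 setup header, 0x202 "HdrS" magic) follow the x86 zero-page layout; the sanitize routine only mirrors the one memset in the kernel's sanitize_boot_params that spans kbd_status..hdr, and the model assumes the ordering loader copy, then EFI stub records secure boot, then the decompressor sanitizes. All function names and the sample bzImage page are constructed for the illustration.

```c
/*
 * Added example (not grub or kernel code): why copying boot_params from
 * offset 0, sentinel included, makes the kernel drop the secure-boot flag,
 * while copying from the setup header at 0x1f1 keeps it.
 *
 * Offsets follow the x86 boot protocol zero-page layout:
 *   0x1eb kbd_status, 0x1ec secure_boot, 0x1ef sentinel, 0x1f1 setup_header,
 *   0x202 "HdrS" magic inside the setup header.
 * sanitize_boot_params_model() mirrors only the memset in the kernel's
 * sanitize_boot_params() that covers kbd_status..hdr; the kernel's other
 * ranges do not touch the fields shown here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BP_SIZE         4096
#define OFF_KBD_STATUS  0x1eb
#define OFF_SECURE_BOOT 0x1ec
#define OFF_SENTINEL    0x1ef
#define OFF_HDR         0x1f1
#define OFF_HDR_MAGIC   0x202

/* enum efi_secureboot_mode in the kernel: unset=0, unknown=1, disabled=2, enabled=3 */
#define SECUREBOOT_UNSET   0
#define SECUREBOOT_ENABLED 3

typedef struct { uint8_t raw[BP_SIZE]; } boot_params_t;
typedef void (*copy_fn)(boot_params_t *bp, const uint8_t *img);

/* Constructed stand-in for the first page of a bzImage: the kernel build puts
 * 0xff at the sentinel and the setup header (with its "HdrS" magic) at 0x1f1. */
static void make_sample_bzimage_page(uint8_t img[BP_SIZE])
{
    memset(img, 0, BP_SIZE);
    img[OFF_SENTINEL] = 0xff;
    memcpy(&img[OFF_HDR_MAGIC], "HdrS", 4);
}

/* Loader behaviour the MR fixes: the whole page is copied, sentinel included. */
static void loader_copy_whole(boot_params_t *bp, const uint8_t *img)
{
    memset(bp, 0, sizeof *bp);
    memcpy(bp->raw, img, BP_SIZE);
}

/* Loader behaviour after the fix: the copy starts at the setup header, so the
 * sentinel (and everything before 0x1f1) stays zero. */
static void loader_copy_from_hdr(boot_params_t *bp, const uint8_t *img)
{
    memset(bp, 0, sizeof *bp);
    memcpy(&bp->raw[OFF_HDR], &img[OFF_HDR], BP_SIZE - OFF_HDR);
}

/* Kernel side: a non-zero sentinel means the loader did not zero the page, so
 * the kbd_status..hdr range (which holds secure_boot) is cleared. */
static void sanitize_boot_params_model(boot_params_t *bp)
{
    if (bp->raw[OFF_SENTINEL])
        memset(&bp->raw[OFF_KBD_STATUS], 0, OFF_HDR - OFF_KBD_STATUS);
}

/* Handoff order assumed here: loader copies, EFI stub records the secure-boot
 * state in secure_boot, then the decompressor sanitizes the page. */
static void simulate_handoff(copy_fn copy, boot_params_t *bp)
{
    uint8_t img[BP_SIZE];
    make_sample_bzimage_page(img);
    copy(bp, img);
    bp->raw[OFF_SECURE_BOOT] = SECUREBOOT_ENABLED; /* what the EFI stub sets */
    sanitize_boot_params_model(bp);
}

/* secure_boot value the kernel proper ends up with for a given loader. */
int secure_boot_seen_by_kernel(copy_fn copy)
{
    boot_params_t bp;
    simulate_handoff(copy, &bp);
    return bp.raw[OFF_SECURE_BOOT];
}

/* 1 if the setup header magic survived the handoff, 0 otherwise. */
int setup_header_intact(copy_fn copy)
{
    boot_params_t bp;
    simulate_handoff(copy, &bp);
    return memcmp(&bp.raw[OFF_HDR_MAGIC], "HdrS", 4) == 0;
}

int main(void)
{
    printf("copy from 0x000: secure_boot=%d hdr_ok=%d\n",
           secure_boot_seen_by_kernel(loader_copy_whole),
           setup_header_intact(loader_copy_whole));
    printf("copy from 0x1f1: secure_boot=%d hdr_ok=%d\n",
           secure_boot_seen_by_kernel(loader_copy_from_hdr),
           setup_header_intact(loader_copy_from_hdr));
    return 0;
}
```

With the whole-page copy the kernel sees secure_boot back at 0 (the "mode 0" the description quotes from the log), while the copy starting at 0x1f1 leaves the EFI stub's value in place and the setup header intact in both cases, which is the range question the MR asks reviewers to confirm.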
