apply debconf changes both to /etc/default/grub and to the ucf template
This avoids us showing ucf prompts when nothing has changed in either the
config file or in the package-provided template. ucf prompts will still be
shown only in the case that there is both a change to one of the
debconf-managed settings since the last update of grub, *and* there are
local changes to non-debconf-managed settings, because we cannot detect that
these are spurious.
If we don't have writable grubenv and we're on EFI, always show the menu
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).
Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.
Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
checking the return value of 'lsefi' when the command doesn't exist does not
do what's expected, so instead check the value of $grub_platform which is
simpler anyway.
If we don't have writable grubenv and we're on EFI, always show the menu
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).
Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.
Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
debian/grub-check-signatures: properly account for DB showing as empty on some broken firmwares: Guard against mokutil --export --db failing, and do a better job at finding the DER certs for conversion to PEM format. (LP: #1814575)
