Add physical attackers mitigations
It adds support for a dongle buildmode so that install drives put on writable storage devices become equivalent to those put on write-once storage devices.
The dongle does not require the base ISO image to be encrypted to serve its purpose.
Despite this, this branch is based on !217 (closed) and includes !268 (closed), so that it will be easier to move the kernel and the initramfs partition to an encrypted partition at a later stage (GRUB supports booting from a LUKS partition).
Solves #189 (closed).
Includes
Notes
It also needs https://gitlab.archlinux.org/mkinitcpio/mkinitcpio-archiso/-/merge_requests/27 to be merged into mkinitcpio-archiso and cryptsetup-sigfile (AUR) merged into cryptsetup.
Changes
Follow upstream branch.