Add xen_privcmd.unrestricted to workstation kernel opts

[zenmonkeykstop]

Adds xen_privcmd.unrestricted to the boot options for the workstation kernel, to work around fixes for XSA-482 that are not security-relevant for Qubes.

Test plan

• Visual review confirming the .cfg file is correctly formatted is sufficient
• extra points - run make securedrop-workstation-6.6 and verify the additional grub.cfg file is present in the securedrop-workstation-grsec package
• super extra points - as above but also install the kernel in an SDW template and verify that it boots.

[deeplow]

I may be late on this one, but I'll share my findings anyways.

Adds xen_privcmd.unrestricted to the boot options for the workstation kernel, to work around fixes for XSA-482 that are not security-relevant for Qubes.

In the commit message where this patch is introduced it's mentioned:

Note this does weaken in-VM isolation a bit (or rather: revert recent improvement), especially against processes with access to /dev/xen/privcmd. But it does not affect cross-VM isolation.

Since it's creation the client's apparmor includes binary and therefore think that it deserves some consideration.

Since it was a relatively recent feature, I don't think this should block a kernel release (whole delay also has security implications), but I wanted to share my findings for a potential future evaluation in an topic-adjacent conversation we have planned.