pi: switch to flash-kernel-piboot for A/B tryboot rollback

[passcod]

Summary

Replaces the hand-rolled bes-pi-firmware-update + zz-bes-pi-firmware kernel postinst hook on the pi variant with Ubuntu's own flash-kernel-piboot. That package (resolute-only, which we already require for pi) brings:

• the upstream /usr/sbin/flash-kernel with Method: pi-try for the Pi 5B, replacing our custom kernel→/boot/firmware copy logic,
• an A/B current/+new/+old/ layout under /boot/firmware/, with piboot-try-reboot.service triggering trial boots and piboot-try-validate.service promoting them on success,
• automatic rollback when a kernel update boots badly: the EEPROM falls back to current/ and piboot-try-reboot marks the new assets bad to inhibit retries.

This closes the one rollback gap in the image — btrfs + snapper cover the root subvolume but the FAT firmware partition wasn't covered before.

Why now

The custom helper existed because, when pi was prototyped on noble, noble's flash-kernel lacked a Pi 5B db entry. That rationale is dead: pi images have been resolute-only in CI for a while (see .github/workflows/build.yml), and resolute ships both the db entry (flash-kernel 3.110ubuntu2) and the A/B mechanism (piboot-try 1.1ubuntu0.1, pulled in via flash-kernel-piboot).

Spec

• r[image.boot.pi-firmware] reworded — drops "selecting vmlinuz as the kernel" since flash-kernel chooses its own filenames and the bootloader resolves them via os_prefix.
• r[image.boot.pi-firmware-update] reworded from "must ship a script" to a behavioural requirement (kernel updates propagate to the firmware partition and must not overwrite known-good assets).
• New r[image.boot.pi-tryboot-rollback] covers the A/B rollback requirement and the Pi 5 EEPROM ≥ 2025-02-11 firmware floor.

Build changes

• image/packages.sh: drop the stale "no flash-kernel" rationale comment.
• image/configure.sh: install flash-kernel-piboot inside the pi branch right after writing config.txt (the awk-based migrator in flash-kernel reads from config.txt, so the file must exist when the postinst runs). The explicit invocation after dracut --force now calls flash-kernel instead of the deleted helper.
• image/files/pi/config.txt: drops the redundant kernel= / initramfs lines (flash-kernel populates /boot/firmware/current/vmlinuz and /boot/firmware/current/initrd.img and the os_prefix=current/ directive added by migrate-config resolves them).
• image/files/pi/bes-pi-firmware-update and image/files/pi/zz-bes-pi-firmware deleted.
• tests/test-image-structure.sh asserts the new layout and the absence of legacy paths.

Migration

scripts/migrate-pi-to-piboot.sh is a one-shot, idempotent migration for already-flashed images: pre-flights the variant, mount and EEPROM date (via vcgencmd bootloader_version); installs flash-kernel-piboot; removes the legacy helper; runs flash-kernel to trigger the package's own migrate() (which moves existing assets into current/, rewrites config.txt with os_prefix=, and writes autoboot.txt with tryboot_a_b=1); then verifies the new layout. A subsection in docs/GUIDE-IMAGES.md points operators at it.

Out of scope

Pre-resolute (noble) pi support; packaging the migration script; further dtparam overrides via /etc/flash-kernel/db (our settings live in config.txt, which flash-kernel preserves).