misc/57534: replace cgdroot.kmod by cgdroot.fs and update documentation

[campbell+netbsd%mumble.net@localhost]

>Number:         57534
>Category:       misc
>Synopsis:       replace cgdroot.kmod by cgdroot.fs and update documentation
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 21 12:10:01 +0000 2023
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetCGD Documentation
>Environment:
hottest June on record, harbinger of worse to come
>Description:
The bootloader (at least on x86 and arm) has supported loading a ramdisk directly, without it being baked into a kernel module, for about a decade now.

The instructions for root-on-cgd at https://wiki.netbsd.org/security/cgdroot/ still describe the cgdroot.kmod kernel module, however, and it appears that the bare ramdisk isn't published in the releasedir anywhere.


>How-To-Repeat:
read https://wiki.netbsd.org/security/cgdroot/
>Fix:
1. cgdroot.fs (and zfsroot.fs) should be published in the releasedir.

2. https://wiki.netbsd.org/security/cgdroot/ should be updated to use cgdroot.fs.

3. Stretch goal: cgdroot and zfsroot should be combined, and support for https://github.com/riastradh/fidocrypt added (not necessary for closing this PR).