Blancco: back to Ubuntu-kernel switch_root; track grub-blancco.cfg in git

Two changes in one:

1. grub-blancco.cfg reverts to booting vmlinuz-ubuntu + kexec-initrd.img
   (the switch_root path from commit dd2fec5). b7cd097 had switched
   back to Blancco's native vmlinuz-bde-linux via TFTP for "hardware
   compat," but that turned out to regress on modern Dell fleet
   hardware - Blancco's packaged kernel lacks igc (Intel I225/I226 on
   Latitude 5330/5440, Pro-series, newer OptiPlex). Symptom was
   successful TFTP fetch of kernel+initrd, then silence at the Blancco
   UI ("no network card found") because the rootfs HTTP fetch has no
   NIC to use.

   The switch_root initramfs built by the Ansible playbook now carries
   igc, bnxt_en, r8169, atlantic, and other modern NIC modules, so the
   Ubuntu kernel path reliably finds a working NIC across the whole
   fleet before HTTP-fetching airootfs.sfs and kexec'ing into Blancco.

   Native kernel still runs under Blancco's control after kexec - only
   the *loader* kernel changes.

   The grubx64.efi binary (embedding this config via grub-mkstandalone)
   was rebuilt and pushed to /var/www/html/blancco/ on both PXE servers
   (.1 and .2). Old binary kept as grubx64.efi.bak-<timestamp> on each.

2. .gitignore: negate boot-tools/blancco/grub-blancco.cfg so this one
   file is version-controlled. boot-tools/ is otherwise local cache
   artifacts (kernel/initrd/sfs extracted from Blancco ISO, grubx64.efi
   built output). grub-blancco.cfg is source-of-truth and must not be
   re-derived; any new PXE server build needs the exact same content
   or the Blancco boot chain regresses.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -22,8 +22,14 @@ WestJeff*/
 # Offline packages (built by download-packages.sh)
 offline-packages/
 
-# Boot tool binaries (built by prepare-boot-tools.sh)
-boot-tools/
+# Boot tool binaries (built by prepare-boot-tools.sh). Everything
+# under boot-tools/ is local artifact cache - EXCEPT grub-blancco.cfg,
+# which is the source-of-truth config embedded into Blancco's
+# grubx64.efi at build time and must be version-controlled.
+boot-tools/*
+!boot-tools/blancco/
+boot-tools/blancco/*
+!boot-tools/blancco/grub-blancco.cfg
 
 # WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.)
 boot-files/
@@ -54,23 +60,23 @@ secrets.md
 enrollment/
 drivers-staging/
 bios-staging/
-.claude/
-
-# Secrets and credentials (defensive)
-.env
-.env.*
-!.env.example
-!.env.*.example
-*.pem
-*.key
-id_rsa
-id_rsa.*
-*.ppk
-*.p12
-*.pfx
-secrets.json
-secrets.yaml
-secrets.yml
-*_secret
-*_secrets
-credentials.json
+.claude/
+
+# Secrets and credentials (defensive)
+.env
+.env.*
+!.env.example
+!.env.*.example
+*.pem
+*.key
+id_rsa
+id_rsa.*
+*.ppk
+*.p12
+*.pfx
+secrets.json
+secrets.yaml
+secrets.yml
+*_secret
+*_secrets
+credentials.json

boot-tools/blancco/grub-blancco.cfg

@@ -0,0 +1,31 @@
+set default=0
+set timeout=0
+set gfxpayload=text
+
+insmod all_video
+insmod efi_gop
+insmod efinet
+insmod net
+insmod http
+net_bootp efinet0
+net_bootp efinet1
+net_bootp efinet2
+net_bootp efinet3
+
+# Boot Ubuntu kernel + small custom initramfs (kexec-initrd.img).
+# The custom init brings up the NIC (drivers baked in at build time:
+# e1000e, igb, igc, bnxt_en, tg3, bnx2, b44, r8169, atlantic, ...
+# much broader than Blancco's native vmlinuz-bde-linux ships with),
+# HTTP-fetches the Blancco rootfs (airootfs.sfs + native kernel +
+# initramfs) from this PXE server, overlay-mounts the rootfs, then
+# kexecs into Blancco's environment.
+#
+# Previous native-kernel path (linux ...vmlinuz-bde-linux via TFTP)
+# was abandoned because Blancco's kernel ships with a narrow NIC
+# driver set that fails on modern Dell Latitude 5330/5440 and
+# newer 'Pro' series with Intel I225/I226 NICs - "no network card
+# found" at the Blancco UI after TFTP load succeeds.
+menuentry "Blancco Drive Eraser" {
+    linux (http,10.9.100.1)/blancco/vmlinuz-ubuntu ip=dhcp
+    initrd (http,10.9.100.1)/blancco/kexec-initrd.img
+}