
grub: disable PCIe ACS override for EVE-K boot #5969

Merged: eriknordmark merged 2 commits into lf-edge:master from rucoder:rucoder/no-acs-for-k on May 21, 2026
@rucoder rucoder commented May 18, 2026

Description

EVE-K's grub config has been booting the kernel with pcie_acs_override=downstream,multifunction on the dom0_flavor_tweaks command line. The ACS override patch forces the kernel to treat PCIe downstream ports as if they implement Access Control Services, artificially splitting IOMMU groups. While useful for some passthrough scenarios on consumer hardware, it weakens isolation guarantees between devices and is not appropriate as a default for EVE-K nodes — IOMMU groups should reflect the platform's actual ACS topology.

This change removes that flag from pkg/grub/rootfs.cfg so EVE-K boots with upstream kernel behavior. Devices that genuinely share an IOMMU group continue to do so, and passthrough on such hardware must be configured deliberately rather than implicitly enabled by the ACS override.

NOTE: the device model must be regenerated, and updating to EVE-K after this commit will break current installations, but EVE-K is not in production yet so this is not a problem.

How to test and validate this PR

  1. Build an EVE-K image from this branch and install on a test node.
  2. Inspect /proc/cmdline on the running node — the pcie_acs_override=… token must be absent.
  3. Inspect /sys/kernel/iommu_groups/ — IOMMU group membership should match the platform's actual ACS topology (groups with multiple devices that lack ACS should no longer be artificially split).
  4. Sanity-check that EVE-K still boots and applications launch on platforms that previously relied on default isolation (i.e. weren't depending on the override to split a group).

Changelog notes

EVE-K nodes no longer boot with the pcie_acs_override kernel option. IOMMU groups now reflect the platform's real ACS topology; PCI passthrough configurations that implicitly relied on the override to split a shared IOMMU group will need to be revisited.

PR Backports

  • 16.0-stable: No
  • 14.5-stable: No
  • 13.4-stable: No

Checklist

  • I've provided a proper description

  • I've added the proper documentation

  • I've tested my PR on amd64 device

  • I've tested my PR on arm64 device

  • I've written the test verification instructions

  • I've set the proper labels to this PR

  • I've checked the boxes above, or I've provided a good reason why I didn't check them.
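
The checks in validation steps 2 and 3 above, as an added shell example that is not part of the PR or the EVE code base; the function names, the sample command lines and the device addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for validation steps 2 and 3. Paths are arguments so the
# functions can run against a real node or against the constructed sample below.

# Succeeds if the kernel command line in file $1 carries a pcie_acs_override= token.
has_acs_override() {
    case " $(cat "$1") " in
        *" pcie_acs_override="*) return 0 ;;
    esac
    return 1
}

# Prints one line per IOMMU group under $1 that holds more than one device.
# Devices listed together share isolation and can only be assigned together.
shared_groups() {
    for g in "$1"/*; do
        n=0 devs=
        for d in "$g"/devices/*; do
            [ -e "$d" ] || [ -L "$d" ] || continue
            n=$((n + 1)) devs="$devs ${d##*/}"
        done
        if [ "$n" -gt 1 ]; then echo "group ${g##*/}:$devs"; fi
    done
}

# Constructed sample data (not from a real node): two command lines and a
# two-group tree laid out like /sys/kernel/iommu_groups.
make_sample() {
    mkdir -p "$1/iommu_groups/0/devices" "$1/iommu_groups/1/devices"
    echo "console=tty0 pcie_acs_override=downstream,multifunction" > "$1/cmdline.before"
    echo "console=tty0" > "$1/cmdline.after"
    : > "$1/iommu_groups/0/devices/0000:00:1f.0"
    : > "$1/iommu_groups/1/devices/0000:01:00.0"
    : > "$1/iommu_groups/1/devices/0000:01:00.1"
}

sample=$(mktemp -d)
make_sample "$sample"
for f in "$sample/cmdline.before" "$sample/cmdline.after"; do
    if has_acs_override "$f"; then echo "${f##*/}: override present"
    else echo "${f##*/}: override absent"; fi
done
shared_groups "$sample/iommu_groups"
rm -rf "$sample"
```

On a test node, call `has_acs_override /proc/cmdline` and `shared_groups /sys/kernel/iommu_groups`, and compare the group listing against one taken from an image built before this change.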

Drop the dom0_flavor_tweaks line that sets
pcie_acs_override=downstream,multifunction on the EVE-K boot path.

The ACS override patch forces the kernel to treat PCIe downstream ports
as if they implement Access Control Services, artificially splitting
IOMMU groups. That weakens isolation guarantees between devices and is
not appropriate as a default for EVE-K nodes — IOMMU groups should
reflect the platform's actual ACS topology.

With this change EVE-K boots with upstream kernel behavior: devices that
genuinely share an IOMMU group continue to do so, and passthrough on
such hardware must be configured deliberately rather than implicitly
enabled by the ACS override.

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
@rucoder rucoder requested a review from rene as a code owner May 18, 2026 18:03
@github-actions github-actions Bot requested a review from eriknordmark May 18, 2026 18:04
codecov Bot commented May 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 21.05%. Comparing base (2caf795) to head (3e4a690).
⚠️ Report is 25 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5969      +/-   ##
==========================================
+ Coverage   20.64%   21.05%   +0.41%     
==========================================
  Files         489      499      +10     
  Lines       90431    92129    +1698     
==========================================
+ Hits        18667    19399     +732     
- Misses      70187    70974     +787     
- Partials     1577     1756     +179     



@eriknordmark eriknordmark left a comment


Shouldn't we add some docs/.md about how to re-enable this for some specific device that needs it? And/or provide an example in the conf/grub file?

rucoder commented May 20, 2026

@eriknordmark @rene I tested and ACS is disabled on eve-k

rene commented May 20, 2026

> Shouldn't we add some docs/.md about how to re-enable this for some specific device that needs it? And/or provide an example in the conf/grub file?

makes sense to me as well....

Add a subsection under the IOMMU support discussion in HYPERVISORS.md
that explains the historical use of the out-of-tree ACS override patch
via pcie_acs_override=downstream,multifunction on the kernel command
line, and notes that EVE-K boots without it so IOMMU groups reflect the
platform's actual ACS topology.

Cross-reference the new subsection from EVE-K.md so readers looking at
the Kubernetes flavor specifically can find the rationale and its
implications for PCI passthrough.

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
@github-actions github-actions Bot requested a review from eriknordmark May 21, 2026 09:26
Comment thread docs/HYPERVISORS.md

Historically EVE booted with `pcie_acs_override=downstream,multifunction` on the kernel command line. This option comes from the out-of-tree "ACS override" patch and forces the kernel to treat PCIe downstream and multifunction ports as if they implemented ACS, artificially splitting IOMMU groups so that devices which actually share isolation can still be assigned independently. It is useful for passthrough on consumer hardware where the platform does not implement ACS correctly, but it weakens the isolation guarantees that IOMMU groups are meant to express.

EVE-K (the Kubernetes flavor) boots without `pcie_acs_override` — see `set_k_boot` in [`pkg/grub/rootfs.cfg`](../pkg/grub/rootfs.cfg). IOMMU groups on EVE-K therefore reflect the platform's actual ACS topology: devices that genuinely share a group remain grouped, and passthrough on such hardware must be configured deliberately rather than relying on the override to split a shared group.
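
Review bot: The first paragraph opens with "Historically EVE booted with ..." while the second paragraph says only that EVE-K boots without the option, so a reader cannot tell whether the other EVE flavors still pass pcie_acs_override today. Suggest stating explicitly which flavors still set it. The second paragraph also says passthrough "must be configured deliberately" without saying where; a pointer to the place an operator would re-enable the option for a specific device would close that gap.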

Can we add a reference to using /config/grub.cfg for the case when folks want to enable the ACS patch?


@eriknordmark eriknordmark left a comment


Kick off tests

@eriknordmark eriknordmark merged commit 0aa8e0b into lf-edge:master May 21, 2026
37 of 40 checks passed