root: Dump LUKS headers into the image to allow reencryption

initramfs compares LUKS headers with the ones known at image building time to determine whether rootfs needs to be reencrypted on-device.

Makes librem5-base!340 (merged) work at first boot after reflash.

root.sh

@@ -55,6 +55,7 @@ function setup_qemu()
 }
 
 CRYPTROOT="${basedir}/etc/initramfs-tools/hooks/99_cryptroot"
+LUKSDUMPDIR="${basedir}/var/lib/reencrypt"
 
 # crypsetup tries to be clever and resolves the root device's UUID to
 # /dev/mapper/loop0p? so just copy an unmodified crypttab over. We drop
@@ -86,6 +87,7 @@ copy_file crypttab /etc/crypttab /cryptroot/crypttab
 exit 0
 EOF
   chmod a+x "$CRYPTROOT"
+  mkdir -p "$LUKSDUMPDIR"
 
   chroot "${basedir}" apt install -y "${luks_pkgs[@]}"
 
@@ -93,6 +95,10 @@ EOF
   sed -i 's%discard%discard,keyscript=/usr/share/initramfs-tools/scripts/osk-sdl-keyscript%' "${basedir}/etc/crypttab"
   chroot "${basedir}" update-initramfs -u
   chroot "${basedir}" flash-kernel
+
+  # dump LUKS header, so we can reencrypt on device at first boot
+  LUKSDEV=$(chroot "${basedir}" cryptsetup status crypt_root | awk -F: '$1~/device/ {gsub(/^[ \t]+/, "", $2); print $2}')
+  chroot "${basedir}" cryptsetup luksDump "$LUKSDEV" > "$LUKSDUMPDIR/dump"
 }
 
 function cleanup_cryptroot()