sulogin: Read SYSTEMD_SULOGIN_FORCE from kernel cmdline

This allows setting it on the kernel cmdline and having it work
automatically without having to write any dropins or such.

Also enable the option in mkosi so that we can debug the initrd
properly with a locked root account.

mkosi.conf.d/10-systemd.conf

@@ -28,3 +28,5 @@ KernelCommandLineExtra=systemd.crash_shell
                        printk.devkmsg=on
                        # Tell networkd to manage the ethernet interface.
                        ip=enp0s1:any
+                       # Make sure sulogin works even with a locked root account.
+                       SYSTEMD_SULOGIN_FORCE=1

src/sulogin-shell/sulogin-shell.c

@@ -17,6 +17,7 @@
 #include "log.h"
 #include "main-func.h"
 #include "process-util.h"
+#include "proc-cmdline.h"
 #include "signal-util.h"
 #include "special.h"
 #include "unit-def.h"
@@ -116,6 +117,7 @@ static int run(int argc, char *argv[]) {
                 NULL,             /* --force */
                 NULL
         };
+        bool force = false;
         int r;
 
         log_setup();
@@ -123,6 +125,18 @@ static int run(int argc, char *argv[]) {
         print_mode(argc > 1 ? argv[1] : "");
 
         if (getenv_bool("SYSTEMD_SULOGIN_FORCE") > 0)
+                force = true;
+
+        if (!force) {
+                /* We look the argument in the kernel cmdline under the same name as the environment variable
+                 * to express that this is not supported at the same level as the regular kernel cmdline
+                 * switches. */
+                r = proc_cmdline_get_bool("SYSTEMD_SULOGIN_FORCE", &force);
+                if (r < 0)
+                        log_debug_errno(r, "Failed to parse SYSTEMD_SULOGIN_FORCE from kernel command line, ignoring: %m");
+        }
+
+        if (force)
                 /* allows passwordless logins if root account is locked. */
                 sulogin_cmdline[1] = "--force";