Secureboot support for grsecurity kernel

[emkll]

Description

Initially reported by https://forum.securedrop.org/t/running-handler-common-reboot-if-rquired-due-to-security-updates/1397/1:

Some hardware now ships with secureboot enabled by default, and we are currently advising disabling secureboot in the BIOS to ensure our custom kernels can boot in [1] .

We should consider signing our kernels and initram as described in [2] and ensuring the integrity of the kernel is validated prior to boot. This will require shim-signed, where we can sign the kernels at build time and enroll keys on the servers during the install process.

[1] freedomofpress/securedrop-docs#158
[2] https://gloveboxes.github.io/Ubuntu-for-Azure-Developers/docs/signing-kernel-for-secure-boot.html