Drop some Secure Boot backward compatibility

Debian used to change the behaviour of secure boot in Linux in several ways. It allows the use of a Machine Owner Key (MOK) always, while Linux upstream requires a specific flag in shim. It allows to denylist kernel modules via the UEFI DBX.

The use of Machine Owner Key is reverted to the way Linux upstream uses it. The flag for this is properly set by shim.

Debian does not sign modules with the secure boot key anymore. We can instead denylist the complete kernel version via SBAT.