Code review comment for ~juliank/shim/+git/shim-signed:alternatives

on_secure_boot and most of have_non_revoked_kernel are copied from grub-check-signatures (which would fail postinst with a debconf dialog, which is not actually meaningful as the files are unpacked and would be used). We should evaluate unifying things in the future, but this avoids both tying in a grub2 SRU (there is one in progress already) and our is-not-revoked helper can be used for build-time testing.