Comment 52 for bug 1574727

Verification done for XENIAL: grub2-signed, dkms, shim-signed all found to be working as expected. Test cases pass. As previously discussed, the grub2-signed update is not especially useful in itself and does need to drop the calls to mokutil, but will need a further SRU to remove calling update-secureboot-policy later.