@mjg59 recently pointed out a kernel that should have lockdown support, but still allowed random port io with ioperm(), which leads to the bigger question:
There have been various iterations of the kernel lockdown patchset that distributions have applied in releases, and it's not entirely clear what the baseline should be, and when it should move forward, as a requirement for shim signing.
1. define a baseline, probably the merged initial patch set + maybe some followup patches
   1.1. do additional lockdown patches get CVEs or are they not considered security bugs, but hardening features?
2. define how we want to handle adding new lockdown patches to the requirements (figure out what MS wants)
The upstream commit for fixing CVE-2022-21505 (see https://seclists.org/oss-sec/2022/q3/57) should be included in the list once the patch has made it into upstream. IMA should prevent setting ima_appraise=log when booted via secure boot but you could argue that it is more secure to assume that IMA may fail to prevent setting ima_appraise=log and therefore also prevent this issue when booted via secure boot.
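The symptom the issue opens with, a kernel that advertises lockdown but still grants ioperm(), is something a distribution can verify on a booted image before submitting a shim. The program below is an added example and is not part of this issue or of the shim-review repository: it reads the active mode from /sys/kernel/security/lockdown, probes ioperm() on a single port without performing any I/O, and flags the mismatch. The sysfs path and the "none [integrity] confidentiality" line format are the upstream lockdown LSM's; the x86/glibc dependency for the ioperm() probe and the choice of port 0x80 are assumptions of this example.

```c
/* lockdown_check.c -- added example, not code from the issue or from shim.
 * Reports the active kernel lockdown mode and whether ioperm() is still
 * granted.  The parsing helpers are portable; the ioperm() probe assumes
 * Linux on x86 with glibc's <sys/io.h>. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>
#define HAVE_IOPERM 1
#else
#define HAVE_IOPERM 0
#endif

enum lockdown_level { LD_UNKNOWN = -1, LD_NONE = 0, LD_INTEGRITY = 1, LD_CONFIDENTIALITY = 2 };

/* Parse text in the format of /sys/kernel/security/lockdown, e.g.
 * "none [integrity] confidentiality\n": the bracketed word is the active mode. */
int lockdown_level_from_text(const char *text)
{
    const char *open = strchr(text, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    if (!open || !close)
        return LD_UNKNOWN;
    size_t n = (size_t)(close - open - 1);
    if (n == 4 && strncmp(open + 1, "none", 4) == 0)
        return LD_NONE;
    if (n == 9 && strncmp(open + 1, "integrity", 9) == 0)
        return LD_INTEGRITY;
    if (n == 15 && strncmp(open + 1, "confidentiality", 15) == 0)
        return LD_CONFIDENTIALITY;
    return LD_UNKNOWN;
}

/* Raw port access (LOCKDOWN_IOPORT) belongs to the integrity set of lockdown
 * reasons, so any mode at or above "integrity" must refuse ioperm(). */
int lockdown_expects_ioperm_denied(int level)
{
    return level >= LD_INTEGRITY;
}

/* Read the live mode; LD_UNKNOWN if the lockdown LSM is not built in. */
int read_lockdown_level(void)
{
    char buf[128];
    FILE *f = fopen("/sys/kernel/security/lockdown", "r");
    if (!f)
        return LD_UNKNOWN;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return LD_UNKNOWN;
    }
    fclose(f);
    return lockdown_level_from_text(buf);
}

enum ioperm_probe { PROBE_ALLOWED, PROBE_DENIED, PROBE_UNAVAILABLE };

/* Request access to the POST diagnostic port 0x80 (one port, no I/O issued)
 * and drop it again.  Meaningful only when run with CAP_SYS_RAWIO: without
 * that capability ioperm() fails with EPERM whether or not lockdown is on. */
int probe_ioperm(void)
{
#if HAVE_IOPERM
    if (ioperm(0x80, 1, 1) == 0) {
        ioperm(0x80, 1, 0);
        return PROBE_ALLOWED;
    }
    return errno == EPERM ? PROBE_DENIED : PROBE_UNAVAILABLE;
#else
    return PROBE_UNAVAILABLE;
#endif
}

int main(void)
{
    static const char *names[] = { "none", "integrity", "confidentiality" };
    int level = read_lockdown_level();
    int probe = probe_ioperm();

    printf("lockdown mode: %s\n", level < 0 ? "unknown (no lockdown LSM)" : names[level]);
    printf("ioperm(0x80):  %s\n", probe == PROBE_ALLOWED ? "allowed"
                                 : probe == PROBE_DENIED ? "denied (EPERM)" : "not tested");
    if (lockdown_expects_ioperm_denied(level) && probe == PROBE_ALLOWED)
        printf("MISMATCH: lockdown reports %s but ioperm() succeeded\n", names[level]);
    return 0;
}
```

Run it as root on the candidate kernel (the probe is only informative with CAP_SYS_RAWIO); a "MISMATCH" line is the ioperm() gap described above and means the image is not at the lockdown baseline regardless of what the sysfs file claims.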