boot: Rework shim image verification
This moves the shim security arch override to the new
ReinstallProtocolInterface based interface. This also has the benefit to
reduce the time window in which we have this override active and also
actually removes it, which was not previously done.
The shim hooks themselves are also modernized too. The upcalls should
really not be neccessary if shim is happy with the provided binary.