Add noefi to kernel command line

Since we use CONFIG_PAX_KERNEXEC, it is recommended we pass noefi to the commandline as EFI runtime are mapped RWX.

install_files/securedrop-grsec/DEBIAN/postinst

@@ -23,6 +23,11 @@ case "$1" in
     # highest kernel version. Any kernel provided by apt.freedom.press must
     # suprecede the ones provided by Ubuntu.
     sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+    # When using CONFIG_PAX_KERNEXEC, the grsecurity team recommends the kernel
+    # is booted with "noefi" on the kernel command line if "CONFIG_EFI" is
+    # enabled, as EFI runtime services are necessarily mapped as RWX.
+    sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/=.*/=\"quiet noefi\"/' /etc/default/grub
+
     update-grub
     ;;