x86: Fixes context security

The big thing is that SW contexts are popped with sysret.  On Intel
machines, a non-canonical RIP will trigger a GP in kernel mode.
A user could have manged the RIP of a VC ctx in the VCPD of a preempted
vcore, then done a sys_change_to() to get the kernel to pop the ctx.

For more info, check out:
https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/

While I was here, I also had init_ctx always call secure_ctx.  This
removed some redundant code.  It also enforces gsbase for HW ctxs,
though it was just zeroed a moment before.

Finally, we memset the entire structure for new contexts.  If we used a
smaller context for the init ctx, we could leak some information when we
eventually copy the ctx to procdata.