A fairly simple and non-invasive fix I could PoC would be to patch EDK2 to only allow launching the Shell if SecureBootEnabled==0 || SecureBoot==0 || SetupMode==1.
That way key enrollment could stay identical for now, users with SB disabled would still have the shell available, and theoretically (fingers crossed) we'd get away with a small patch.
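The gate proposed above, written out as an added example in plain C rather than as an actual EDK2 patch (it is not the poster's code and not from EDK2). Real firmware would read the three values with gRT->GetVariable(): L"SecureBoot" and L"SetupMode" are the UEFI-spec variables under EFI_GLOBAL_VARIABLE_GUID; the platform's "SecureBootEnable" setup variable name and GUID are assumed here and should be checked against SecureBootConfigDxe. The mock variable store, the -1 "unreadable" convention and the fail-closed defaults (an unreadable variable counts as the enforcing value, so a missing variable can never open the shell) are this example's own design choices, not something the comment states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the UEFI variable store (no EDK2 headers needed). */
typedef struct {
    const char *name;
    uint8_t     value;
    int         present;   /* 0 models gRT->GetVariable() returning EFI_NOT_FOUND */
} MockVar;

typedef struct {
    const MockVar *vars;
    size_t         count;
} MockVarStore;

/* Returns 0 and fills *out on success, -1 when the variable cannot be read. */
static int MockGetVariable(const MockVarStore *store, const char *name, uint8_t *out)
{
    for (size_t i = 0; i < store->count; i++) {
        if (strcmp(store->vars[i].name, name) == 0) {
            if (!store->vars[i].present)
                return -1;
            *out = store->vars[i].value;
            return 0;
        }
    }
    return -1;
}

/* The gate from the comment:
 *   allow shell iff SecureBootEnabled == 0 || SecureBoot == 0 || SetupMode == 1
 * Fail closed (assumption of this example): if a variable is unreadable it keeps
 * the enforcing default (SecureBootEnabled=1, SecureBoot=1, SetupMode=0). */
int ShellLaunchAllowed(const MockVarStore *store)
{
    uint8_t secureBootEnabled = 1;   /* platform "SecureBootEnable" (name assumed) */
    uint8_t secureBoot = 1;          /* UEFI "SecureBoot" */
    uint8_t setupMode = 0;           /* UEFI "SetupMode" */

    MockGetVariable(store, "SecureBootEnable", &secureBootEnabled);
    MockGetVariable(store, "SecureBoot", &secureBoot);
    MockGetVariable(store, "SetupMode", &setupMode);

    return secureBootEnabled == 0 || secureBoot == 0 || setupMode == 1;
}

/* Convenience wrapper: each argument is 0/1, or -1 to model an unreadable variable. */
int ShellAllowedFor(int secureBootEnabled, int secureBoot, int setupMode)
{
    MockVar vars[3] = {
        { "SecureBootEnable", (uint8_t)(secureBootEnabled < 0 ? 0 : secureBootEnabled), secureBootEnabled >= 0 },
        { "SecureBoot",       (uint8_t)(secureBoot < 0 ? 0 : secureBoot),               secureBoot >= 0 },
        { "SetupMode",        (uint8_t)(setupMode < 0 ? 0 : setupMode),                 setupMode >= 0 },
    };
    MockVarStore store = { vars, 3 };
    return ShellLaunchAllowed(&store);
}

int main(void)
{
    /* Constructed scenarios: enforcing SB, SB disabled by user, setup mode, all variables missing. */
    printf("SB enforcing            -> shell %s\n", ShellAllowedFor(1, 1, 0) ? "allowed" : "blocked");
    printf("SB disabled in setup    -> shell %s\n", ShellAllowedFor(0, 1, 0) ? "allowed" : "blocked");
    printf("SB variable reads 0     -> shell %s\n", ShellAllowedFor(1, 0, 0) ? "allowed" : "blocked");
    printf("SetupMode (no PK)       -> shell %s\n", ShellAllowedFor(1, 1, 1) ? "allowed" : "blocked");
    printf("all variables missing   -> shell %s\n", ShellAllowedFor(-1, -1, -1) ? "allowed" : "blocked");
    return 0;
}
```

The only behaviour beyond the comment's one-line condition is the unreadable-variable case: a real EDK2 change would have to decide what GetVariable failures mean, and treating them as "enforcing" keeps a broken or tampered variable store from becoming a way to reach the shell.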