Comment 9 for bug 2040137

Mate Kukri (mkukri) wrote:

A fairly simple and non-invasive fix I could PoC would be to patch EDK2 to only allow launching the Shell if SecureBootEnabled==0 || SecureBoot==0 || SetupMode==1.

That way key enrollment could stay identical for now, users with SB disabled would still have the shell available, and theoretically (fingers crossed) we'd get away with a small patch.
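
A model of the gate proposed in the comment above, as an added example: it is not part of the comment, not EDK2 code, and not the proposed patch. The `fw_var` store and the helper names are hypothetical, and treating a missing or malformed variable as not permitting the shell is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one firmware variable (not an EDK2 type). */
struct fw_var { const char *name; const uint8_t *data; size_t size; };

/* Read a one-byte variable: 0 on success, -1 if absent or not exactly 1 byte. */
static int read_u8(const struct fw_var *vars, size_t n, const char *name, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(vars[i].name, name) != 0)
            continue;
        if (vars[i].data == NULL || vars[i].size != 1)
            return -1;
        *out = vars[i].data[0];
        return 0;
    }
    return -1;
}

/* The comment's condition. Assumption: a clause only counts when its variable
 * was read successfully, so an unreadable variable never unlocks the shell. */
int shell_launch_allowed(const struct fw_var *vars, size_t n)
{
    uint8_t v;
    if (read_u8(vars, n, "SecureBootEnabled", &v) == 0 && v == 0) return 1;
    if (read_u8(vars, n, "SecureBoot", &v) == 0 && v == 0) return 1;
    if (read_u8(vars, n, "SetupMode", &v) == 0 && v == 1) return 1;
    return 0;
}

/* Constructed sample states (not captured from real firmware). */
static const uint8_t OFF = 0, ON = 1;
static const struct fw_var enforcing[] = {
    { "SecureBootEnabled", &ON, 1 }, { "SecureBoot", &ON, 1 }, { "SetupMode", &OFF, 1 } };
static const struct fw_var sb_disabled[] = {
    { "SecureBootEnabled", &OFF, 1 }, { "SecureBoot", &OFF, 1 }, { "SetupMode", &OFF, 1 } };
static const struct fw_var truncated[] = { /* SetupMode present but zero-length */
    { "SecureBootEnabled", &ON, 1 }, { "SecureBoot", &ON, 1 }, { "SetupMode", &ON, 0 } };

int demo_enforcing(void)   { return shell_launch_allowed(enforcing, 3); }
int demo_sb_disabled(void) { return shell_launch_allowed(sb_disabled, 3); }
int demo_truncated(void)   { return shell_launch_allowed(truncated, 3); }

int main(void) {
    printf("%d %d %d\n", demo_enforcing(), demo_sb_disabled(), demo_truncated());
    return 0;
}
```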