Comment 14 for bug 2040139

Aleksandr Mikhalitsyn (mihalicyn) wrote :

Tom is absolutely right in that we depend on the UEFI Shell thing to enroll Secure Boot keys and generate NVRAM:
      # 4MB variant
      ./edk2-vars-generator -f "${FIRMWARE}" \
        -e ../../edk2/build/Build/*/*/*/EnrollDefaultKeys.efi \
        -s ../../edk2/build/Build/*/*/*/Shell.efi \
        -c "${CRAFT_STAGE}/share/qemu/OVMF_CODE.4MB.fd" \
        -V "${CRAFT_STAGE}/share/qemu/OVMF_VARS.4MB.fd" \
        -C "$(cat ubuntu-sb.crt)" \
        -o "${CRAFT_PART_INSTALL}/share/qemu/OVMF_VARS.4MB.ms.fd"

Source: https://github.com/canonical/lxd-pkg-snap/blob/208ea1256a64c3f7116c5f8e5e279bd0238705d2/snapcraft.yaml#L962

So, we can't just disable it. Before that we need to learn how to generate NVRAM and enroll Secure Boot keys without it.

Theoretically, we can build a firmware with the shell in the first step, then generate NVRAM, then build a firmware without the shell but take NVRAM from the previous step. The NVRAM format is compatible between different builds of UEFI if they have the same FD_SIZE.
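
An added example, not part of the comment above or of the LXD packaging: a pre-flight check for the two-step idea, comparing the firmware volume header of the enrolled vars file with the VARS template from the shell-less build before the former is shipped. It assumes that "same FD_SIZE" shows up as equal file size and equal FvLength; the function names and the sample images are constructed for illustration.

```python
import struct
import uuid

# EFI_SYSTEM_NV_DATA_FV_GUID from edk2: marks a firmware volume holding the variable store
NV_DATA_FV_GUID = uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50")
# Start of EFI_FIRMWARE_VOLUME_HEADER:
# ZeroVector[16], FileSystemGuid[16], FvLength (u64), Signature (4 bytes)
FV_HEADER = struct.Struct("<16s16sQ4s")


def parse_vars_header(image: bytes) -> dict:
    """Return the size facts of an OVMF_VARS-style image, or raise ValueError."""
    if len(image) < FV_HEADER.size:
        raise ValueError("image shorter than a firmware volume header")
    _zero, guid, fv_length, signature = FV_HEADER.unpack_from(image)
    if signature != b"_FVH":
        raise ValueError("missing _FVH signature")
    if uuid.UUID(bytes_le=guid) != NV_DATA_FV_GUID:
        raise ValueError("firmware volume is not an NV data volume")
    if fv_length > len(image):
        raise ValueError("FvLength exceeds file size (truncated image)")
    return {"file_size": len(image), "fv_length": fv_length}


def reusable_with(generated: bytes, template: bytes) -> bool:
    """True if the enrolled store has the same sizes as the target build's template."""
    return parse_vars_header(generated) == parse_vars_header(template)


def make_image(size: int) -> bytes:
    """Constructed sample image: header fields only, rest padded with 0xFF."""
    header = FV_HEADER.pack(bytes(16), NV_DATA_FV_GUID.bytes_le, size, b"_FVH")
    return header + b"\xff" * (size - len(header))


if __name__ == "__main__":
    # Constructed sizes; real files would be read from the two build outputs.
    enrolled = make_image(0x84000)    # stands in for the step-one output with keys enrolled
    same_size = make_image(0x84000)   # VARS template from a build with the same FD_SIZE
    other_size = make_image(0x20000)  # VARS template from a build with a different FD_SIZE
    print("same FD_SIZE reusable:", reusable_with(enrolled, same_size))
    print("different FD_SIZE reusable:", reusable_with(enrolled, other_size))
```

A mismatch here means the vars file from the shell-enabled build should not be paired with the shell-less code image.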