@mihalicyn
There is a library called python-uefivars which allows you to modify UEFI variables FDs without having to boot a VM at all. I think it might be viable to write a script that enrolls the keys externally using it.
Eventually I'd like to get the library into the archive; currently I have packaged it for my own use: https://git.launchpad.net/~mkukri/+git/python-uefivars.
In the meantime, it doesn't seem to me that you actually need the shell to be built into the CODE fd itself here.
Is my understanding correct that the shell is put in a FAT image as `boot{x64,a64}.efi` and run that way? And it seems to run before SecureBoot is enabled anyways, so shouldn't it be possible to still build the Shell as an external EFI binary but not include it in the `code_{.*}.fd`s?