@seth-arnold The patch proposed here patches the Shell binary to exit with "EFI_SECURITY_VIOLATION" if the following condition is true: "SecureBootEnabled() && !SetupMode".
I suppose it is closer to "enumerating environments where Shell is disabled", but I also believe it is sufficient to restrict access to Shell to environments where unsigned code execution was allowed anyhow.
@seth-arnold The patch proposed here patches the Shell binary to exit with "EFI_SECURITY_ VIOLATION" if the following condition is true: "SecureBootEnab led() && !SetupMode".
I suppose it is closer to "enumerating environments where Shell is disabled", but I also believe it is sufficient to restrict access to Shell to environments where unsigned code execution was allowed anyhow.