Comment 8 for bug 2040137

Mate Kukri (mkukri) wrote:

If the "non-secure-boot" images still have both the Shell always enabled and give the user the option to enroll their own keys and set up SB, they could still end up with Secure Boot enabled and have the shell. Of course it's somewhat better than the same with prod keys, and we can clearly label it as "not supported", but it still exposes an insecure scenario.

The point I am trying to make is that if we'd like to have both Secure Boot support and the Shell at the same time in any of the images, I think the ability to launch the shell should be gated against Secure Boot being enabled (maybe with a hopefully upstream-able patch?). Or I guess another option is to compile out Secure Boot support from images that have the shell.
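
The gating proposed in the comment above, sketched as an added example that is not part of the comment and not code from the firmware project: a portable C model of the decision, taking the result of reading the UEFI global variable `SecureBoot`. The `var_status` enum, the `shell_launch_allowed` name and the fail-closed policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the status a firmware variable read returns. */
enum var_status { VAR_OK, VAR_NOT_FOUND, VAR_ERROR };

/*
 * Decide whether the Shell may be launched, given the result of reading the
 * UEFI global variable "SecureBoot" (one byte: 1 = enabled, 0 = disabled).
 * Assumed policy: any ambiguous result denies the Shell.
 */
bool shell_launch_allowed(enum var_status st, const uint8_t *data, size_t len)
{
    if (st == VAR_NOT_FOUND)
        return true;   /* variable absent: treated as no Secure Boot support (assumption) */
    if (st != VAR_OK || data == NULL || len != 1)
        return false;  /* read error or malformed value: fail closed */
    return data[0] == 0; /* only an explicit "disabled" permits the Shell */
}

int main(void)
{
    /* Constructed sample values, not captured from real firmware. */
    const uint8_t enabled = 1, disabled = 0;
    const uint8_t malformed[2] = { 0, 0 };

    printf("SecureBoot=1        -> shell allowed: %d\n",
           shell_launch_allowed(VAR_OK, &enabled, 1));
    printf("SecureBoot=0        -> shell allowed: %d\n",
           shell_launch_allowed(VAR_OK, &disabled, 1));
    printf("variable not found  -> shell allowed: %d\n",
           shell_launch_allowed(VAR_NOT_FOUND, NULL, 0));
    printf("read error          -> shell allowed: %d\n",
           shell_launch_allowed(VAR_ERROR, NULL, 0));
    printf("malformed (2 bytes) -> shell allowed: %d\n",
           shell_launch_allowed(VAR_OK, malformed, sizeof malformed));
    return 0;
}
```

The "variable not found" branch corresponds to the comment's second option, an image with Secure Boot support compiled out; in that case the Shell stays available.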