Comment 19 for bug 2040137

@seth-arnold The known mechanism is full access to physical memory via Shell commands, which can be turned into arbitrary code execution. However if you have the ability to go through that process you can also just run any unsigned binary after step 2 instead of having to use the Shell, I don't think it gets you any extra abilities over simply launching unsigned code.

@juliank If you have root access, you can also drop a script for the EFI shell on the ESP, change the boot order to it then trigger a reboot. After the reboot the shell script can launch a payload that runs a backdoored OSes, etc. FDE is hopefully fine if launching the Shell affects TPM measurements.

I think the issue here is arbitrary unsigned code execution without someone having access to an external console. E.g. similar to previous things tagged bypasses to Secure Boot.