@mkukri has a solution to replace the EFI shell with python-uefivars to enroll keys. I don't know the specifics. I believe this would require python-uefivars in main for all affected releases, which would require MIR coordination.
Having images that are clearly documented as not supporting Secure Boot sounds fine to me. This implies a threat model where a local attacker is not a concern. An option to enable EFI Shell on Secure Boot systems is also okay (say for debugging), as long as it is opt in (secure by default) and the risk is well communicated.
Thanks Dann!