--- /dev/null
+From: Mate Kukri <mate.kukri@canonical.com>
+Date: Wed, 6 Dec 2023 15:47:42 +0000
+Subject: Shell: Disable the Shell when SecureBoot is enabled and not in
+ SetupMode
+
+Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
+---
+ ShellPkg/Application/Shell/Shell.c | 14 ++++++++++++++
+ ShellPkg/Application/Shell/Shell.h | 3 +++
+ ShellPkg/Application/Shell/Shell.inf | 2 ++
+ ShellPkg/ShellPkg.dsc | 1 +
+ 4 files changed, 20 insertions(+)
+
+Origin: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137/+attachment/5741528/+files/Disable-the-Shell-when-SecureBoot-is-enabled.patch
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641
+Bug-Ubuntu: https://launchpad.net/bugs/2040137
+Last-Updated: 2024-02-11
+Forwarded: https://bugzilla.tianocore.org/show_bug.cgi?id=4641#c0
+
+diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
+index f95c799..502013d 100644
+--- a/ShellPkg/Application/Shell/Shell.c
++++ b/ShellPkg/Application/Shell/Shell.c
+@@ -357,6 +357,20 @@ UefiMain (
+ EFI_HANDLE ConInHandle;\r
+ EFI_SIMPLE_TEXT_INPUT_PROTOCOL *OldConIn;\r
+ SPLIT_LIST *Split;\r
++ UINT8 SetupMode;\r
++\r
++ //\r
++ // Check for Secure Boot mode\r
++ //\r
++ if (IsSecureBootEnabled()) {\r
++ Status = GetSetupMode (&SetupMode);\r
++ if (EFI_ERROR (Status)) {\r
++ return (Status);\r
++ }\r
++ if (SetupMode != 1) {\r
++ return (EFI_SECURITY_VIOLATION);\r
++ }\r
++ }\r
+ \r
+ if (PcdGet8 (PcdShellSupportLevel) > 3) {\r
+ return (EFI_UNSUPPORTED);\r
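Review bot: The new guard compares `SetupMode` against the bare literal `1` and then refuses to start without any diagnostic; since the same patch already pulls `Guid/ImageAuthentication.h` into Shell.h, the named constant should be used, `if (SetupMode != SETUP_MODE) {`, so the intent is visible at the call site. A refused launch currently surfaces only as an opaque `EFI_SECURITY_VIOLATION` to the loader, so a log line before that return, such as `DEBUG ((DEBUG_ERROR, "Shell: SecureBoot enabled and not in SetupMode, refusing to start\n"));`, would make the policy decision traceable in firmware logs (assuming DebugLib is already in scope for Shell.c, as the rest of the file appears to use edk2 debug macros). Failing closed when `GetSetupMode` returns an error is the right choice and should stay. Note that this check is a self-imposed policy of a signed shell binary and not a substitute for the platform's image-verification policy, which is worth stating in the comment block above the check. UefiMain begins and ends outside this hunk.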
+diff --git a/ShellPkg/Application/Shell/Shell.h b/ShellPkg/Application/Shell/Shell.h
+index 89b4ac6..595ec79 100644
+--- a/ShellPkg/Application/Shell/Shell.h
++++ b/ShellPkg/Application/Shell/Shell.h
+@@ -11,9 +11,11 @@
+ #define _SHELL_INTERNAL_HEADER_\r
+ \r
+ #include <Uefi.h>\r
++#include <UefiSecureBoot.h>\r
+ \r
+ #include <Guid/ShellVariableGuid.h>\r
+ #include <Guid/ShellAliasGuid.h>\r
++#include <Guid/ImageAuthentication.h>\r
+ \r
+ #include <Protocol/LoadedImage.h>\r
+ #include <Protocol/SimpleTextOut.h>\r
+@@ -42,6 +44,7 @@
+ #include <Library/HandleParsingLib.h>\r
+ #include <Library/FileHandleLib.h>\r
+ #include <Library/UefiHiiServicesLib.h>\r
++#include <Library/SecureBootVariableLib.h>\r
+ \r
+ #include "ShellParametersProtocol.h"\r
+ #include "ShellProtocol.h"\r
+diff --git a/ShellPkg/Application/Shell/Shell.inf b/ShellPkg/Application/Shell/Shell.inf
+index f1e41de..340585f 100644
+--- a/ShellPkg/Application/Shell/Shell.inf
++++ b/ShellPkg/Application/Shell/Shell.inf
+@@ -47,6 +47,7 @@
+ MdePkg/MdePkg.dec\r
+ ShellPkg/ShellPkg.dec\r
+ MdeModulePkg/MdeModulePkg.dec\r
++ SecurityPkg/SecurityPkg.dec\r
+ \r
+ [LibraryClasses]\r
+ BaseLib\r
+@@ -66,6 +67,7 @@
+ SortLib\r
+ HandleParsingLib\r
+ UefiHiiServicesLib\r
++ SecureBootVariableLib\r
+ \r
+ [Guids]\r
+ gShellVariableGuid ## SOMETIMES_CONSUMES ## GUID\r
+diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc
+index dd0d886..28d6a87 100644
+--- a/ShellPkg/ShellPkg.dsc
++++ b/ShellPkg/ShellPkg.dsc
+@@ -64,6 +64,7 @@
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf\r
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf\r
+ ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf\r
++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf\r
+ \r
+ [LibraryClasses.ARM,LibraryClasses.AARCH64]\r
+ #\r