diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh
index 7fa3ffbe53..13d4db132f 100755
--- a/tools/packaging/static-build/ovmf/build.sh
+++ b/tools/packaging/static-build/ovmf/build.sh
@@ -11,6 +11,7 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 readonly ovmf_builder="${script_dir}/build-ovmf.sh"
 
+# shellcheck source=/dev/null
 source "${script_dir}/../../scripts/lib.sh"
 
 DESTDIR=${DESTDIR:-${PWD}}
@@ -24,28 +25,28 @@ ovmf_package="${ovmf_package:-}"
 ovmf_branch="${ovmf_branch:-}"
 package_output_dir="${package_output_dir:-}"
 
-if [ -z "$ovmf_repo" ]; then
+if [[ -z "${ovmf_repo}" ]]; then
 	ovmf_repo=$(get_from_kata_deps ".externals.ovmf.url")
 fi
 
-[ -n "$ovmf_repo" ] || die "failed to get ovmf repo"
+[[ -n "${ovmf_repo}" ]] || die "failed to get ovmf repo"
 
-if [ "${ovmf_build}" == "x86_64" ]; then
-	[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.x86_64.version")
-	[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.x86_64.package")
-	[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.x86_64.package_output_dir")
-elif [ "${ovmf_build}" == "sev" ]; then
-	[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.sev.version")
-	[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.sev.package")
-	[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.sev.package_output_dir")
-elif [ "${ovmf_build}" == "tdx" ]; then
-	[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.tdx.version")
-	[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.tdx.package")
-	[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.tdx.package_output_dir")
-elif [ "${ovmf_build}" == "arm64" ]; then
-	[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.arm64.version")
-	[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.arm64.package")
-	[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.arm64.package_output_dir")
+if [[ "${ovmf_build}" == "x86_64" ]]; then
+	[[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.x86_64.version")
+	[[ -n "${ovmf_package}" ]] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.x86_64.package")
+	[[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.x86_64.package_output_dir")
+elif [[ "${ovmf_build}" == "sev" ]]; then
+	[[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.sev.version")
+	[[ -n "${ovmf_package}" ]] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.sev.package")
+	[[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.sev.package_output_dir")
+elif [[ "${ovmf_build}" == "tdx" ]]; then
+	[[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.tdx.version")
+	[[ -n "${ovmf_package}" ]] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.tdx.package")
+	[[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.tdx.package_output_dir")
+elif [[ "${ovmf_build}" == "arm64" ]]; then
+	[[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.arm64.version")
+	[[ -n "${ovmf_package}" ]] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.arm64.package")
+	[[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.arm64.package_output_dir")
 elif [[ "${ovmf_build}" == "cca" ]]; then
   ovmf_repo=$(get_from_kata_deps ".externals.ovmf.cca.url")
 	[[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.cca.version")
@@ -53,15 +54,16 @@ elif [[ "${ovmf_build}" == "cca" ]]; then
 	[[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.cca.package_output_dir")
 fi
 
-[ -n "$ovmf_version" ] || die "failed to get ovmf package or commit"
-[ -n "$ovmf_package" ] || die "failed to get ovmf package or commit"
-[ -n "$package_output_dir" ] || die "failed to get ovmf package or commit"
+[[ -n "${ovmf_version}" ]] || die "failed to get ovmf package or commit"
+[[ -n "${ovmf_package}" ]] || die "failed to get ovmf package or commit"
+[[ -n "${package_output_dir}" ]] || die "failed to get ovmf package or commit"
 
-docker pull ${container_image} || \
+docker pull "${container_image}" || \
 	(docker build -t "${container_image}" "${script_dir}" && \
 	# No-op unless PUSH_TO_REGISTRY is exported as "yes"
 	push_to_registry "${container_image}")
 
+# shellcheck disable=SC2154
 docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${PWD}" \
 	--env DESTDIR="${DESTDIR}" --env PREFIX="${PREFIX}" \