Code review comment for ~juliank/grub/+git/ubuntu:juliank/check-signed-kernels

should actually check both /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c != 0 && /sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 != 1. mokutil unhelpfully gives no information about the latter, so you'll need to directly read the files. See /usr/sbin/update-secureboot-policy for examples.

*Ideally*, we would verify that the kernel is not just signed, but signed with a key that's trusted by the firmware (so: found in db, or in MokListRT). Requires a bit more code, but I believe it's warranted.