If I have disabled secureboot on my system via update-secureboot-policy due to the presence of dkms modules, but subsequently remove these dkms modules because I decide I don't like not having secureboot, I cannot re-enable SB by running 'update-secureboot-policy --enable'.
I think either the check for /var/lib/dkms should only apply when update-secureboot-policy is called without arguments, or this check should be encoded in the shim-signed postinst so that manual calls from the commandline DWIM.
If I have disabled secureboot on my system via update- secureboot- policy due to the presence of dkms modules, but subsequently remove these dkms modules because I decide I don't like not having secureboot, I cannot re-enable SB by running 'update- secureboot- policy --enable'.
I think either the check for /var/lib/dkms should only apply when update- secureboot- policy is called without arguments, or this check should be encoded in the shim-signed postinst so that manual calls from the commandline DWIM.