So, my question is in title. I know I can parse nvram variables, but didn't find, where enable flag is stored. If there is any another way, I'll glad to know, how to resolve my problem.
UEFI SecureBoot has an indicator variable called "SecureBoot" of EfiGlobalVariable GUID. It has a value of 0x01 (UINT8) iff SecureBoot is enabled.
You should also check "SetupMode" variable of the same GUID to have a value of 0x00 (UINT8), this indicates that PK, KEK and db are indeed ready and can't be replaced without authentication.