I have reproduced this and can confirm it only affects 4.8 kernels. I have an Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels were enforcing it. After installing and rebooting into the linux-image-generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic), everything before the kernel thinks secure boot is enabled, but the kernel does not and freely loads unsigned modules.

$ cat /proc/version_signature
Ubuntu 4.4.0-59.80-generic 4.4.35
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 1

$ cat /proc/version_signature
Ubuntu 4.8.0-34.36~16.04.1-generic 4.8.11
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 0

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658255

Title:
  Kernel not enforcing module signatures under SecureBoot

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  $ sudo mokutil --sbstate
  SecureBoot enabled
  $ cat /proc/sys/kernel/moksbstate_disabled
  0
  $ sudo insmod ./hello.ko
  $ echo $?
  0
  $ dmesg | grep Hello
  [00112.530866] Hello, world!
  $ strings /lib/modules/$(uname -r)/kernel/lib/test_module.ko | grep signature
  ~Module signature appended~
  $ strings hello.ko | grep signature
  $ uname -r
  4.8.0-34-generic
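
A check for the mismatch reported above, as an added example that is not part of the original bug report or of the Ubuntu kernel packages: it compares the firmware's view (mokutil --sb-state) with the kernel's view (the kernel.secure_boot sysctl shown in the comment) and looks for the appended-signature marker at the end of a module file. The function names and the --audit switch are hypothetical.

```sh
#!/bin/sh
# Added example: helper names below are hypothetical, not from the bug report.
MAGIC='~Module signature appended~'
# Hex of the marker plus its trailing newline (28 bytes), for a NUL-safe compare.
MAGIC_HEX=$(printf '%s\n' "$MAGIC" | od -An -tx1 | tr -d ' \n')

# Return 0 if the file's last 28 bytes are the appended-signature marker.
# This only shows a signature is attached; the kernel decides if it is valid.
has_appended_signature() {
    [ -r "$1" ] || return 2
    tail_hex=$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$MAGIC_HEX" ]
}

# $1: output of `mokutil --sb-state`; $2: value of `sysctl -n kernel.secure_boot`.
# MISMATCH is the state in this bug: firmware says enabled, kernel flag is not 1.
classify_secure_boot() {
    case "$1" in
        *"SecureBoot enabled"*)
            if [ "$2" = 1 ]; then echo CONSISTENT; else echo MISMATCH; fi ;;
        *) echo DISABLED ;;
    esac
}

# Live check on the running host, followed by a marker check on each module path.
audit_host() {
    fw_state=$(mokutil --sb-state 2>/dev/null)
    kern_flag=$(sysctl -n kernel.secure_boot 2>/dev/null)
    echo "secure boot: $(classify_secure_boot "$fw_state" "$kern_flag")"
    for mod in "$@"; do
        if has_appended_signature "$mod"; then
            echo "$mod: signature marker present"
        else
            echo "$mod: no signature marker"
        fi
    done
}

# Only touch the host when asked to, e.g.: sh check.sh --audit ./hello.ko
if [ "${1:-}" = "--audit" ]; then shift; audit_host "$@"; fi
```

A MISMATCH result together with a loaded module that has no signature marker is the condition this bug describes; on an affected kernel the module load itself will not report an error.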