If you want get rid of the message about Insecure Boot you need to enable secure boot.
To do this you need turn on validation in module MOK (Machine Owner Key):
sudo mokutil --enable-validation
You will be asked to enter twice temporary password and than after reboot get a possibility to change validation state.
If validation is enabled than no more message about insecure boot appears.
But remember, you will not be able to run any unsigned drivers: nVidia drivers and VirtualBox will not be working.
To disable validation type:
sudo mokutil --disable-validation
and then reboot.
If you disable validation and have in BIOS Secure Boot switched ON, still you will not be able to boot anything that wasn't signed.
Even though your ubuntu has validation disable but "is seen" by BIOS (UEFI) as signed because of shim-signed package. Shim package while your ubuntu is booting checks what is the MOK state and if validation is disabled shows message "Booting in insecure mode".
This is not a bug, it is a feature.
As Anthony Wong says, when you install a DKMS package you are compiling the package yourself, thus, Canonical cannot sign the module for you.
However, you can definitely use Secure Boot, however this is exactly the use case where Secure Boot is trying to protect you from yourself because it cannot know whether you trust a module or don't.
By default, there is a Platform Key (PK) on your UEFI machine, which is the ultimately trusted Certificate Authority for loading code in your processor.
GRUB, or shim, or other boot mechanisms can be digitally signed by a KEK which is trusted by the root CA (PK), and thus your computer can, without any configuration, boot software like Ubuntu Live USB/DVDs.
On Ubuntu 16.04 the kernel is built with CONFIG_MODULE_SIG_FORCE=1, which means that the kernel will enforce modules to be signed by a trusted key in the platform.
Take into consideration that the UEFI platform by default contains a PK that you do not have any control over, and thus you cannot sign binaries with a key recognized by your own machine.
Some people bash and rant against that, but there is really no better way (from a security standpoint) than it being yourself who enrolls the new key you want.
If your boot system uses shim, you can use something called a Machine Owner's Key database, and enroll your key as a MOK (You can do that with mokutil). If you don't, you can also enroll your key in the UEFI database as a signing key.
After you enroll your key, you can sign your DKMS-built package with your MOK (there should be a perl script at /usr/src/kernels/$(uname -r)/scripts/sign-file
), and after it is signed, you can load it into the kernel.
Granted, someone should make more visual instructions on this, and probably even make a wizard or a better DKMS standard to allow keys to be taken into consideration, but this is what we have as of now.
You can refer to this explanation on how to sign your own kernel modules: https://askubuntu.com/a/768310/12049
Best Answer
I know that Dell ships their Linux systems with a variable set that disables validation: https://bugzilla.redhat.com/show_bug.cgi?id=1544794
The solution is to enable validation in that case. Perhaps this is what you're seeing? Try running: