Ubuntu – Why disabling “Secure Boot” is enforced policy when installing 3rd party modules

16.04 kernel secure-boot uefi

When installing 16.04, I was asked to turn off "Secure Boot" if I wanted to install 3rd party modules/drivers.

I did not comply.

And when I manually installed the only 3rd party driver I use (bcmwl-kernel-source), I was asked again (during the installation of the package) to turn off "Secure Boot".

Using bcmwl-kernel-source was perfectly fine with Secure Boot in 15.10. This does not seem to be related to a bug to me.

So this does look like Ubuntu refuses to sign the 3rd party drivers/modules anymore to make them work (??) with "Secure Boot". Or it seems to consider 3rd party modules as insecure and as breaking "Secure Boot", hence forcing you to disable it to make that clear?? Am I right?

Best Answer

This is not a bug, it is a feature.

As Anthony Wong says, when you install a DKMS package you are compiling the package yourself, and thus Canonical cannot sign the module for you.

However, you can definitely use Secure Boot; this is exactly the use case where Secure Boot is trying to protect you from yourself, because it cannot know whether you trust a module or not.

By default, there is a Platform Key (PK) on your UEFI machine, which is the ultimately trusted Certificate Authority for loading code in your processor.

GRUB, or shim, or other boot mechanisms can be digitally signed by a KEK which is trusted by the root CA (PK), and thus your computer can, without any configuration, boot software like Ubuntu Live USB/DVDs.

On Ubuntu 16.04 the kernel is built with CONFIG_MODULE_SIG_FORCE=1, which means that the kernel will require modules to be signed by a key trusted by the platform. Take into consideration that the UEFI platform by default contains a PK that you do not have any control over, and thus you cannot sign binaries with a key recognized by your own machine.

Some people bash and rant against that, but there is really no better way (from a security standpoint) than it being yourself who enrolls the new key you want.

If your boot system uses shim, you can use something called a Machine Owner's Key database, and enroll your key as a MOK (You can do that with mokutil). If you don't, you can also enroll your key in the UEFI database as a signing key.

After you enroll your key, you can sign your DKMS-built package with your MOK (there should be a perl script at /usr/src/kernels/$(uname -r)/scripts/sign-file), and after it is signed, you can load it into the kernel.

Granted, someone should make more visual instructions on this, and probably even make a wizard or a better DKMS standard to allow keys to be taken into consideration, but this is what we have as of now.

You can refer to this explanation on how to sign your own kernel modules: https://askubuntu.com/a/768310/12049
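The procedure the answer describes (generate a key, enrol it as a MOK through shim, sign the DKMS-built modules with sign-file), as an added shell example that is not part of the original answer or of Ubuntu's own tooling. It assumes an Ubuntu 16.04 host where the headers package ships sign-file under /usr/src/linux-headers-$(uname -r)/scripts (the /usr/src/kernels path quoted above is where other distributions put it), where DKMS installs its output under /lib/modules/$(uname -r)/updates/dkms, and it keeps the key under /var/lib/shim-signed/mok; all three locations are assumptions and can be overridden through the variables at the top. The trailer check relies on the fact that sign-file appends the literal string "~Module signature appended~" plus a newline after the signature.

```shell
#!/bin/sh
# Added example, not from the original post: enrol a Machine Owner Key (MOK)
# through shim and sign DKMS-built modules with it, so they load under
# CONFIG_MODULE_SIG_FORCE without disabling Secure Boot.
# Assumed locations (Ubuntu 16.04 host); override via the environment.
MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}"
DKMS_MODULES="${DKMS_MODULES:-/lib/modules/$(uname -r)/updates/dkms}"
MOK_SIG_MAGIC='~Module signature appended~'   # trailer sign-file appends, followed by "\n"

# 1. Generate a self-signed X.509 key pair: PEM private key for signing,
#    DER certificate for enrolment. The private key stays root-only.
mok_create() {
    umask 077
    mkdir -p "$MOK_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 -sha256 \
        -subj "/CN=Local DKMS module signing key/" \
        -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
}

# 2. Queue the certificate for enrolment. mokutil asks for a one-time
#    password; MokManager prompts for it at the next boot and only then adds
#    the key to the MOK list, so a reboot is required after this step.
mok_enroll() {
    mokutil --import "$MOK_DIR/MOK.der"
}

# Hex-dump helper so the trailer comparison is byte-exact and POSIX-portable.
_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Returns 0 when FILE ends with the kernel's 28-byte signature trailer, 1 otherwise.
module_is_signed() {
    have=$(tail -c 28 "$1" | _hex)
    want=$(printf '%s\n' "$MOK_SIG_MAGIC" | _hex)
    [ "$have" = "$want" ]
}

# 3. Sign one .ko in place. sign-file appends the PKCS#7 signature plus the
#    trailer; signing twice just stacks signatures, so skip signed files.
module_sign() {
    if module_is_signed "$1"; then
        echo "already signed: $1"
        return 0
    fi
    "$SIGN_FILE" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$1"
}

# 4. Sign every DKMS-built module for the running kernel. Re-run after each
#    DKMS rebuild (new kernel or new driver version): DKMS produces fresh,
#    unsigned binaries every time.
mok_sign_dkms_modules() {
    [ -x "$SIGN_FILE" ] || { echo "sign-file not found at $SIGN_FILE" >&2; return 1; }
    [ -r "$MOK_DIR/MOK.priv" ] || { echo "no MOK in $MOK_DIR; run mok_create first" >&2; return 1; }
    find "$DKMS_MODULES" -name '*.ko' -print | while IFS= read -r ko; do
        module_sign "$ko"
    done
}

# Full procedure when run as a script (only functions are defined otherwise):
#   MOK_RUN=1 sh mok-sign.sh   -> create the key and queue enrolment, then reboot
#   MOK_RUN=2 sh mok-sign.sh   -> after the reboot, sign the DKMS modules
case "${MOK_RUN:-0}" in
    1) mok_create && mok_enroll ;;
    2) mok_sign_dkms_modules && depmod -a ;;
esac
```

After the reboot, `mokutil --list-enrolled` should show the new certificate, `modinfo -F sig_key wl.ko` should print the key identifier of a signed module, and `modprobe` of an unsigned one under an enforcing kernel fails with "module verification failed: signature and/or required key missing" in dmesg. Note that enrolling a MOK widens what the machine trusts to anything signed with that private key, which is why the key is created with a restrictive umask and kept off the boot partition.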