Bah, was missing the linux-signed-generic-hwe-16.04-edge package. Once that was in place, secure boot enforcement works correctly. Not sure if that's the cause of Kees' issue as well.
That said, making it more discoverable that (a) secure boot is not being enforced by the kernel, (b) why it's not being enforced, and (c) shouldn't a boot stack that's enforcing secure boot not permit an unsigned kernel to boot?

-- 
https://bugs.launchpad.net/bugs/1658255

Title:
  Kernel not enforcing module signatures under SecureBoot

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  $ sudo mokutil --sbstate
  SecureBoot enabled
  $ cat /proc/sys/kernel/moksbstate_disabled
  0
  $ sudo insmod ./hello.ko
  $ echo $?
  0
  $ dmesg | grep Hello
  [00112.530866] Hello, world!
  $ strings /lib/modules/$(uname -r)/kernel/lib/test_module.ko | grep signature
  ~Module signature appended~
  $ strings hello.ko | grep signature
  $ uname -r
  4.8.0-34-generic
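The bug description checks for a signature with strings | grep, which matches the marker anywhere in the file. As an added example (not part of the original report or of Ubuntu's tooling), the Python below parses the trailer that the kernel expects at the very end of a signed module. The 12-byte layout follows the upstream struct module_signature as I understand it; the function names and the sample byte strings are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"   # marker at the very end of a signed .ko
TRAILER = struct.Struct(">BBBBB3xI")       # algo, hash, id_type, signer_len,
                                           # key_id_len, 3 pad bytes, be32 sig_len
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 signatures


def parse_module_signature(data: bytes):
    """Return trailer fields if `data` ends in a well-formed signature trailer,
    else None. This checks structure only, not the signature itself or
    whether the signing key is trusted by the running kernel."""
    if not data.endswith(MAGIC):
        return None                        # marker elsewhere in the file does not count
    trailer_end = len(data) - len(MAGIC)
    trailer_start = trailer_end - TRAILER.size
    if trailer_start < 0:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = \
        TRAILER.unpack_from(data, trailer_start)
    if sig_len == 0 or sig_len > trailer_start:
        return None                        # signature cannot be longer than the file
    return {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "payload_len": trailer_start - sig_len,   # bytes of the module proper
    }


def constructed_samples():
    """Constructed byte strings standing in for module files."""
    payload = b"\x7fELF" + b"A" * 32
    signed = payload + b"S" * 16 + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 16) + MAGIC
    decoy = b"\x7fELF" + MAGIC + b"A" * 32  # strings | grep matches, but unsigned
    return {"signed": signed, "unsigned": payload, "decoy": decoy}


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. python3 modsig.py hello.ko
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], parse_module_signature(fh.read()))
    else:
        for name, blob in constructed_samples().items():
            print(name, parse_module_signature(blob))
```

A well-formed trailer only shows that a signature is attached; whether unsigned modules are rejected still depends on the kernel enforcing signatures, which is what this bug is about.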