The default signed Linux kernel on Ubuntu (>=16.04.x), Fedora and perhaps on other distributions as well, won't load unsigned external kernel modules if Secure Boot is enabled on UEFI systems. Hence, any external kernel modules like the proprietary Nvidia kernel driver, Oracle VM VirtualBox's host/guest kernel driver etc. won't work. External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). This is useful if you can't or don't wish to disable Secure Boot on your UEFI-enabled system. UEFI Secure Boot Sign Tool can be used to sign kernel modules. Essentially, it is a wrapper around the sign-file binary in the kernel sources. The systemd service can be enabled to automatically sign specific kernel modules with user's own once setup is complete.

This is a companion discussion topic for the original entry at