NVIDIA proprietary driver does not load when using shimx64 since xenial

I am seeing strange behavior after upgrading my PC from wily to xenial (both Kubuntu flavor). Before and after the upgrade I have two "ubuntu" boot options in my BIOS. Here you can see the values behind each entry under xenial:

stephane@nausicaa:~$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000
Boot0000  ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(EFI\Ubuntu\grubx64.efi)

With wily I had been using shimx64 (first entry) and the NVIDIA proprietary driver without issues. Since the upgrade to xenial, shimx64 (first entry) doesn't load the NVIDIA proprietary driver. I have to use grubx64 instead (second entry).

When I use grubx64 I find the following entries for "nvidia" or "NVRM" in the kernel log:

nvidia: module license 'NVIDIA' taints kernel.
nvidia: module verification failed: signature and/or required key missing - tainting kernel
[drm] Initialized nvidia-drm 0.0.0 20150116 for 0000:01:00.0 on minor 0
NVRM: loading NVIDIA UNIX x86_64 Kernel Module  340.96  Sun Nov  8 22:33:28 PST 2015
nvidia_uvm: Loaded the UVM driver, major device number 245
NVRM: Your system is not currently configured to drive a VGA console
NVRM: on the primary VGA device. The NVIDIA Linux graphics driver
NVRM: requires the use of a text-mode VGA console. Use of other console
NVRM: drivers including, but not limited to, vesafb, may result in
NVRM: corruption and stability problems, and is not supported.

When I use shimx64 there is no entry for "nvidia" or "NVRM" in the kernel log, not even error messages.

I used to believe that shimx64 is just a signed chainloader for grubx64, but from the differences in the kernel log it is obviously not so simple. Does anyone have an explanation for what happens there? Could it have something to do with the digital signature of the drivers?


NVIDIA does not sign its proprietary video driver. The Linux kernel always checks for signatures in kernel modules, even with secure boot disabled. When I use grubx64 I can see this message:

kernel: nvidia: module verification failed: signature and/or required key missing - tainting kernel

This is not an error since secure boot is disabled; the NVIDIA proprietary video driver still works. The funny part is that when I use shimx64 this message does not appear. The NVIDIA driver is skipped by the kernel without any message. I can tell that secure boot is enabled because of this message:

kernel: Secure boot enabled
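
An added example, not part of the original answer: a small shell function that classifies a kernel log using only the three messages quoted on this page, so the two boot paths can be told apart at a glance. The function name, the verdict strings and the two sample logs are constructed for illustration.

```shell
#!/bin/sh
# Classify a kernel log read from stdin using the messages quoted on this page.
# Verdicts (names are hypothetical, chosen for this example):
#   loaded-unsigned           driver loaded, signature check failed, kernel tainted
#   loaded                    driver loaded, no signature complaint in the log
#   skipped-under-secure-boot Secure Boot on and no NVRM load line at all
#   no-evidence               none of the known messages present
diagnose_nvidia_log() {
    log=$(cat)
    sb=no; unsigned=no; loaded=no
    case "$log" in *'Secure boot enabled'*) sb=yes ;; esac
    case "$log" in *'nvidia: module verification failed'*) unsigned=yes ;; esac
    case "$log" in *'NVRM: loading NVIDIA'*) loaded=yes ;; esac

    if [ "$loaded" = yes ] && [ "$unsigned" = yes ]; then
        echo loaded-unsigned
    elif [ "$loaded" = yes ]; then
        echo loaded
    elif [ "$sb" = yes ]; then
        # Matches the silent case described above: no nvidia/NVRM lines,
        # only the Secure Boot banner.
        echo skipped-under-secure-boot
    else
        echo no-evidence
    fi
}

# Constructed sample logs, assembled from the lines quoted on this page.
SAMPLE_GRUB='kernel: nvidia: module license '"'"'NVIDIA'"'"' taints kernel.
kernel: nvidia: module verification failed: signature and/or required key missing - tainting kernel
kernel: NVRM: loading NVIDIA UNIX x86_64 Kernel Module  340.96  Sun Nov  8 22:33:28 PST 2015'
SAMPLE_SHIM='kernel: Secure boot enabled'

printf 'grubx64 entry: %s\n' "$(printf '%s\n' "$SAMPLE_GRUB" | diagnose_nvidia_log)"
printf 'shimx64 entry: %s\n' "$(printf '%s\n' "$SAMPLE_SHIM" | diagnose_nvidia_log)"
```

On a live system the same function can read the real log, for example `dmesg | diagnose_nvidia_log` or `journalctl -k | diagnose_nvidia_log`.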