Ubuntu 16.04 kernel 4.4.0-21 not loading nvidia/vboxdrv modules anymore (Required key not available)

There is a way to leave secure boot on and use proprietary kernel modules like NVidia or VirtualBox. First download xca app:

sudo apt install xca

Then create new database and generate new key. Next generate CA certificate from that private key. Export private key to PEM format and CA public cert to DER format. Import CA cert to MOK database:

sudo mokutil --import CAcert.cer

Program asks you for password for MOK database. After reboot MOKManager will be executed before GRUB. Select Enroll keys, select cert that you add before and enter password for confirmation. After that your CA cert is added to MOK database. Reboot.

Next find sign-file program in kernel headers scripts directory. For me it is in:

/usr/src/linux-headers-4.4.0-22-lowlatency/scripts/sign-file

Now sign all kernel modules in /lib/modules/4.4.0-22-lowlatency/updates/dkms/. For example:

/usr/src/linux-headers-4.4.0-22-lowlatency/scripts/sign-file sha256 CA.pem CAcert.cer /lib/modules/4.4.0-22-lowlatency/updates/dkms/nvidia_361.ko

After that you will be able to load module without Required key not available error.

After install new kernel or new version of module kernels from dkms directory you must repeat signing procedure.

Links to read to clarify:

https://wiki.ubuntu.com/SecurityTeam/SecureBoot

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html