Comment 20 for bug 694328

true secure boot (as matthew garret wants ubuntu to do for example) means that only modules that were signed by the same key the kernel was signed with at build time (i.e. the ubuntu archive key) can actually be loaded at all ... so this excludes nvidia and friends who deliver a binary blob.