Comment 4 for bug 1401532

Mathieu Trudel-Lapierre (cyphermox) wrote :

Indeed, at this moment GRUB is explicitly trying to verify kernels, but will also silently fall back to ignoring failed verification so that users can still boot their systems. Note that this is the case for a few reasons, among which is that ensuring a full trust chain is hard when one also has to load modules that are locally built (we can't ship our signing key on all systems, it would defeat the purpose).

Fixing this is the target of spec foundations-x-installing-unsigned-secureboot.

Some basic considerations:
 - fixing grub to not silently ignore validation results
 - provide some way for users to disable validation in shim (MokSB) when they need to use custom drivers or kernels
 - ship mokutil by default so a tool is there to toggle validation

And as later steps:
 - replace disabling validation (MokSB) with allowing users to enroll their own keys from the installer, where we can helpfully walk them through the key generation and enrollment.

We're probably only looking at toggling validation for 16.04.

The net effect of properly relying on shim's validation of the signatures from grub will be to automatically show a "Booting in insecure mode" message when validation is disabled, but SecureBoot is enabled. If SecureBoot is disabled, validation would succeed anyway for both signed and unsigned kernels.

For more information, I'd refer you to the blueprint or to the source code for shim (https://github.com/rhinstaller/shim), or contact me (cyphermox) on IRC in #ubuntu-installer.
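The three states described in the comment above (firmware SecureBoot off, SecureBoot on with shim validation disabled via MokSB, and fully validated) can be checked from userspace. This is an added example, not code from the bug report, shim or mokutil; it assumes the efivarfs layout (4-byte attribute prefix before the data), the SecureBoot variable under EFI_GLOBAL_VARIABLE, and that shim mirrors the MokSB toggle into the runtime variable MokSBStateRT.

```python
import os
import struct

# Added example, not from the bug comment. Assumptions: efivarfs exposes each
# variable as a file whose first 4 bytes are the attributes (little-endian
# uint32) followed by the data; SecureBoot lives under EFI_GLOBAL_VARIABLE and
# shim mirrors its MokSBState setting into the runtime variable MokSBStateRT.
EFIVARS = "/sys/firmware/efi/efivars"
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOKSBSTATE_VAR = "MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

def efivar_data(blob):
    """Strip the 4-byte attribute prefix; None or a short blob yields no data."""
    if blob is None or len(blob) < 4:
        return b""
    return blob[4:]

def classify(secureboot_blob, moksbstate_blob):
    """Map raw efivarfs contents (None = variable absent) to a boot trust state.

    SecureBoot data byte 1: firmware enforces signatures.
    MokSBStateRT data byte 1: user disabled shim's validation (MokSB via mokutil).
    """
    sb_on = efivar_data(secureboot_blob)[:1] == b"\x01"
    validation_off = efivar_data(moksbstate_blob)[:1] == b"\x01"
    if not sb_on:
        # Firmware not enforcing: signed and unsigned kernels both boot, and
        # the shim/GRUB validation toggle makes no visible difference.
        return "secureboot-disabled"
    if validation_off:
        # SecureBoot on but validation toggled off: shim's "Booting in insecure mode".
        return "insecure-mode"
    return "validated"

def read_var(name):
    """Read one efivarfs file; None when the variable is absent or unreadable."""
    try:
        with open(os.path.join(EFIVARS, name), "rb") as f:
            return f.read()
    except OSError:
        return None

# Constructed sample blobs: attributes 0x06 (BS|RT), then one data byte.
SAMPLE_SB_ON = struct.pack("<I", 0x06) + b"\x01"
SAMPLE_SB_OFF = struct.pack("<I", 0x06) + b"\x00"
SAMPLE_MOK_DISABLED = struct.pack("<I", 0x06) + b"\x01"

if __name__ == "__main__":
    print(classify(read_var(SECUREBOOT_VAR), read_var(MOKSBSTATE_VAR)))
```

Run as root on a UEFI system to see which of the three states the machine is in; the constructed samples exercise the same logic without touching firmware variables.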