Comment 10 for bug 1658255

Bah, was missing the linux-signed-generic-hwe-16.04-edge package. Once that was in place, secure boot enforcement works correctly. Not sure if that's the cause of Kees' issue as well.

That said, making it more discoverable that (a) secure boot is not being enforced by the kernel, (b) why it's not being enforced, and (c) shouldn't a boot stack that's enforcing secure boot not permit an unsigned kernel to boot?