Comment 9 for bug 1658255

I have reproduced this and can confirm it only affects 4.8 kernels. I have a Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels were enforcing it. Installing and rebooting into the linux-image-generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic) and everything before the kernel thinks secure boot is enabled, but the kernel does not and freely loads unsigned modules.

$ cat /proc/version_signature
Ubuntu 4.4.0-59.80-generic 4.4.35
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 1

$ cat /proc/version_signature
Ubuntu 4.8.0-34.36~16.04.1-generic 4.8.11
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 0