Hrm, that's bad, I thoguht that we had a kind of automatic key enrollment for Nvidia in the past, at least at the beginning of the Secure Boot support. The problem isn't too serious on TW because the TW kernel (i.e. the upstream kernel) still has no strict lockdown. SLE / Leap kernel has a stricter lockdown, so it can be an actual problem. It might be a problem on TW as well once when the upstream accepts the more lockdown. IOW, it's not only about CONFIG_MODULE_SIG. Rather the key point is whether the kernel has a lockdown feature for the unsigned module or not.