Hacker News

Pretty much every x86 system with a TPM and UEFI Secure Boot can have the secure boot keys swapped out by the owner.


I recently went to write a kernel module on my Ubuntu system, only to discover the boot loader now defaulted to "secure boot" nonsense and I couldn't insmod a non-signed module.

I tried to simply disable "secure boot" in the BIOS settings and then the boot loader just did absolutely nothing. Hot fucking garbage.

Apparently, if you have "secure boot" available during the install it will use "secure boot" without any way to opt out.


Did you try disabling it in shim-signed instead of the BIOS (method 2 on this page [1])? I'd expect that to be more consistent and/or reliable since BIOS quality can vary a lot from vendor to vendor.

You might also try signing the kernel module yourself (the manual method at the bottom of that page)?

[1] https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS


I don't want to do any of that. I just want to insmod a module like I've been doing since 1995.



