
But does it buy you any real security at that point? If the private key is stored on the file system, a local root exploit can just as easily use the key to sign whatever it wants. I don't even see the benefit or the threat model of secureboot on regular linux distros.



Don’t store the private key on the local filesystem then. Use a USB stick or build and sign the modules on a separate machine. Depending on your threat model, a strong passphrase on the signing key might already go a long way.


I'm not so sure about that. Unless you are using an android/chromeos like system, secureboot alone is quite ineffective to begin with because your filesystem is writable. And keeping the private key elsewhere, while possible in theory, would just add too much friction. For instance, apt install nvidia-xxx won't work.


Sure, security adds friction. Whether the added friction is worth the added security in your case depends on the amount of friction and the amount of security it buys you. The trade-off is likely different for you than it is for a larger org. For example, you (or the admins responsible for your org) could maintain an apt repo with signed nvidia drivers for your org. This would reduce the friction by centralizing the signing process.

I keep my signing key on my machine, but gpg-encrypted bound to a yubikey. Is that frictionless? No, certainly not. Does it provide perfect security? No, certainly not. A dedicated attacker can root my box and wait until I need to sign a module. Does it protect me from loading random kernel modules if I get hit by an automated attack? Most likely. Good enough for what I currently expect as threats.
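The comments above turn on whether the modules actually loaded on a box carry a signature at all. Below is an added example (not code from any commenter) of a defender-side check: it parses the trailer that the kernel's `scripts/sign-file` appends to a `.ko` (`[ELF][PKCS#7 blob][struct module_signature][marker]`, layout as in the kernel's `include/linux/module_signature.h`) and classifies modules as signed, unsigned or malformed using the same sanity checks the kernel applies before it even looks at the PKCS#7 data. The sample module bytes are constructed here for illustration; the directory path in `scan_directory` is whatever you pass in.

```python
"""Inventory Linux kernel modules (.ko) by whether a signature is appended.

Added example, not code from the thread above. It only parses the signature
trailer; it does not cryptographically verify the PKCS#7 blob (the kernel does
that against its trusted keyrings at insmod time).
"""
import struct
from pathlib import Path

# Marker the kernel's sign-file appends after struct module_signature.
MARKER = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # id_type the kernel accepts for module signatures

# struct module_signature (big-endian):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 __pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3sI")


def parse_module_signature(data: bytes):
    """Return trailer fields for a signed module image, or None if it has none
    or the trailer fails the kernel's mod_check_sig() style sanity checks."""
    if not data.endswith(MARKER):
        return None
    body = data[: -len(MARKER)]
    if len(body) < SIG_HDR.size:
        return None
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:]
    )
    modlen = len(body) - SIG_HDR.size  # ELF image plus PKCS#7 blob
    # For PKCS#7 signatures every other field must be zero.
    if id_type != PKEY_ID_PKCS7:
        return None
    if algo or hash_ or signer_len or key_id_len or pad != b"\x00\x00\x00":
        return None
    if sig_len > modlen:  # claimed signature longer than what precedes the header
        return None
    return {
        "module_len": modlen - sig_len,
        "sig_len": sig_len,
        "pkcs7": body[modlen - sig_len : modlen],
    }


def audit_modules(modules: dict) -> dict:
    """Map module name -> 'signed' | 'unsigned' | 'malformed' for in-memory images."""
    result = {}
    for name, data in modules.items():
        if not data.endswith(MARKER):
            result[name] = "unsigned"
        elif parse_module_signature(data) is None:
            result[name] = "malformed"
        else:
            result[name] = "signed"
    return result


def scan_directory(path) -> dict:
    """Audit every plain .ko under `path` (e.g. /lib/modules/$(uname -r)).
    Compressed modules (.ko.xz, .ko.zst) carry the trailer inside the
    compressed payload and would need decompressing first; they are skipped here."""
    modules = {str(p): p.read_bytes() for p in Path(path).rglob("*.ko")}
    return audit_modules(modules)


def build_sample_module(signed: bool, sig_len: int = 16) -> bytes:
    """Constructed stand-in for a .ko: the parser only inspects the trailer,
    so a minimal ELF-looking prefix is enough for demonstration."""
    image = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return image
    fake_pkcs7 = b"\x30" + bytes(sig_len - 1)  # placeholder, not a real PKCS#7 blob
    header = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\x00\x00\x00", sig_len)
    return image + fake_pkcs7 + header + MARKER


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in sorted(scan_directory(target).items()):
        print(f"{status:10} {name}")
```

Run it against a modules directory to get a quick list of anything that would be refused (or, with lockdown off, loaded unsigned) on a Secure Boot machine; a "malformed" result on a vendor module is worth a closer look, since the marker is present but the trailer is not what the kernel expects.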


Yeah, sounds like it's possible but an unreasonably high burden (imo).




