Since kernel version 4.4.0-20, unsigned kernel modules are not allowed to load when Secure Boot is enabled. If you want to keep Secure Boot enabled, the next logical step is to sign those modules.
So let's try it.
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
# also sign: vboxnetadp vboxnetflt vboxpci
sudo mokutil --import MOK.der
Supply a password for later use after reboot.
Reboot and follow the instructions to enroll the MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
After the reboot, you may also need to run sudo modprobe vboxdrv to load the module.
Please let me know if VirtualBox runs this way on Ubuntu 16.04 (on kernel 4.4.0-21 or higher, I believe).
http://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/
https://github.com/Canonical-kernel/Ubuntu-kernel/blob/master/Documentation/module-signing.txt
http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
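The signing step above, for all four modules, as one script. This is an added example, not part of the original gist: it reuses the single MOK.priv/MOK.der pair for every module (sign-file changes only the module file, so the certificate is enrolled with mokutil once) and confirms each result by checking for the marker that sign-file appends. The function names, the script name sign-vbox.sh and the SIGN_FILE override are assumptions of this example.

```shell
#!/bin/sh
# Added example: sign every VirtualBox module with one MOK key pair.
# Marker that scripts/sign-file appends after the signature
# (28 bytes including its trailing newline).
SIG_MARKER='~Module signature appended~'

# is_signed FILE: succeed if FILE ends with the signature marker.
is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$SIG_MARKER" ]
}

# sign_one KEY CERT FILE: sign FILE in place unless it is already signed.
# SIGN_FILE (hypothetical override) defaults to the path used on this page.
sign_one() {
    signer=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}
    if is_signed "$3"; then
        echo "already signed: $3"
        return 0
    fi
    "$signer" sha256 "$1" "$2" "$3" || return 1
    # Verify the result rather than trusting the exit status alone.
    is_signed "$3" || { echo "signing left no marker: $3" >&2; return 1; }
    echo "signed: $3"
}

# sign_vbox_modules KEY CERT: resolve each module with modinfo and sign it.
# Modules that modinfo cannot find are skipped, not treated as errors.
sign_vbox_modules() {
    rc=0
    for mod in vboxdrv vboxnetadp vboxnetflt vboxpci; do
        path=$(modinfo -n "$mod" 2>/dev/null) || {
            echo "skip (not installed): $mod"
            continue
        }
        sign_one "$1" "$2" "$path" || rc=1
    done
    return $rc
}

# Run as root: sh sign-vbox.sh ./MOK.priv ./MOK.der
if [ "$#" -eq 2 ]; then
    sign_vbox_modules "$1" "$2"
fi
```

The modules have to be signed again whenever they are rebuilt, for example after a kernel or VirtualBox update; the enrolled certificate stays valid.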
A small doubt: when you say "# also sign: vboxnetadp vboxnetflt vboxpci", I understand that line has to be rerun changing the last bit, but do the destination files ./MOK.{priv,der} also have to be renamed and then imported (so the mokutil --import line would be run four times)? I'm confused about whether the sign-file script overwrites those files completely or just appends/modifies them preserving the info added in the previous steps. Thanks!