diff -Nru dkms-2.3/debian/changelog dkms-2.3/debian/changelog
--- dkms-2.3/debian/changelog	2018-04-23 16:10:30.000000000 +0000
+++ dkms-2.3/debian/changelog	2018-04-23 20:42:51.000000000 +0000
@@ -1,3 +1,13 @@
+dkms (2.3-3ubuntu9) bionic; urgency=medium
+
+  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: use find
+    to get all .ko modules from a dkms build to ensure we also catch any .kos
+    that might have been built in subdirectories.
+  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: make sure
+    we only try to enroll a MOK if we've signed modules.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 23 Apr 2018 16:42:51 -0400
+
 dkms (2.3-3ubuntu8) bionic; urgency=medium
 
   * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: handle
diff -Nru dkms-2.3/debian/patches/0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch dkms-2.3/debian/patches/0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch
--- dkms-2.3/debian/patches/0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch	2018-04-23 16:09:49.000000000 +0000
+++ dkms-2.3/debian/patches/0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch	2018-04-23 20:42:51.000000000 +0000
@@ -10,36 +10,44 @@
 not disabling Secure Boot (but then, they will not be able to load the
 dkms drivers that were added).
 ---
- dkms_common.postinst |   12 ++++++++++++
- 1 file changed, 12 insertions(+)
+ dkms_common.postinst |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
 
-Index: dkms-2.3/dkms_common.postinst
+Index: b/dkms_common.postinst
 ===================================================================
---- dkms-2.3.orig/dkms_common.postinst
-+++ dkms-2.3/dkms_common.postinst
-@@ -283,6 +283,17 @@
+--- a/dkms_common.postinst
++++ b/dkms_common.postinst
+@@ -154,6 +154,7 @@ fi
+ 
+ KERNELS=$(ls /lib/modules/ 2>/dev/null || true)
+ CURRENT_KERNEL=$(uname -r)
++SIGNED_MODULES=0
+ 
+ #We never want to keep an older version side by side to prevent conflicts
+ if [ -e "/var/lib/dkms/$NAME/$VERSION" ]; then
+@@ -283,6 +284,15 @@ for KERNEL in $KERNELS; do
          fi
      fi
  
 +    if type update-secureboot-policy >/dev/null 2>&1; then
 +        SHIM_NOTRIGGER=y update-secureboot-policy --new-key
-+        for mod in /var/lib/dkms/$NAME/$VERSION/$KERNEL/$(uname -m)/module/*.ko
-+        do
-+            kmodsign sha512 \
++        find /var/lib/dkms/$NAME/$VERSION/$KERNEL/$(uname -m)/module/ \
++            -name "*.ko" -print0 | xargs -n1 -0 -r kmodsign sha512 \
 +                /var/lib/shim-signed/mok/MOK.priv \
-+                /var/lib/shim-signed/mok/MOK.der \
-+                $mod
-+        done
++                /var/lib/shim-signed/mok/MOK.der
++        SIGNED_MODULES=1
 +    fi
 +
      #if the module is built (either pre-built or just now), install it
      if [ `echo $dkms_status | grep -c ": built"` -eq 1 ] && 
         [ `echo $dkms_status | grep -c ": installed"` -eq 0 ]; then
-@@ -290,3 +301,7 @@
+@@ -290,3 +300,9 @@ for KERNEL in $KERNELS; do
      fi
  done
  
 +if type update-secureboot-policy >/dev/null 2>&1; then
-+    update-secureboot-policy --enroll-key
++    if [ $SIGNED_MODULES -eq 1 ]; then
++        update-secureboot-policy --enroll-key
++    fi
 +fi
 +