Arch and Manjaro do not use Secure Boot by default. They don’t have a Arch and/or Manjaro specific signed
For the kernel options: I think you mean (the output is obtained from Arch)
zgrep MSR /proc/config.gz
If they are not enabled for Ubuntu kernel, I think you need to open a launchpad bug report and explain why they are needed (I guess, only the first two are relevant).
If you use custom keys and are blindly signing binaries with them, then you just have a “Signed Boot” and not really a “Secure Boot”. In this case, you can also disable Secure Boot as it doesn’t really add any security.
Ubuntu has its own signed
shim and uses the MokManager (MOK = Machine-owner key). Disabling Secure Boot will be less secure, because
shim, the bootloader and kernel should be correctly signed.
With the MokManager, you can add your own keys and use them to sign additional kernel modules and binaries manually.
I don’t find
intel-undervolt in the Ubuntu repositories. I guess, you are taking it from GitHub and therefore you have to manually sign it.
Even when it is packaged one day, it will probably be part of the universe repo and Ubuntu/Canonical isn’t responsible to sign these binaries (I may be wrong). But I guess it could be automated to generate a new key and enroll it.
I do not use undervolting and my main PC does not have an Intel CPU. I therefore have no experience with it. So I cannot help you further. But as a starting point, have a look at: