You can also enroll your MOK (Machine-Owner-Key) to UEFI and then sign the nvidia driver with it.
That way, you can leave Secure Boot enabled. However, leaving the secret part of MOK on the machine and let the dkms or whatever updater of kernel modules to use it unattended kind of defeats the purpose.
No, last time I used it, it was object file and source for a shim. You had to build the shim for your specific kernel and link together with the supplied object file. The result is kernel module, that is unsigned because it is you who built it.
That way, you can leave Secure Boot enabled. However, leaving the secret part of MOK on the machine and let the dkms or whatever updater of kernel modules to use it unattended kind of defeats the purpose.