Just add a precision, only if Secure boot enabled

Hi Adrien,
Do you have an efi entry for Ubuntu? i.e., what is the output of 
# efibootmgr

If you are booting Ubuntu from Fedora and using Fedora's grub, it does not trust Ubuntu kernels, which is the message that you're seeing. But you should have the Ubuntu boot loaders still installed in /boot/efi/EFI/ubuntu and there should be a grub.cfg there as well. Creating an efi entry for it, if it doesn't exist, will allow you to boot Ubuntu also with Secure Boot enabled. I can tell you how to do that, but it should already be there...

I am answering here, I can reproduce that easily:

So when booted into Fedora:

[tester@ibm-p8-kvm-03-guest-02 ~]$ efibootmgr 
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0002,0000,0003,0004,0005,0006
Boot0000* UiApp	FvVol(7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1)/FvFile(462caa21-7614-4503-836e-8ab6f4662331)
Boot0001* Fedora	HD(15,GPT,96a2176c-568d-44c3-bf1c-cef88210e921,0x2000,0x3e000)/\EFI\fedora\shimx64.efi
Boot0002* UEFI Misc Device	PciRoot(0x0)/Pci(0x2,0x4)/Pci(0x0,0x0){auto_created_boot_option}
Boot0003* UEFI PXEv4 (MAC:525400123456)	PciRoot(0x0)/Pci(0x16,0x0)/MAC(525400123456,1)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0){auto_created_boot_option}
Boot0004* UEFI PXEv6 (MAC:525400123456)	PciRoot(0x0)/Pci(0x16,0x0)/MAC(525400123456,1)/IPv6([::],0,Static,[::],[::],64){auto_created_boot_option}
Boot0005* UEFI HTTPv4 (MAC:525400123456)	PciRoot(0x0)/Pci(0x16,0x0)/MAC(525400123456,1)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)/Uri(){auto_created_boot_option}
Boot0006* UEFI HTTPv6 (MAC:525400123456)	PciRoot(0x0)/Pci(0x16,0x0)/MAC(525400123456,1)/IPv6([::],0,Static,[::],[::],64)/Uri(){auto_created_boot_option}

efibootmgr does not show the other OS entry (here I am testing against debian)

And yes, there is efi entry for debian in my case:

[tester@ibm-p8-kvm-03-guest-02 ~]$ sudo ls  /boot/efi/EFI/debian/
BOOTX64.CSV  fbx64.efi	grub.cfg  grubx64.efi  mmx64.efi  shimx64.efi
[tester@ibm-p8-kvm-03-guest-02 ~]$ sudo cat /boot/efi/EFI/debian/grub.cfg
search.fs_uuid 4c49db7c-dc87-4c8b-b8b2-41e03234a0aa root 
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg

Let me know how I can assist you with further debugging.

Secure boot is doing what it's supposed to: shim is loading the grub in its directory, and since it's fedora's grub, it doesn't trust ubuntu kernels. Since ubuntu was already installed on your machine (is this a VM or actual hardware? if a VM, which application do you use?) then there *should* be an efi entry for it, and if you set it to boot next:
# efibootmgr -n 000#
then ubuntu should boot with secure boot enabled.

What Katerina is observing (on a VM) is that the existing ubuntu entry disappears after the fedora installation, and it needs to be recreated... and I wonder whose fault that is exactly... I don't think it's anaconda's. Their efi entry creation looks ok to me. So it could be VMM or ... well, more info would help.

Writing some more observations:

Trying to select the OSes from the main menu fails consistently with: bad shim signature, you need to load the kernel first
Trying to select the OSes from the UEFI firmware settings -> Boot Manager -> selecting the OS in Boot manager Menu -> selecting the OS from the main menu always works

So I assume there is something wrong with Fedora's main grub configuration: /boot/grub2/grub.cfg

Attaching the files for the bootloader team to check:

/boot/grub2/grub.cfg
/boot/efi/EFI/fedora/grub.cfg
/boot/efi/EFI/ubuntu/grub.cfg

Created attachment 2057776 [details]
/boot/grub2/grub.cfg

Created attachment 2057777 [details]
/boot/efi/EFI/fedora/grub.cfg

Created attachment 2057778 [details]
/boot/efi/EFI/ubuntu/grub.cfg

Created attachment 2057779 [details]
blkid output

efibootmgr displays the boot options that are available in UEFI. These are UEFI boot variables that you can also set with efibootmgr. Please notice that the fedora entry looks like:

Boot0001* Fedora	HD(15,GPT,96a2176c-568d-44c3-bf1c-cef88210e921,0x2000,0x3e000)/\EFI\fedora\shimx64.efi

so that when you choose to boot from that option (either by typing `efibootmgr -n 0001`-- which is BootNext-- or by setting it in the BootOrder: 0001,0002,0000,0003,0004,0005,0006) it uses that path (/dev/vda15 = EFI system partition aka /boot/efi) \EFI\fedora\shimx64.efi as its first stage boot loader. That is the fedora shim, which simply looks for the grub that is in the same directory-- fedora grub-- and loads that. Fedora grub only trusts fedora kernels.

Now if you already have or you create an entry for ubuntu, it will look something like:

Boot0002* Ubuntu	HD(15,GPT,96a2176c-568d-44c3-bf1c-cef88210e921,0x2000,0x3e000)/File(\EFI\ubuntu\shimx64.efi)

which is the ubuntu shim (\boot\efi\EFI\ubuntu\shimx64.efi), and which will load the grub in its directory-- ubuntu grub-- that only trusts ubuntu kernels.

The menu with the black background is the grub menu, generated by /boot/grub2/grub.cfg and which includes both fedora and ubuntu kernels. Since you've already booted to grub at that point, which kernels will boot with Secure Boot enabled depends on the grub path you took to get there. If you booted using fedora shim -> fedora grub, then you'll only be able to boot securely to fedora.

what this probably needs is for whatever generates the boot menu at Fedora level to be SB-aware and not include entries for non-bootable OSes, if SB is enabled. I believe that's os-prober.

This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.