Ubuntu Secure Boot Fix

After installing Ubuntu, I had the issue of not being able to boot it with Secure Boot enabled. Here’s how I fixed it.

First, we need to install shim. We’ll use one of Ubuntu’s own packages for this. Run the following commands in order to install shim:

sudo apt update
sudo apt install shim-signed

Shim acts as a bootloader for us and starts GRUB. This way, we can boot Ubuntu with Secure Boot enabled. Normally, this step is sufficient, but it didn’t work for me because my computer didn’t recognize the key. In this case, we’ll replace the EFI files with shim’s dual-signed version by running the following commands.

First, we need to get access to the EFI partition. Let’s find which device it is:

sudo fdisk -l

# Device           Start        End    Sectors  Size Type
# /dev/nvme0n1p1       2048     206847    204800   100M EFI System
# ....

Then mount the EFI partition to the /mnt directory:

sudo mount /dev/nvme0n1p1 /mnt

Before changing anything, let’s back up the files we’re going to replace. The directory names on your system may differ in capitalization, for example boot or Ubuntu. Adjust the paths accordingly.

sudo cp /mnt/EFI/Boot/bootx64.efi /mnt/EFI/Boot/bootx64.bak
sudo cp /mnt/EFI/ubuntu/shimx64.efi /mnt/EFI/ubuntu/shimx64.bak

Now let’s verify that the shimx64.efi.dualsigned file exists and copy it over both EFI files:

ls /usr/lib/shim
sudo cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/EFI/Boot/bootx64.efi
sudo cp /usr/lib/shim/shimx64.efi.dualsigned /mnt/EFI/ubuntu/shimx64.efi

To see how the signatures on the new file differ from those on the backup, we can use the sbverify command:

sbverify --list /mnt/EFI/ubuntu/shimx64.efi
sbverify --list /mnt/EFI/ubuntu/shimx64.bak

Finally, unmount the EFI partition:

sudo umount /mnt

Now you can restart your computer and boot Ubuntu with Secure Boot enabled.
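
The backup-and-replace steps above can also be run as one script that refuses to overwrite an existing backup and checks the copy before you reboot. This is an added example, not part of the original post: the function names replace_shim and restore_shim are hypothetical, and it assumes the EFI partition is already mounted and that sbverify (from the sbsigntool package) is installed.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: the ESP is already mounted (the article uses /mnt) and
# shim-signed has installed the dual-signed binary at the path below.
SHIM=/usr/lib/shim/shimx64.efi.dualsigned

# replace_shim <source .efi> <target .efi on the ESP>
replace_shim() {
    rs_src=$1; rs_dst=$2; rs_bak="${2%.efi}.bak"
    [ -f "$rs_src" ] || { echo "missing source: $rs_src" >&2; return 1; }
    [ -f "$rs_dst" ] || { echo "missing target: $rs_dst (check capitalization)" >&2; return 1; }
    # Keep the first backup only: on a re-run the target is already the
    # replacement, and copying it over the .bak would lose the original.
    if [ ! -e "$rs_bak" ]; then
        cp "$rs_dst" "$rs_bak" || return 1
    fi
    cp "$rs_src" "$rs_dst" || return 1
    # Confirm the file on the ESP is byte-identical to the package file;
    # put the original back if it is not.
    if ! cmp -s "$rs_src" "$rs_dst"; then
        echo "copy mismatch, restoring $rs_bak" >&2
        cp "$rs_bak" "$rs_dst"
        return 1
    fi
}

# restore_shim <target .efi on the ESP>: roll back to the saved original.
restore_shim() {
    rr_bak="${1%.efi}.bak"
    [ -f "$rr_bak" ] || { echo "no backup for $1" >&2; return 1; }
    cp "$rr_bak" "$1"
}

# Run as root with the ESP mount point as the only argument, e.g. /mnt.
if [ -n "${1:-}" ]; then
    replace_shim "$SHIM" "$1/EFI/Boot/bootx64.efi" &&
    replace_shim "$SHIM" "$1/EFI/ubuntu/shimx64.efi" &&
    sbverify --list "$1/EFI/ubuntu/shimx64.efi"
fi
```

If the machine no longer boots afterwards, mount the partition from a live system and call restore_shim on each replaced file to put the originals back.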

I hope this was helpful.

Also, if you’re using GNOME, this extension can make switching between systems easier: Restart To

Source: Based on various Ubuntu community forum threads and personal experimentation.