Using the permissively-licensed* efilinux bootloader from Intel when UEFI is present.
Not signing Kernel or Kernel modules.
Ubuntu installed from disk will use a MS-issued key just like Fedora.
Pre-installed systems are signed with an Ubuntu-specific key, and the firmware will have the MS key.
What is not at all clear from this is what happens on a user-installed system post-install. There is AFAICT no Ubuntu key in the firmware at this point, so I'm not sure how the system can boot unless they use a key that is chained off the MS master key.
There is also some mention of the user having to add the Ubuntu key manually in order to perform updates, though it's not clear if this is required for all updates or just for updates to the bootloader.
Their solution WRT key management is substantially similar to Fedoras for user-installed systems (the vast majority).
All UEFI systems are stuck with a less capable bootloader.
UEFI systems gain little to no benefit from supporting UEFI since the main attack surface (the kernel) is still exposed.
Seems to be a worst-of-both-worlds approach.
*AFAICT it's an uber-permissive custom license unique to efilinux.