You use a shim bootloader (or GRUB) signed by Canonical, which optionally loads whichever bootloader you normally use. This gives you no security benefits and only serves as a workaround for secure boot.
Granted, this only works for hardware vendors who work with Canonical (or Red Hat or what have you) and relies on them producing a bootloader that works with the operating system you wish to use. GRUB supports the "chainloader" command, but it's possible that hardware vendors might force Canonical to disable this with their signed binaries.
Canonical has spoken about the possibility of distributing a shim bootloader signed with Microsoft's key, too.
All of these are workarounds that make UEFI security worthless. It's better to be able to turn off security or manually import a key than to use a bootloader that will happily load anything and is signed with the same key that restrictive bootloaders are.