> It goes the other way too. An Ubuntu Update could put the Windows bootloader on the deny list.
I don't think this is generally true. Since most computers don't ship with Ubuntu's CA directly trusted, their signed components rely on a chain of trust that goes up through Microsoft's 3rd-party UEFI CA cert to their root. I don't know the specific details of UEFI's implementation, but it seems incredibly unlikely that it'd allow a subordinate CA to sign an update that distrusts components upstream of it.
If an OEM does ship Ubuntu's root, or if a system owner has manually installed it, then sure, but that's not the majority of systems.
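The comment above reasons about who can push a revocation. The mechanism behind that, per the UEFI specification, is that db (allowed signers) and dbx (forbidden signers and image hashes) are authenticated variables: an update to either must itself be signed by a key enrolled in KEK, not by a certificate that merely sits in db. A distro whose shim is signed under Microsoft's 3rd-party UEFI CA therefore holds no key that firmware will accept for a dbx write; the dbx updates Linux distributions ship through fwupd are the UEFI Forum revocation lists, which Microsoft signs. The practical check is to read db and dbx on your own machine and see which signers and hashes are actually present. The following example, added here and not part of the original thread, parses the raw EFI_SIGNATURE_LIST format those variables use; the owner GUID, placeholder certificate bytes and digests are constructed sample data, not real firmware contents.

```python
import hashlib
import struct
import uuid
from typing import List, NamedTuple

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
HEADER = struct.Struct("<16sIII")


class Entry(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # DER certificate for X509 lists, 32-byte digest for SHA256 lists


def parse_signature_lists(blob: bytes) -> List[Entry]:
    """Parse a concatenation of EFI_SIGNATURE_LISTs (the raw db/dbx/KEK payload)."""
    entries: List[Entry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body = blob[off + HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUIDs are stored mixed-endian
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append(Entry(sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(payloads[0])
    if any(len(p) + 16 != sig_size for p in payloads):
        raise ValueError("entries in one list must share a SignatureSize")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ prefix the payload with a 4-byte attributes word."""
    return raw[4:]


def trusted_cert_count(db_blob: bytes) -> int:
    """Number of X.509 signer certificates enrolled in a db payload."""
    return sum(1 for e in parse_signature_lists(db_blob) if e.sig_type == EFI_CERT_X509_GUID)


def is_hash_revoked(dbx_blob: bytes, image_digest: bytes) -> bool:
    """True if the digest appears as an EFI_CERT_SHA256 entry in dbx.

    Firmware compares the Authenticode (PE) digest of the image, not a hash of
    the raw file; the sample below uses constructed digests for illustration.
    """
    return any(e.sig_type == EFI_CERT_SHA256_GUID and e.data == image_digest
               for e in parse_signature_lists(dbx_blob))


# Constructed sample data (assumptions, not real firmware contents).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
FAKE_CERT_DER = b"\x30\x82\x00\x04CERT"  # placeholder bytes, not a parseable certificate
REVOKED_DIGEST = hashlib.sha256(b"constructed revoked bootloader image").digest()
OTHER_DIGEST = hashlib.sha256(b"constructed still-trusted image").digest()

SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_DER])
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_DIGEST])
              + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_DER]))

if __name__ == "__main__":
    for name, blob in (("db", SAMPLE_DB), ("dbx", SAMPLE_DBX)):
        for e in parse_signature_lists(blob):
            kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(e.sig_type, str(e.sig_type))
            print(f"{name}: {kind} owner={e.owner} data={e.data.hex()[:32]}")
    print("revoked:", is_hash_revoked(SAMPLE_DBX, REVOKED_DIGEST))
```

To run this against a real system, read `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the corresponding `dbx-...` file, pass the contents through `strip_efivars_attributes`, and feed the result to `parse_signature_lists`; the X.509 entries you get back are the signers the firmware actually trusts on that machine, which is what decides whether an Ubuntu or Microsoft certificate is in the chain at all.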