Comment 10 for bug 1848892

I also blah, blah, blah, upgraded Kubuntu to 19.10 and updated to 5.3.0-19-generic.

System:
    ASUS GL553VE Laptop
    GPT Disk with EFI partition
    No TPM module installed that I can determine

BIOS:
    Latest == 308
    No TPM settings
    Turned off Secure Boot and CSM

GRUB Boot Error:
    error: Unknown TPM error. (multiple)
    error: you need to load the kernel first

FIX:
    Boot a broken system:
        'c' to command line
        grub> rmmod tpm
        'esc'
        Select any boot option to boot normally

    Fix GRUB once booted:
        sudo grub-install --no-uefi-secure-boot /dev/sd<your disk letter>
        reboot

I'm documenting my experience in the following details so that maybe somebody can figure it out and finally fix the effing thing.

Apparently, I had an older kernel {from 19.04?) that would boot even though I had a later kernel installed. I didn't notice the grub failures as I had:
  GRUB_TIMEOUT_STYLE=hidden
  GRUB_TIMEOUT=0
and the system was apparently failing. When I changed:
  #GRUB_TIMEOUT_STYLE=hidden
  GRUB_TIMEOUT=10
I thought I was borked! I rebooted and left it while I did some research. It apparently had time to fall back to the earlier working kernel which surprised me. In the attempt to clean the system, I did a "sudo apt autoremove" which really did bork my system as the fallback kernel was now gone.

I looked all over the intertubes and found little help--even this post, I fiddled with turning on and off the BIOS Fast Boot, CSM, and Secure Boot to no effect.

I guessed on trying to remove the tpm module during the grub boot as above. The grub documentation is VERY POOR at describing how specific modules get loaded. The tpm.mod file has no "insmod" command anywhere on the system. However, the /boot/grub/x86_64-efi/ directory has a moddep.lst file that shows the dependencies between modules and files: tpm <- verifiers <- normal <- many others. Automagically, tpm.mod gets loaded. I suppose I could have set a "rmmod tpm.mod" in a /etc/default/grub.d/40-custom.cfg file, but that didn't seem really elegant.

So, grub is apparently detecting and demanding Secure Boot even though it's off and the installed vmlinuz and initrd files can't get validated. I don't know why the earlier kernel didn't fail. I tried a manual boot with:
  grub> ls
    to get the disks
  grub> set root=(hd0,1)
  grub> linux /boot/vmlinuz-5.3.0-19-generic root=/dev/sda1
    Failed with the "error: Unknown TPM error."
  grub> initrd /boot/initrd.img-5.3.0-19-generic
    Failed with the "error: you need to load the kernel first"
    Of course!!! because "linux" failed to set linux
  grub> boot
    FAIL!
Then, I did:
  grub> rmmod tpm
    Complains with the "error: Unknown TPM error."
    But works because a repeat doesn't produce the error message
  Repeat "linux"
    No error
  Repeat "initrd"
    No error
  grub> boot
    SUCCESS!

Then, I eventually worked my way around to the "grub-install" man pages and saw the "--no-uefi-secure-boot" and "--uefi-secure-boot" switches. What if...YUP! Turning off UEFI Secure Boot for the grub install did it. Why the hell can't grub get it right from the BIOS settings? Why is tpm.mod failing in this odd way? Why did the older kernel work when tpm.mod is loaded and the newer ones did not?

Working for now, but I know any possible automatic grub update with a "grub-install" will bork it in the future.