Ubuntu recently added secure boot to their images, which the Ten64 firmware doesn’t support yet (once we rebase onto the latest U-Boot most of these issues should go away)
The ‘manipulator’ script baremetal-deploy runs replaces the secure boot ‘shim’ loader with plain GRUB as the ‘default’ EFI application, but the kernel upgrade puts the shim loader back. Doh!
The quickest workaround is to use the recovery firmware to move GRUB back into the default boot path:
mount /dev/nvme0n1p15 /mnt
cp /mnt/EFI/ubuntu/grubaa64.efi /mnt/EFI/BOOT/BOOTAA64.EFI
umount /mnt
/sbin/reboot
I’ll have to check if there is a way to prevent Ubuntu from ‘reinstalling’ the secure boot shim, if there is I can simply update the manipulator script to do that.
(edit: looks like removing the shim-signed package will do exactly that)
The other possibility is that we change the boot firmware to search for the ‘plain’ GRUB binary ahead of the default/standard BOOTAA64.EFI.