GRUB/UEFI problem after a windows update did something

Suddenly the following problem has arisen: When I start or restart my PC I immediately get a blue screen which says:

Verification failed: (15) Access Denied
I press return to enter “OK” and get another blue screen called “Shim UEFI key management”.
I am given 3 options: Continue boot; Enroll key from disk; Enroll hash from disk
If I select enroll key/hash I get a long list - I’ve tried selecting some of them but the key cannot be found [message: Only DER encoded certificate (*.cer/der/crt) is supported].
If I select continue boot (after 2 attempts) I boot directly into Windows 8.1 (64-bit) despite my system being dual-boot with openSUSE-13.2-x86_64 (and working with both Linux and Windows perfectly well until something, probably on Windows, made problematic changes). Every time I boot or reboot I have to go through this same sequence with blue screens and can then only boot Windows 8.1.

Possiblly important additional info:

  1. I have been invited to upgrade to Windows 10 but have not done so yet - I’m “hiding” the 8.1-> 10 upgrade option in Windows Updater, but maybe this W10 update has already done something to my system?

  2. Just before this problem appeared the HP Support Assistant updated “HP PC Hardware Diagnostics UEFI” to version 5.8.2.0

  3. Also just before this problem Windows updates KB3075853 and KB2976978 were installed - searching for info on these I see that they have something to do with preparing a W8.1 system for the upgrade to W10 - maybe they have changed something and upset or deleted GRUB?

My dual boot system operates in UEFI mode and I assume I have the latest version of GRUB.

I have the openSUSE-13.2 installation DVD. Please can someone say if/how I can use this to repair GRUB, assuming the problem is GRUB-related.

Many thanks.

Turn off secure boot. There was a bug in the last update.

IMO secure boot is a placebo since anyone that can change anything in the boot stack owns the machine already.

Hi
You need to select enrol key from disk and then enter the root password and you should be good to go.

Hi
I thought this was related to Tumbleweed, not 13.2? Anyway, to enrol the key you need the root password. Windows just asks for a few numbers and press enter.

Step 1: Disable secure-boot in your firmware (or BIOS)
Step 2: Boot into your system. It should now work.
Step 3: Run Yast online updates.

There was a bad update to grub2-efi last week. You appear to have installed that update, but not rebooted until now. Unfortunately, you failed to do another update, which would have fixed the problem.

After running updates, you should be able to turn secure-boot back on.

I’m pretty sure he is seeing the bad update to grub2-efi. Another update will fix it. But he needs to turn off secure-boot to get into the system and do that update.

Many thanks for all replies. I turned off secure boot in the BIOS, booted into openSUSE-13.2, updated grub2 and all seems to be fine now. I have re-enabled secure boot which I assume is the best thing to do.

. . . And I was thinking Windows updates were the culprit! Just goes to show that openSUSE can sometimes (but very rarely) be the villain. . .

Anyone can make an occasional mistake.

On the positive side, they were quick to pull that bad update, once it was reported. Unfortunately, you updated before it was pulled.

In any case, all’s well that ends well.