[aftbit]

My approach would be to rename the Grub EFI image to something silly like "HP Windows Recovery", then set Windows to boot first. Someone could smash F11 then select the recovery option to make sure it was really recovery... but the average Keystone Kop at CBP would probably not figure this out. In fact, I think they would just turn the machine on, see it start to boot Windows, shrug, and turn it off again. If they image the machine, they can find that it has Linux with forensics, but I really struggle to imagine anyone caring enough to chase me down after the fact.

I am a US citizen though. The only real goal for me at CBP is to avoid secondary at all. I'm not worried at all about them coming for me after I leave the airport. If that sort of stuff starts to happen... I am screwed anyway. They can find records of everything I've said by just compelling US companies to disclose it to them.