I just got a new laptop with Secure Boot and was having trouble getting Windows and Fedora installed in a dual-boot configuration. I read a few posts on how to do it by changing the BIOS to Legacy mode, but that didn't seem like much fun. Fedora 30 installed with Secure Boot enabled with no problem, so I knew it was possible.
I started by partitioning the disk with a GPT partition table and the following partitions:
Partition | Mount point / use | Filesystem |
p1 | /boot | ext4 |
p2 | /boot/efi | vfat |
p3 | lvm | |
p4 | Microsoft basic data | |
Initially I didn't partition p4 at all, and got the Windows installer to create that partition later.
I installed Fedora 30 from USB with Secure Boot and EFI enabled. My Lenovo laptop features a Novo button that has to be used to access the boot menu. Everything worked, but I had no boot menu. I entered the BIOS boot menu and booted the Windows USB. After installing Windows I could only switch between Windows and Fedora by pressing the Novo button. This is inconvenient on my laptop, as the Novo button is recessed and requires a pin to press.
To install Grub2 in the EFI with a boot menu, I booted from the Fedora installation media and then mounted /boot and /boot/efi on top of the live filesystem:
# mount /dev/nvme0n1p1 /boot
# mount /dev/nvme0n1p2 /boot/efi
I then installed the grub2-efi-x64-modules rpm and the efibootmgr rpm.
After installing the rpms, I ran grub2-mkconfig to generate a new grub.cfg:
# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
As noted on the Fedora Project Wiki, I did not run grub2-install. Instead, I used efibootmgr to create an entry for grub:
# efibootmgr -c -L GRUB2 -d /dev/nvme0n1 -p 2 -l "\EFI\fedora\grubx64.efi"
I was then able to verify the entry with efibootmgr -v:
BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0005,0003,0000,0001,0006,0004,0002,2001,2002,2003
Boot0000* GRUB2 HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\fedora\grubx64.efi)
Boot0001* Linux HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\fedora\shimx64.efi)
Boot0002* Fedora HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\fedora\shim.efi)RC
Boot0003* Fedora HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\fedora\shimx64.efi)
Boot0004* Linpus lite HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\Boot\grubx64.efi)RC
Boot0006* Windows Boot Manager HD(2,GPT,2a3dbf30-521f-44aa-8f89-2dc2a4cd022d,0xef000,0xee800)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...a................
Boot2001* EFI USB Device RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
Once you are satisfied with your boot options, you can delete entries with "-B -b xxxx" where xxxx is the number you wish to delete.
# efibootmgr -B -b 0005
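An added example, not part of the original post: a shell function that reads efibootmgr -v output and reports BootOrder numbers with no matching entry (such as 0005 in the listing above, which appears in BootOrder without a Boot0005 line) and entries that start grubx64.efi directly instead of shim (such as the GRUB2 entry created above). The function names, the finding labels and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit `efibootmgr -v` text on stdin.
# Prints one finding per line:
#   DANGLING id          BootOrder lists an entry number that does not exist
#   DIRECT-GRUB id path  entry starts grubx64.efi itself instead of shim
audit_boot_entries() {
    awk '
    /^BootOrder:/ { n = split($2, order, ","); next }
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ {
        id = substr($0, 5, 4)
        present[id] = 1
        # The loader path is whatever sits inside File(...), if present.
        if (match($0, /File\([^)]*\)/)) {
            path = substr($0, RSTART + 5, RLENGTH - 6)
            if (tolower(path) ~ /grubx64\.efi$/)
                direct[++d] = "DIRECT-GRUB " id " " path
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(order[i] in present)) print "DANGLING " order[i]
        for (i = 1; i <= d; i++) print direct[i]
    }'
}

# Constructed sample modeled on the listing above (GUID replaced by a placeholder).
sample_efibootmgr_output() {
    cat <<'EOF'
BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0005,0003,0000,0006,2001
Boot0000* GRUB2 HD(2,GPT,GUID-PLACEHOLDER,0xef000,0xee800)/File(\EFI\fedora\grubx64.efi)
Boot0003* Fedora HD(2,GPT,GUID-PLACEHOLDER,0xef000,0xee800)/File(\EFI\fedora\shimx64.efi)
Boot0006* Windows Boot Manager HD(2,GPT,GUID-PLACEHOLDER,0xef000,0xee800)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS
Boot2001* EFI USB Device RC
EOF
}

# Run against the sample; on a real system use: efibootmgr -v | audit_boot_entries
sample_efibootmgr_output | audit_boot_entries
```

An empty result means every BootOrder number has an entry and no entry starts GRUB without going through shim.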
On the first reboot you will need to install the keys for grub into the MOK; this is outlined on this page. In my case I had to use the "hash" option and then import the keys for the \EFI\fedora\grubx64.efi and \EFI\BOOT\BOOTX64.efi. Once the keys are imported, grub should fire right up.
Now when I reboot, Grub2 is displayed before Fedora boots, and I can also select Windows from the Grub2 menu.
This Stack Exchange link was also helpful in figuring this out: https://superuser.com/questions/376470/how-to-reinstall-grub2-efi