Fix SBC overlay upgrade: preserve GRUB, enable PCIe Gen 3

The v8 overlay patch deleted /boot/EFI/ to clean up stale firmware,
but this also removed GRUB's BOOTAA64.EFI, bricking the node.

Fix: keep SBC layout detection (write to /boot/ not /boot/EFI/) but
remove the os.RemoveAll that destroyed GRUB. Stale firmware files in
/boot/EFI/ are harmless.

Re-enable PCIe Gen 3 (dtparam=pciex1_gen=3) and full configTxt mode,
now that the overlay installer correctly writes to the EFI partition
root on SBC layouts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Makefile

@@ -57,7 +57,7 @@ ATTESTATION_ARGS = --provenance=mode=max --sbom=true
 IMAGER_COMMON_FLAGS = \
 	--overlay-name="rpi5" \
 	--overlay-image="$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG)" \
-	--overlay-option="configTxtAppend=$$(cat $(PWD)/config/config.txt.append)" \
+	--overlay-option="configTxt=$$(cat $(PWD)/config/config.txt)" \
 	$(EXTENSION_FLAGS)
 
 #
@@ -124,7 +124,8 @@ patches-overlay:
 		else \
 			echo "Overlay Go $$GO_VER — skipping Go toolchain patch (CVEs fixed upstream)"; \
 		fi && \
-		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0002-"*.patch
+		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0002-"*.patch && \
+		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0003-"*.patch
 
 patches: patches-pkgs patches-talos patches-overlay
 

config/config.txt

@@ -0,0 +1,30 @@
+# See https://www.raspberrypi.com/documentation/computers/configuration.html
+# Reduce GPU memory to give more to CPU.
+gpu_mem=32
+# Enable maximum compatibility on both HDMI ports;
+# only the one closest to the power/USB-C port will work in practice.
+hdmi_safe:0=1
+hdmi_safe:1=1
+# Load U-Boot.
+kernel=u-boot.bin
+# Forces the kernel loading system to assume a 64-bit kernel.
+arm_64bit=1
+# Run as fast as firmware / board allows.
+arm_boost=1
+# Enable the primary/console UART (globally).
+enable_uart=1
+# Disable UART on Pi5 to avoid U-Boot compatibility issue.
+# The debug UART (ttyAMA10) is always active regardless of this setting.
+[pi5]
+enable_uart=0
+# Enable PCIe Gen 3 for NVMe (~800 MB/s vs ~400 MB/s Gen 2)
+dtparam=pciex1_gen=3
+[all]
+# Disable Bluetooth.
+dtoverlay=disable-bt
+# Disable Wireless Lan.
+dtoverlay=disable-wifi
+# CM5 Overclock — 2.6GHz stable on Compute Blade with heatsink
+arm_freq=2600
+over_voltage_delta=50000
+arm_boost=1

patches/talos-rpi5/sbc-raspberrypi5/0003-Fix-SBC-overlay-upgrade-detect-EFI-mount-path-for-SB.patch

@@ -1,4 +1,4 @@
-From 113b5acba0bfc2fcc4f7494f88b0b9601bdbd4c2 Mon Sep 17 00:00:00 2001
+From 85585f84af18e1cba6080e95490b275e69d0309e Mon Sep 17 00:00:00 2001
 From: Mathias Beaulieu-Duncan <mathias@openharbor.io>
 Date: Mon, 16 Feb 2026 19:07:45 -0500
 Subject: [PATCH] Fix SBC overlay upgrade: detect EFI mount path for SBC
@@ -15,17 +15,16 @@ to end up in the wrong subdirectory — invisible to the firmware.
 
 Detect the SBC layout by checking if config.txt already exists at
 /boot/ (indicating EFI is mounted there), and write files to the
-correct location. Also clean up any stale /boot/EFI/ directory
+correct location.
-from previous incorrect upgrades.
 ---
- installers/rpi5/src/main.go | 22 +++++++++++++++++-----
+ installers/rpi5/src/main.go | 18 +++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
+ 1 file changed, 13 insertions(+), 5 deletions(-)
 
 diff --git a/installers/rpi5/src/main.go b/installers/rpi5/src/main.go
-index fed3819..862d72e 100644
+index fed3819..4bf8c38 100644
 --- a/installers/rpi5/src/main.go
 +++ b/installers/rpi5/src/main.go
-@@ -42,13 +42,25 @@ func (i *RpiInstaller) GetOptions(extra rpiOptions) (overlay.Options, error) {
+@@ -42,13 +42,21 @@ func (i *RpiInstaller) GetOptions(extra rpiOptions) (overlay.Options, error) {
  }
  
  func (i *RpiInstaller) Install(options overlay.InstallOptions[rpiOptions]) error {
@@ -39,10 +38,6 @@ index fed3819..862d72e 100644
 +	if _, err := os.Stat(filepath.Join(options.MountPrefix, "/boot/config.txt")); err == nil {
 +		// config.txt exists at /boot — EFI partition is mounted at /boot (SBC layout).
 +		efiDir = filepath.Join(options.MountPrefix, "/boot")
-+
-+		// Clean up stale /boot/EFI/ directory from previous upgrades that
-+		// wrote to the wrong path.
-+		os.RemoveAll(filepath.Join(options.MountPrefix, "/boot/EFI"))
 +	}
 +
 +	if err := copy.Dir(filepath.Join(options.ArtifactsPath, "arm64/firmware/boot"), efiDir); err != nil {
@@ -55,7 +50,7 @@ index fed3819..862d72e 100644
  		return err
  	}
  
-@@ -58,5 +70,5 @@ func (i *RpiInstaller) Install(options overlay.InstallOptions[rpiOptions]) error
+@@ -58,5 +66,5 @@ func (i *RpiInstaller) Install(options overlay.InstallOptions[rpiOptions]) error
  
  	configTxt = append(configTxt, []byte("\n"+options.ExtraOptions.ConfigTxtAppend)...)