From 4f20c9246dd5c231c24b998c0330d77e4bfe5606 Mon Sep 17 00:00:00 2001
From: Michael Chus
Date: Sun, 3 May 2026 20:11:42 +0300
Subject: [PATCH] Make UEFI boot safe and remove GRUB logo
---
 iso/builder/build.sh | 71 ++++++++++++++++++-
 .../config/bootloaders/grub-efi/config.cfg | 2 +-
 .../config/bootloaders/grub-efi/grub.cfg | 4 +-
 .../bootloaders/grub-efi/live-theme/theme.txt | 7 --
 4 files changed, 72 insertions(+), 12 deletions(-)
diff --git a/iso/builder/build.sh b/iso/builder/build.sh
index 6344d2c..600ba83 100755
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -731,12 +731,12 @@ write_canonical_grub_cfg() {
 source /boot/grub/config.cfg
 menuentry "EASY-BEE" {
- linux ${kernel} ${append_live} bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+ linux ${kernel} ${append_live} nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 initrd ${initrd}
 }
 menuentry "EASY-BEE -- load to RAM (toram)" {
- linux ${kernel} ${append_live} toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+ linux ${kernel} ${append_live} toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 initrd ${initrd}
 }
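Review bot: Both rewritten `linux` lines in the heredoc keep `mitigations=off` on the default menu entries, and nothing near them records why the kernel's CPU side-channel mitigations are disabled for every boot of this image. A comment above the heredoc would make that trade-off reviewable, for example `# mitigations=off is deliberate: <reason>; do not reuse this cmdline where untrusted code runs`. The same argument string now exists four times (two entries here and two in config/bootloaders/grub-efi/grub.cfg, which this commit edits identically), so the copies can drift; keeping it in one shell variable such as `bee_kernel_args` and expanding `${bee_kernel_args}` in the heredoc would leave a single place to edit on the build.sh side. write_canonical_grub_cfg begins and ends outside this hunk, so that the heredoc expands variables is inferred from the existing `${kernel}` references.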
@@ -841,6 +841,73 @@ enforce_live_build_bootloader_assets() {
 echo "bootloader sync: WARNING: could not extract live entry from $isolinux_cfg" >&2
 fi
 fi
+
+ sync_efi_grub_theme_assets "$lb_dir"
+}
+
+fat_image_has_file() {
+ img="$1"
+ path="$2"
+ mtype -i "$img" "$path" >/dev/null 2>&1
+}
+
+is_efi_grub_fat_image() {
+ img="$1"
+ fat_image_has_file "$img" "::/EFI/boot/grubx64.efi" || return 1
+ fat_image_has_file "$img" "::/boot/grub/grub.cfg" || return 1
+ return 0
+}
+
+copy_file_to_fat_image() {
+ img="$1"
+ src="$2"
+ dst="$3"
+ mcopy -o -i "$img" "$src" "$dst" >/dev/null
+}
+
+sync_efi_grub_theme_assets() {
+ lb_dir="$1"
+ found=0
+
+ for img in $(find "$lb_dir" -type f \( -name '*.img' -o -name '*.ima' -o -name '*.fat' \) 2>/dev/null); do
+ if ! is_efi_grub_fat_image "$img"; then
+ continue
+ fi
+ found=1
+ echo "bootloader sync: patching EFI GRUB image $img"
+ mmd -i "$img" "::/boot" >/dev/null 2>&1 || true
+ mmd -i "$img" "::/boot/grub" >/dev/null 2>&1 || true
+ mmd -i "$img" "::/boot/grub/live-theme" >/dev/null 2>&1 || true
+
+ copy_file_to_fat_image "$img" "${BUILDER_DIR}/config/bootloaders/grub-efi/config.cfg" "::/boot/grub/config.cfg"
+ copy_file_to_fat_image "$img" "${BUILDER_DIR}/config/bootloaders/grub-efi/theme.cfg" "::/boot/grub/theme.cfg"
+ for asset in "${BUILDER_DIR}"/config/bootloaders/grub-efi/live-theme/*; do
+ [ -f "$asset" ] || continue
+ copy_file_to_fat_image "$img" "$asset" "::/boot/grub/live-theme/"
+ done
+
+ fat_image_has_file "$img" "::/boot/grub/config.cfg" || {
+ echo "ERROR: EFI GRUB image missing /boot/grub/config.cfg after sync: $img" >&2
+ exit 1
+ }
+ fat_image_has_file "$img" "::/boot/grub/theme.cfg" || {
+ echo "ERROR: EFI GRUB image missing /boot/grub/theme.cfg after sync: $img" >&2
+ exit 1
+ }
+ fat_image_has_file "$img" "::/boot/grub/live-theme/theme.txt" || {
+ echo "ERROR: EFI GRUB image missing /boot/grub/live-theme/theme.txt after sync: $img" >&2
+ exit 1
+ }
+ fat_image_has_file "$img" "::/boot/grub/live-theme/bee-logo.tga" || {
+ echo "ERROR: EFI GRUB image missing /boot/grub/live-theme/bee-logo.tga after sync: $img" >&2
+ exit 1
+ }
+ done
+
+ if [ "$found" != "1" ]; then
+ echo "ERROR: no EFI GRUB FAT image found in live-build workdir; cannot sync theme assets" >&2
+ exit 1
+ fi
 }
 copy_memtest_from_deb() {
diff --git a/iso/builder/config/bootloaders/grub-efi/config.cfg b/iso/builder/config/bootloaders/grub-efi/config.cfg
index 26087b3..c48dc1c 100644
--- a/iso/builder/config/bootloaders/grub-efi/config.cfg
+++ b/iso/builder/config/bootloaders/grub-efi/config.cfg
@@ -8,7 +8,7 @@ else
 fi
 if loadfont $font ; then
- set gfxmode=1920x1080,1280x1024,auto
+ set gfxmode=1280x1024,auto
 set gfxpayload=keep
 insmod efi_gop
 insmod efi_uga
diff --git a/iso/builder/config/bootloaders/grub-efi/grub.cfg b/iso/builder/config/bootloaders/grub-efi/grub.cfg
index 780a6b3..ee81913 100644
--- a/iso/builder/config/bootloaders/grub-efi/grub.cfg
+++ b/iso/builder/config/bootloaders/grub-efi/grub.cfg
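Review bot: `copy_file_to_fat_image` does not act on a failed `mcopy`, and the checks after the copies only prove that a path exists in the image, so a copy that fails over an already-present `config.cfg` or `theme.txt` would leave stale boot configuration in place and still pass (unless `set -e` is in effect outside this hunk). Failing at the copy closes that gap: `mcopy -o -i "$img" "$src" "$dst" >/dev/null || { echo "ERROR: mcopy failed: $src -> $img $dst" >&2; exit 1; }`. The `for img in $(find …)` loop in sync_efi_grub_theme_assets also word-splits image paths that contain whitespace and discards find's own errors through `2>/dev/null`; a `find … -exec` form or a `while IFS= read -r img` loop avoids the splitting. The last presence check still requires `bee-logo.tga` although this commit removes the image block from theme.txt, so the build would fail if the now-unreferenced logo file were later deleted.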
@@ -1,12 +1,12 @@
 source /boot/grub/config.cfg
 menuentry "EASY-BEE" {
- linux @KERNEL_LIVE@ @APPEND_LIVE@ bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+ linux @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 initrd @INITRD_LIVE@
 }
 menuentry "EASY-BEE -- load to RAM (toram)" {
- linux @KERNEL_LIVE@ @APPEND_LIVE@ toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+ linux @KERNEL_LIVE@ @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
 initrd @INITRD_LIVE@
 }
diff --git a/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt b/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt
index 704fb09..e77d381 100644
--- a/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt
+++ b/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt
@@ -5,13 +5,6 @@ title-text: ""
 message-font: "Unifont Regular 16"
 terminal-font: "Unifont Regular 16"
-#bee logo - centered, upper third of screen
-+ image {
- top = 4%
- left = 50%-200
- file = "bee-logo.tga"
-}
-
 #help bar at the bottom
 + label {
 top = 100%-50