diff --git a/pkgs/by-name/bootpart-uefi-x86_64/package.nix b/pkgs/by-name/bootpart-uefi-x86_64/package.nix
index ec700ffd4..cfc8f8771 100644
--- a/pkgs/by-name/bootpart-uefi-x86_64/package.nix
+++ b/pkgs/by-name/bootpart-uefi-x86_64/package.nix
@@ -1,5 +1,25 @@
 { stdenv, syslinux }:
 
+let
+  syslinux' = syslinux.overrideAttrs (upstream: {
+    # XXX: without this `timeout = 50` in syslinux fails to actually auto-boot.
+    # bisected to:
+    #     commit f2389281fb6f47beefa7a147ed94e857501001f8
+    #     Merge: e64186cc27ea dd80ca4d00c6
+    #     Author: Robert Scott <code@humanleg.org.uk>
+    #     Date:   2024-06-03 19:52:30 +0100
+    #
+    #         Merge pull request #316761 from risicle/ris-zerocallusedregs-default
+    #
+    #         stdenv: promote `zerocallusedregs` to `defaultHardeningFlags`
+    #
+    # this continues to be true at least through 2025-08-09.
+    # TODO: upstream
+    hardeningDisable = upstream.hardeningDisable ++ [
+      "zerocallusedregs"
+    ];
+  });
+in
 stdenv.mkDerivation {
   pname = "bootpart-uefi-x86_64";
   version = "1";
@@ -9,7 +29,7 @@ stdenv.mkDerivation {
   installPhase = ''
     # populate the EFI directory with syslinux, and configure it to read the extlinux.conf file managed by nixos.
     mkdir -p $out/EFI/syslinux
-    cp -R ${syslinux}/share/syslinux/efi64/* $out/EFI/syslinux/
+    cp -R ${syslinux'}/share/syslinux/efi64/* $out/EFI/syslinux/
     install -Dm644 ${./EFI/syslinux/syslinux.cfg} $out/EFI/syslinux/syslinux.cfg
 
     # create the EFI/BOOT/BOOTX64.EFI default entry.
@@ -23,7 +43,7 @@ stdenv.mkDerivation {
 
     # we create this "trampoline" layer so that we can setup the UI directive
     # and enable a menu before loading the real, nixos-managed extlinux.conf.
-    install -Dm644 ${syslinux}/share/syslinux/efi64/menu.c32 $out/syslinux/menu.c32
+    install -Dm644 ${syslinux'}/share/syslinux/efi64/menu.c32 $out/syslinux/menu.c32
     install -Dm644 ${./syslinux/syslinux.cfg} $out/syslinux/syslinux.cfg
   '';