Use pure Nix environment for reproducible kernel builds

Ensure only Nix-provided tools are used during reproducible builds,
preventing system package leakage that could affect reproducibility.

Changes:
- Add --ignore-environment to nix develop for pure shell
- Keep essential env vars: HOME, USER, TERM
- Explicitly set CC=gcc to use Nix's GCC in all scenarios
- Detect host architecture to avoid cross-compiler on native builds
- Add LOCALVERSION= to prevent '+' suffix in version string
- Add shell utilities to flake.nix (getopt, coreutils, rsync, etc.)
- Print SHA256 checksum of vmlinux for verification

This ensures cross-compiled and native builds use the correct compiler
identification strings for reproducibility.

Author: Naman Jain

Microsoft/build-hcl-kernel.sh

@@ -70,18 +70,46 @@ if test -z "$arch"; then
 	arch=("x64")
 fi
 
+# Detect host architecture
+HOST_ARCH="$(uname -m)"
+
 objcopy=("objcopy")
-makeargs=("ARCH=x86_64")
+if [ -n "$REPRODUCIBLE_BUILD" ]; then
+	# For reproducible builds, explicitly set CC to use Nix's gcc
+	makeargs=("ARCH=x86_64" "CC=gcc")
+else
+	makeargs=("ARCH=x86_64")
+fi
 targets=("vmlinux modules")
 if [ "$arch" = "arm64" ]; then
-	# Use Nix cross-compiler prefix for reproducible builds, system prefix otherwise
-	if [ -n "$REPRODUCIBLE_BUILD" ]; then
+	# Only use cross-compiler when cross-compiling (host != target)
+	if [ "$HOST_ARCH" = "aarch64" ]; then
+		# Native arm64 build - no cross-compile prefix needed
+		cross_prefix=""
+	elif [ -n "$REPRODUCIBLE_BUILD" ]; then
+		# Cross-compiling from x86_64 with Nix toolchain
 		cross_prefix="aarch64-unknown-linux-gnu-"
 	else
+		# Cross-compiling from x86_64 with system toolchain
 		cross_prefix="aarch64-linux-gnu-"
 	fi
-	objcopy=("${cross_prefix}objcopy")
-	makeargs=("ARCH=arm64" "CROSS_COMPILE=${cross_prefix}")
+
+	if [ -n "$cross_prefix" ]; then
+		objcopy=("${cross_prefix}objcopy")
+		# For reproducible builds, explicitly set CC to use the Nix cross-compiler
+		if [ -n "$REPRODUCIBLE_BUILD" ]; then
+			makeargs=("ARCH=arm64" "CROSS_COMPILE=${cross_prefix}" "CC=${cross_prefix}gcc")
+		else
+			makeargs=("ARCH=arm64" "CROSS_COMPILE=${cross_prefix}")
+		fi
+	else
+		# For native builds, explicitly set CC to ensure we use Nix's gcc in reproducible mode
+		if [ -n "$REPRODUCIBLE_BUILD" ]; then
+			makeargs=("ARCH=arm64" "CC=gcc")
+		else
+			makeargs=("ARCH=arm64")
+		fi
+	fi
 	targets=("vmlinux Image modules")
 fi
 
@@ -94,6 +122,8 @@ SRC_DIR=`realpath ${SCRIPT_DIR}/..`
 if [ -n "$REPRODUCIBLE_BUILD" ]; then
 	makeargs+=("KBUILD_BUILD_ID=none")
 	makeargs+=("KCFLAGS=-fdebug-prefix-map=$SRC_DIR=.")
+	# Prevent + suffix from being added to version string
+	makeargs+=("LOCALVERSION=")
 fi
 
 build_kernel() {

Microsoft/nix-build.sh

@@ -21,7 +21,14 @@ if [ -z "${IN_NIX_SHELL:-}" ]; then
     fi
 
     # Re-execute this script inside nix develop with experimental features enabled
-    exec nix --extra-experimental-features "nix-command flakes" develop --command "$0" "$@"
+    # Use --ignore-environment (-i) to create a pure shell that excludes system packages
+    # Keep essential variables: HOME (for temp files), USER (for build metadata), TERM (for output)
+    exec nix --extra-experimental-features "nix-command flakes" develop \
+        --ignore-environment \
+        --keep-env-var HOME \
+        --keep-env-var USER \
+        --keep-env-var TERM \
+        --command "$0" "$@"
 fi
 
 # Script directory
@@ -120,6 +127,13 @@ main() {
 
     log_info "Build completed successfully!"
     log_info "Build artifacts are in: ${BUILD_OUTPUT}"
+
+    # Print sha256sum of vmlinux for reproducibility verification
+    if [ -f "${BUILD_OUTPUT}/vmlinux" ]; then
+        echo ""
+        log_info "Reproducibility verification:"
+        echo "  vmlinux sha256sum: $(sha256sum "${BUILD_OUTPUT}/vmlinux" | cut -d' ' -f1)"
+    fi
 }
 
 # Handle command line arguments

flake.nix

@@ -26,6 +26,18 @@
           perl
           python3
 
+          # Shell utilities needed for build scripts
+          getopt
+          coreutils
+          findutils
+          gnugrep
+          gnused
+          gawk
+          bash
+          rsync
+          hostname
+          which
+
           # ARM64 cross-compilation toolchain
           pkgsCross.aarch64-multiplatform.stdenv.cc
           pkgsCross.aarch64-multiplatform.buildPackages.binutils