Pin guest kernel to 6.12 LTS with CONFIG_DUMMY=y

The standard x86_64/firecracker lane was pulling the guest kernel
straight from `nixpkgs#linuxPackages_latest`, which currently resolves
to 7.0.3. That is both a moving target and not yet bootable under PVM,
and it shipped without `CONFIG_DUMMY=y`, so the K3s install proof's
`ip link add port0 type dummy` aborted with `Error: Unknown device
type.` and the cluster never came up.

Introduce a small port-owned `nix/guest-kernel.nix` that takes
`linuxPackages_6_12.kernel` and overrides `structuredExtraConfig.DUMMY
= yes`, exposed through `legacyPackages.<sys>.linuxPackages-port-guest`
so callers retain `.kernel.dev` and `.kernel.modules`. The artifact
build/validate scripts now resolve the standard lane through that
attr, with `PORT_GUEST_KERNEL_ATTR` / `PORT_GUEST_KERNEL_MODULES_ATTR`
override hooks. PVM and aarch64 lanes are unchanged.

Author: rupurt

flake.nix

@@ -238,6 +238,10 @@
           firecracker-pvm-host-kit = awsPvmHostKitPkg;
         };
 
+        legacyPackages = pkgs.lib.optionalAttrs isLinux {
+          linuxPackages-port-guest = pkgs.callPackage ./nix/guest-kernel.nix { };
+        };
+
         checks = pkgs.lib.optionalAttrs isLinux {
           aws-pvm-host-module-eval = pkgs.writeText "aws-pvm-host-module-eval.json" (
             builtins.toJSON {

nix/guest-kernel.nix

@@ -0,0 +1,14 @@
+{ lib, linuxPackages_6_12, linuxPackagesFor }:
+
+# Port-owned guest kernel for the standard x86_64/firecracker lane.
+#
+# Pinned to the 6.12 LTS series (kernel 7.x does not yet boot under PVM)
+# and overridden with `CONFIG_DUMMY=y` so the guest's K3s install proof
+# can `ip link add port0 type dummy` without needing the dummy.ko module
+# on the rootfs. The result is a full `linuxPackages` set so callers
+# retain `.kernel.dev` and `.kernel.modules`.
+linuxPackagesFor (linuxPackages_6_12.kernel.override {
+  structuredExtraConfig = with lib.kernel; {
+    DUMMY = yes;
+  };
+})

scripts/artifacts/build-guest-image.sh

@@ -321,7 +321,8 @@ EOF
 chmod 0755 "$staging_dir/opt/credential-provider/bin/ecr-credential-provider"
 
 if [[ "$copy_kernel_modules_into_guest" -eq 1 ]]; then
-  kernel_modules_store="$(nix build --option eval-cache false --no-link --print-out-paths nixpkgs#linuxPackages_latest.kernel.modules)"
+  guest_kernel_modules_attr="${PORT_GUEST_KERNEL_MODULES_ATTR:-legacyPackages.x86_64-linux.linuxPackages-port-guest.kernel.modules}"
+  kernel_modules_store="$(nix build --option eval-cache false --no-link --print-out-paths ".#${guest_kernel_modules_attr}")"
   if [[ ! -d "${kernel_modules_store}/lib/modules" ]]; then
     echo "missing kernel modules in ${kernel_modules_store}/lib/modules" >&2
     exit 1

scripts/artifacts/build-kernel.sh

@@ -29,9 +29,10 @@ resolve_pvm_build_flake_ref() {
 case "$output_path" in
   */x86_64/firecracker/standard/*)
     arch="x86_64"
-    kernel_source="$(nix build --option eval-cache false --no-link --print-out-paths nixpkgs#linuxPackages_latest.kernel.dev)"
+    guest_kernel_attr="${PORT_GUEST_KERNEL_ATTR:-legacyPackages.x86_64-linux.linuxPackages-port-guest.kernel.dev}"
+    kernel_source="$(nix build --option eval-cache false --no-link --print-out-paths ".#${guest_kernel_attr}")"
     kernel_path="${kernel_source}/vmlinux"
-    kernel_origin="nixpkgs#linuxPackages_latest.kernel.dev"
+    kernel_origin=".#${guest_kernel_attr}"
     ;;
   */x86_64/firecracker/pvm/*)
     arch="x86_64"

scripts/artifacts/validate-kernel.sh

@@ -34,7 +34,8 @@ resolve_pvm_build_flake_ref() {
 case "$kernel_path" in
   */x86_64/firecracker/standard/*)
     arch="x86_64"
-    expected_path="$(nix build --option eval-cache false --no-link --print-out-paths nixpkgs#linuxPackages_latest.kernel.dev)/vmlinux"
+    guest_kernel_attr="${PORT_GUEST_KERNEL_ATTR:-legacyPackages.x86_64-linux.linuxPackages-port-guest.kernel.dev}"
+    expected_path="$(nix build --option eval-cache false --no-link --print-out-paths ".#${guest_kernel_attr}")/vmlinux"
     ;;
   */x86_64/firecracker/pvm/*)
     arch="x86_64"