fix(linux/build): correct derivative-maker CLI invocation (M1.1)

Run #4253 finally got past all the harness failures and into
derivative-maker's actual build steps, where 1100_sanity-tests
rejected our invocation with:

    unknown option (1): '--build'

The CLI we'd been passing was built from invented flag names rather
than the real grammar in derivative-maker/help-steps/parse-cmd.
Concretely:

  - `--build`  is not a real option (just wrong)
  - `--flavour` should be `--flavor` (upstream uses American spelling)
  - `--dist`   is not a real option; dist is implicit from `--flavor`
                (kicksecure-cli ⇒ bookworm)
  - `--config` is not a real option; the silvermetal-base.conf is
                sourced into env above the invocation, no flag needed
  - `--freedom true|false` was missing entirely; parse-cmd requires it
                for `--arch amd64` (line 70 in parse-cmd) — the script
                exits if neither is set

Fix: build-inner.sh now invokes
    ./derivative-maker --flavor … --target … --arch … --freedom …
which is the minimal valid form per parse-cmd's case-branches.

Set DERIVATIVE_FREEDOM=false in silvermetal-base.conf, matching
Kicksecure's own public-ISO choice — `--freedom true` would omit
firmware-nonfreedom and the resulting ISO wouldn't initialise wifi /
many GPUs / Intel microcode on most hardware. Privacy/functionality
trade-off documented inline; the hardening overlay in M1.2+ can
revisit if that conversation becomes useful.

Verified: bash -n on both scripts. No image rebuild needed — pure
script and config changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

linux/build/config/silvermetal-base.conf

@@ -16,8 +16,19 @@ DERIVATIVE_BUILD_TARGET="iso"
 # Kicksecure's derivative-maker exposes "build flavour" as the upstream
 # selector. We ride on the plain Kicksecure CLI flavour here. M1.2 will
 # switch this to a SilverMetal-Hardened flavour with our overlay.
+# Upstream spells the CLI flag --flavor (American), so the variable name
+# below is intentionally British but the flag passed in build-inner.sh
+# is the upstream spelling.
 DERIVATIVE_FLAVOUR="kicksecure-cli"
 
+# Nonfree firmware switch (mandatory for amd64/i386 — parse-cmd errors
+# otherwise). Kicksecure's public ISOs choose "false" (nonfree firmware
+# included) so the resulting image actually boots on real hardware
+# (wifi, GPU, microcode). M1.1 follows that choice; the hardening
+# overlay in M1.2+ can revisit if there's a privacy-vs-functionality
+# argument worth reopening.
+DERIVATIVE_FREEDOM="false"
+
 # --- Branding (reads shared/branding/linux-iso-meta.yaml at script time) ----
 # These mirror the YAML; the wrapper script reconciles them so we don't have
 # two sources of truth for the same value. If they diverge, build.sh fails.

linux/build/scripts/build-inner.sh

@@ -28,13 +28,19 @@ source "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
 
 cd "${REPO_ROOT}/linux/build/derivative-maker"
 
+# CLI grammar comes from derivative-maker/help-steps/parse-cmd. The
+# valid options are a closed set; passing anything else (including
+# --build, --dist, or --config) trips the "unknown option" guard at
+# parse-cmd line 725. Spelling matters too: upstream uses --flavor
+# (American), not --flavour. --freedom is mandatory for amd64/i386.
+# Dist is implicit from --flavor (kicksecure-cli => bookworm), and
+# the silvermetal-base.conf is sourced into the env above rather than
+# passed as a flag because derivative-maker has no --config option.
 ./derivative-maker \
-    --build \
+    --flavor  "${DERIVATIVE_FLAVOUR}" \
     --target  "${DERIVATIVE_BUILD_TARGET}" \
-    --flavour "${DERIVATIVE_FLAVOUR}" \
     --arch    "${DERIVATIVE_TARGET_ARCH}" \
-    --dist    "${DERIVATIVE_DIST}" \
-    --config  "${REPO_ROOT}/linux/build/config/silvermetal-base.conf"
+    --freedom "${DERIVATIVE_FREEDOM}"
 
 # derivative-maker writes into its own build/ tree; collect into BUILD_DIR.
 # Exact upstream output paths can shift between tags — keep this tolerant.