build: separate generic ARM64 from Raspberry Pi kernel builds

Splits the ARM64 build into two tracks per docs/arm64-architecture.md:

Generic ARM64 (mainline kernel.org, UEFI, virtio, GRUB):
- New build/scripts/build-kernel-arm64.sh builds mainline LTS (6.12.x by default)
  from arm64 defconfig + shared container fragment + arm64-virt enables
  (VIRTIO_*, EFI_STUB, NVMe). Output: build/cache/kernel-arm64-generic/.
- New Makefile targets: kernel-arm64, rootfs-arm64 (now consumes the mainline
  kernel modules via TARGET_VARIANT=generic).
- versions.env: pin MAINLINE_KERNEL_VERSION=6.12.10, declare cdn.kernel.org URL
  and SHA256 placeholder.

Raspberry Pi (raspberrypi/linux fork, custom DTBs, autoboot.txt):
- build-kernel-arm64.sh (RPi-flavoured) renamed to build-kernel-rpi.sh; cache
  dir renamed from custom-kernel-arm64 to custom-kernel-rpi.
- New Makefile targets: kernel-rpi, rootfs-arm64-rpi (uses TARGET_VARIANT=rpi).
- rpi-image now depends on rootfs-arm64-rpi + kernel-rpi instead of the generic
  rootfs-arm64.
- create-rpi-image.sh + inject-kubesolo.sh updated to reference the new cache
  path. inject-kubesolo.sh now takes a TARGET_VARIANT env var (rpi|generic) to
  select which ARM64 kernel modules to consume.

Shared substrate:
- rpi-kernel-config.fragment renamed to kernel-container.fragment. The contents
  were never RPi-specific (cgroup, namespaces, AppArmor, netfilter) — just
  misnamed. Extended with extra subsystem disables (KVM, WLAN, CFG80211,
  INFINIBAND, PCMCIA, HAMRADIO, ISDN, ATM, INPUT_JOYSTICK, INPUT_TABLET, FPGA)
  and CONFIG_LSM=lockdown,yama,apparmor.
- build-kernel.sh (x86) refactored to apply the shared fragment via a generic
  apply_fragment function (two-pass for the TC stock config security dance),
  killing ~50 lines of inline config duplication.

Note: rename detection shows build-kernel-arm64.sh as 'modified' because the
new file at that path is the mainline build, while the old RPi-flavoured
content lives in build-kernel-rpi.sh (which appears as a new file). The git
log for build-kernel-rpi.sh is empty; the RPi history is preserved at the
original path until this commit.

No actual kernel build runs in this commit — that's Phase 3 work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Makefile

@@ -1,6 +1,6 @@
 .PHONY: all fetch kernel build-cloudinit build-update-agent build-cross rootfs initramfs \
        iso disk-image oci-image rpi-image \
-       kernel-arm64 rootfs-arm64 \
+       kernel-arm64 kernel-rpi rootfs-arm64 rootfs-arm64-rpi \
        test-boot test-k8s test-persistence test-deploy test-storage test-security test-all \
        test-boot-arm64 test-cloudinit test-update-agent \
        bench-boot bench-resources \
@@ -73,21 +73,38 @@ build-cross:
 	$(BUILD_DIR)/scripts/build-cross.sh
 
 # =============================================================================
-# ARM64 Raspberry Pi targets
+# ARM64 generic targets (mainline kernel, UEFI, virtio — for cloud / SBCs)
 # =============================================================================
 kernel-arm64:
-	@echo "==> Building ARM64 kernel for Raspberry Pi..."
+	@echo "==> Building generic ARM64 kernel (mainline LTS)..."
 	$(BUILD_DIR)/scripts/build-kernel-arm64.sh
 
+# Generic ARM64 rootfs consumes the mainline kernel modules.
 rootfs-arm64: build-cross
-	@echo "==> Preparing ARM64 rootfs..."
+	@echo "==> Preparing generic ARM64 rootfs..."
 	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/fetch-components.sh
 	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/extract-core.sh
-	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/inject-kubesolo.sh
-	@echo "==> Packing ARM64 initramfs..."
+	TARGET_ARCH=arm64 TARGET_VARIANT=generic $(BUILD_DIR)/scripts/inject-kubesolo.sh
+	@echo "==> Packing generic ARM64 initramfs..."
 	$(BUILD_DIR)/scripts/pack-initramfs.sh
 
-rpi-image: rootfs-arm64 kernel-arm64
+# =============================================================================
+# ARM64 Raspberry Pi targets (RPi-patched kernel, firmware blobs, SD card)
+# =============================================================================
+kernel-rpi:
+	@echo "==> Building RPi kernel (raspberrypi/linux)..."
+	$(BUILD_DIR)/scripts/build-kernel-rpi.sh
+
+# RPi-flavoured rootfs consumes the RPi kernel modules.
+rootfs-arm64-rpi: build-cross
+	@echo "==> Preparing RPi ARM64 rootfs..."
+	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/fetch-components.sh
+	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/extract-core.sh
+	TARGET_ARCH=arm64 TARGET_VARIANT=rpi $(BUILD_DIR)/scripts/inject-kubesolo.sh
+	@echo "==> Packing RPi ARM64 initramfs..."
+	$(BUILD_DIR)/scripts/pack-initramfs.sh
+
+rpi-image: rootfs-arm64-rpi kernel-rpi
 	@echo "==> Creating Raspberry Pi SD card image..."
 	$(BUILD_DIR)/scripts/create-rpi-image.sh
 	@echo "==> Built: $(OUTPUT_DIR)/$(OS_NAME)-$(VERSION).rpi.img"
@@ -246,10 +263,14 @@ help:
 	@echo "  make quick              Fast rebuild (re-inject + repack + ISO only)"
 	@echo "  make docker-build       Reproducible build inside Docker"
 	@echo ""
+	@echo "Build targets (ARM64 generic — UEFI / cloud / SBCs):"
+	@echo "  make kernel-arm64       Build mainline ARM64 kernel from kernel.org LTS"
+	@echo "  make rootfs-arm64       Prepare generic ARM64 rootfs (mainline kernel modules)"
+	@echo ""
 	@echo "Build targets (ARM64 Raspberry Pi):"
-	@echo "  make kernel-arm64       Build ARM64 kernel from raspberrypi/linux"
-	@echo "  make rootfs-arm64       Extract + prepare ARM64 rootfs from piCore64"
-	@echo "  make rpi-image          Create Raspberry Pi SD card image with A/B partitions"
+	@echo "  make kernel-rpi         Build RPi kernel from raspberrypi/linux"
+	@echo "  make rootfs-arm64-rpi   Prepare RPi-flavoured rootfs (RPi kernel modules)"
+	@echo "  make rpi-image          Create Raspberry Pi SD card image with A/B autoboot"
 	@echo ""
 	@echo "Test targets:"
 	@echo "  make test-boot          Boot ISO in QEMU, verify boot success"