feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/config/kernel-audit.sh

@@ -128,7 +128,12 @@ echo "Security:"
 check_config CONFIG_SECCOMP              recommended "Seccomp (container security)"
 check_config CONFIG_SECCOMP_FILTER       recommended "Seccomp BPF filter"
 check_config CONFIG_BPF_SYSCALL          recommended "BPF syscall"
-check_config CONFIG_AUDIT                recommended "Audit framework"
+check_config CONFIG_AUDIT                mandatory "Audit framework"
+check_config CONFIG_AUDITSYSCALL         mandatory "Audit system call events"
+check_config CONFIG_SECURITY             mandatory "Security framework"
+check_config CONFIG_SECURITYFS           mandatory "Security filesystem"
+check_config CONFIG_SECURITY_APPARMOR    mandatory "AppArmor LSM"
+check_config CONFIG_SECURITY_NETWORK     recommended "Network security hooks"
 echo ""
 
 # --- Crypto ---

build/config/modules-arm64.list

@@ -0,0 +1,81 @@
+# Kernel modules loaded at boot by init (ARM64 / Raspberry Pi)
+# One module per line. Lines starting with # are ignored.
+# Modules are loaded in order listed — dependencies must come first.
+
+# Network device drivers (loaded early so interfaces are available)
+# Note: no e1000/e1000e on ARM64 — those are x86 Intel NIC drivers
+virtio_net
+
+# Virtio support (for QEMU VMs — block, entropy)
+virtio_blk
+virtio_rng
+
+# Raspberry Pi specific (USB Ethernet on Pi 4 is built-in, no module needed)
+# Pi 5 uses PCIe ethernet, also typically built-in
+
+# Filesystem — overlay (required for containerd)
+overlay
+
+# Netfilter dependencies (must load before conntrack)
+nf_defrag_ipv4
+nf_defrag_ipv6
+
+# Netfilter / connection tracking (required for kube-proxy)
+nf_conntrack
+nf_nat
+nf_conntrack_netlink
+
+# nftables (modern iptables backend)
+nf_tables
+nft_compat
+nft_chain_nat
+nft_ct
+nft_masq
+nft_nat
+nft_redir
+
+# Netfilter xt match/target modules (used by kube-proxy iptables rules via nft_compat)
+xt_conntrack
+xt_MASQUERADE
+xt_mark
+xt_comment
+xt_multiport
+xt_nat
+xt_addrtype
+xt_connmark
+xt_REDIRECT
+xt_recent
+xt_statistic
+xt_set
+
+# nft extras (reject, fib — used by kube-proxy nf_tables rules)
+nft_reject
+nft_reject_ipv4
+nft_reject_ipv6
+nft_fib
+nft_fib_ipv4
+nft_fib_ipv6
+
+# Reject targets (used by kube-proxy iptables-restore rules)
+nf_reject_ipv4
+nf_reject_ipv6
+ipt_REJECT
+ip6t_REJECT
+
+# nfacct extension (kube-proxy probes for it)
+xt_nfacct
+
+# Networking — bridge and netfilter (required for K8s pod networking)
+# Load order: llc → stp → bridge → br_netfilter
+llc
+stp
+bridge
+br_netfilter
+veth
+vxlan
+
+# IPVS — useful for kube-proxy IPVS mode and CNI plugins
+ip_vs
+ip_vs_rr
+ip_vs_wrr
+ip_vs_sh

build/config/rpi-kernel-config.fragment

@@ -0,0 +1,69 @@
+# KubeSolo OS — Raspberry Pi kernel config overrides
+# Applied on top of bcm2711_defconfig (Pi 4) or bcm2712_defconfig (Pi 5)
+# These ensure container runtime support is enabled.
+
+# cgroup v2 (mandatory for containerd/runc)
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_MEMCG=y
+CONFIG_CGROUP_BPF=y
+CONFIG_CFS_BANDWIDTH=y
+
+# BPF (required for cgroup v2 device control)
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
+
+# Namespaces (mandatory for containers)
+CONFIG_NAMESPACES=y
+CONFIG_NET_NS=y
+CONFIG_PID_NS=y
+CONFIG_USER_NS=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+
+# Device management
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+
+# Filesystem
+CONFIG_OVERLAY_FS=y
+CONFIG_SQUASHFS=y
+CONFIG_EXT4_FS=y
+CONFIG_VFAT_FS=y
+
+# Networking
+CONFIG_BRIDGE=m
+CONFIG_NETFILTER=y
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_NAT=m
+CONFIG_NF_TABLES=m
+CONFIG_VETH=m
+CONFIG_VXLAN=m
+
+# Security: AppArmor + Audit
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+
+# Security: seccomp
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+
+# Crypto (image verification)
+CONFIG_CRYPTO_SHA256=y
+
+# Disable unnecessary subsystems for edge appliance
+# CONFIG_SOUND is not set
+# CONFIG_DRM is not set
+# CONFIG_MEDIA_SUPPORT is not set
+# CONFIG_WIRELESS is not set
+# CONFIG_BT is not set
+# CONFIG_NFC is not set

build/config/versions.env

@@ -15,5 +15,28 @@ KUBESOLO_INSTALL_URL=https://get.kubesolo.io
 GRUB_VERSION=2.12
 SYSLINUX_VERSION=6.03
 
+# SHA256 checksums for supply chain verification
+# Populate by running: sha256sum build/cache/<file>
+# Leave empty to skip verification (useful for first fetch)
+TINYCORE_ISO_SHA256=""
+KUBESOLO_SHA256=""
+NETFILTER_TCZ_SHA256=""
+NET_BRIDGING_TCZ_SHA256=""
+IPTABLES_TCZ_SHA256=""
+
+# piCore64 (ARM64 — Raspberry Pi)
+PICORE_VERSION=15.0
+PICORE_ARCH=aarch64
+PICORE_IMAGE=piCore-${PICORE_VERSION}.img.gz
+PICORE_IMAGE_URL=http://www.tinycorelinux.net/${PICORE_VERSION%%.*}.x/${PICORE_ARCH}/releases/RPi/${PICORE_IMAGE}
+
+# Raspberry Pi firmware (boot blobs, DTBs)
+RPI_FIRMWARE_TAG=1.20240529
+RPI_FIRMWARE_URL=https://github.com/raspberrypi/firmware/archive/refs/tags/${RPI_FIRMWARE_TAG}.tar.gz
+
+# Raspberry Pi kernel source
+RPI_KERNEL_BRANCH=rpi-6.6.y
+RPI_KERNEL_REPO=https://github.com/raspberrypi/linux
+
 # Output naming
 OS_NAME=kubesolo-os