feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/config/kernel-audit.sh

@@ -128,7 +128,12 @@ echo "Security:"
 check_config CONFIG_SECCOMP              recommended "Seccomp (container security)"
 check_config CONFIG_SECCOMP_FILTER       recommended "Seccomp BPF filter"
 check_config CONFIG_BPF_SYSCALL          recommended "BPF syscall"
-check_config CONFIG_AUDIT                recommended "Audit framework"
+check_config CONFIG_AUDIT                mandatory "Audit framework"
+check_config CONFIG_AUDITSYSCALL         mandatory "Audit system call events"
+check_config CONFIG_SECURITY             mandatory "Security framework"
+check_config CONFIG_SECURITYFS           mandatory "Security filesystem"
+check_config CONFIG_SECURITY_APPARMOR    mandatory "AppArmor LSM"
+check_config CONFIG_SECURITY_NETWORK     recommended "Network security hooks"
 echo ""
 
 # --- Crypto ---